Red Teaming

4 min read

Jump Into Command Injection with HTB Academy’s New Module

One of HTB Academy's latest modules is part of an exciting new Job Path for bug hunters! An exclusive interview with Command Injections creator 21y4d.

KimCrawley avatar

KimCrawley,
Sep 21
2021

We’re always adding exciting new modules to HTB Academy to address crucial skills that people need in order to succeed in the cybersecurity industry.

Command Injections launched this month, created by HTB training developer 21y4d, application pentester extraordinaire. It’s a key component of our brand new HackerOne Job Path to train hackers in application pentesting and bug bounty work. 

Here’s the official description of our Command Injections module:

“Command injections are among the most critical vulnerabilities in web applications, as they allow direct command execution on the hosting server, thus compromising the server and potentially the entire network. This is why it is vital to look for these types of vulnerabilities through pentesting and secure code review.

This module will teach the basics of identifying and exploiting OS command injections. It also covers techniques to bypass various filters and mitigations used to prevent the exploitation of command injections. This module covers methods for exploiting command injections on both Linux and Windows. This module will also teach how to patch command injection vulnerabilities with examples of secure code.”

I had a chat with 21y4d about the new Command Injection module and what people can expect to learn.

214yd

Kim “Crowgirl” Crawley: Please tell me a little bit about our new HackerOne job role path in HTB Academy. 

21y4d: The HackerOne path is one our our Job Role paths, and teaches the fundamentals of bug bounty hunting. The path is one our our Job Role paths, and teaches the fundamentals of bug bounty hunting. It was launched on September 18thas we announced in this tweet. HackerOne is an excellent resource for bug bounty hunters and Hack The Boxis proud to collaborate with them. 

Crowgirl: So, how can a hacker know whether or not they're ready for Command Injections? What do they need to understand, and what will they learn in your course?

21y4d: Command injection is considered one of the top three vulnerabilities in OWASP Top 10, and among the top ten in HackerOne’s most paid vulnerabilities. The OWASP Top 10 is the reference standard for the most critical web application security risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing your software development culture focused on producing secure code.

This is because many web developers do not use the secure coding standards, which may lead to various types of injections in web applications, such as SQL injections, code injections, or command injections.

The module only assumes basic knowledge of web exploitation, and carries the student step by step. Starting with identifying basic injection points to inject commands, and then I start to teach how to bypass security filters in place. By the end, the student will not only be able to exploit command injection vulnerabilities, but bypass various types of filters in place, and even create their own custom bypass commands to even bypass Web Application Firewalls that may have a list of common bypass commands.

After that, the module wraps up by teaching how web developers can patch each of the vulnerabilities shown in the module in a secure manner, in both the front-end and the back-end of the web application, thus being able to defend their web application both through secure coding and penetration testing.

Crowgirl: If a hacker already understands SQL injection, does that knowledge transfer into other kinds of command injection?

21y4d: Absolutely. The main concept of injections is shared between SQL injections and command injections, and this concept is taught in our 'SQL Injection Fundamentals' and 'Command Injections' modules, with variations that suits each type of injection. An injection occurs when an attacker can break out of the bounds of the input string, and be able to append to the back-end code. In SQL injections, we'd be appending SQL queries to change what queries the database is executing, while in Command Injections we'd be appending additional commands to be executed on the back-end server, which is much more critical and may lead to taking total control of the back-end server.

Once students finish the 'Command Injections' module, they may be interested in the 'Whitebox Pentesting 101: Command Injection', which teaches advanced methods of code and command injections, and thoroughly covers how we can inject code and commands in various types of web applications, and achieve code execution even under the most challenging circumstances.

Learn more with HTB Academy

HTB Academy is an interactive way to learn about a wide variety of cybersecurity topics and pursue different Job Paths. We have dozens of modules and we’re always adding more. Learn through your web browser and complete courses that demonstrate cyber skills that employers need. Take a look at what HTB Academy has to offer here.

Hack The Blog

The latest news and updates, direct from Hack The Box