Now, let’s talk about the MyWhois challenge. This approach is made for full beginners who have never exploited a command injection before.
This one took place in a simple web app, as the following screen capture shows:

Playing the game of good user
Let’s use this app as a normal user would:

I recognize this output as typical output from the Linux ‘whois’ command. What we can try now is to execute our own command. If the server runs the whois command without checking and sanitizing the input, we can perform a command injection.
Command injections : theory
In Linux shells, we can execute 2 commands on a single line with aggregators (the shell’s control operators). Aggregators allow us to chain commands. The 3 most-used aggregators are:
- | : The ‘pipe’, which takes the output of the first command and passes it to the second one as input
- && : The double ‘and’ symbol, which executes the first command, then the next one if the first succeeded
- ; : The semicolon, which also executes the first command then the next one, whether or not the first succeeded
The pipe doesn’t interest us because we want to execute our own command, not to use the output from whois.
Then we have ‘&&’ and ‘;’. I prefer ‘;’ because it’s shorter, but sometimes ‘&&’ is required if the sanitizer removes semicolons from command inputs.
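To see why the operators above matter from the server's side, here is an added example (not the challenge's code, whose source is not reproduced here): it shows how a shell splits an unsanitised `whois` command line, next to a hardened lookup that validates the input and runs `whois` without a shell. The function names, the constructed sample inputs and the domain-only allowlist are assumptions made for illustration.

```python
import re
import shlex
import subprocess

# Assumed policy: accept only plain DNS names (letters, digits, hyphens, dots).
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(_LABEL + r"(?:\." + _LABEL + r")+")


def vulnerable_command(user_input):
    """The string an unsanitised app hands to the shell (built here, never run)."""
    return "whois " + user_input


def shell_view(command_line):
    """Split a command line roughly as a POSIX shell does, operators kept apart."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def safe_argv(user_input):
    """Return an argument vector for whois, or raise ValueError."""
    # fullmatch, not match: a "$" anchor alone would accept a trailing newline.
    if len(user_input) > 253 or not DOMAIN_RE.fullmatch(user_input):
        raise ValueError("not a valid domain name")
    return ["whois", user_input]


def lookup(user_input):
    """Run whois without a shell: the input can only ever be one argument."""
    result = subprocess.run(safe_argv(user_input), capture_output=True,
                            text=True, timeout=10)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: one normal query and the two operators discussed above.
    for value in ["example.com", "example.com; echo 'Hello, World !'", "&& ls"]:
        print(repr(value), "->", shell_view(vulnerable_command(value)))
        try:
            print("  accepted:", safe_argv(value))
        except ValueError as err:
            print("  rejected:", err)
```

The allowlist is the actual defence; the tokenised view is only there to show that the shell sees a second command where the application expected a single argument.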
Now, let’s practice !
Now that we know that, let’s start with a simple command: printing ‘Hello, World !’.

As we can see, no filtering function is used on this web app.
And here it is ! Our command is executed successfully.

Little tip: to avoid having to deal with the whois results, we can type our aggregator directly, without giving whois any argument. Example:

Let’s list the directory’s content:

Getting the flag 😃
Let’s check the content of the index.php file:

At first glance, nothing. But let’s check the page source to be sure…

Thus, the MyWhois flag is FCSC{2e3405155d63a7d82f215d17232ea102314509ecbe90d605cf8be26f4639153b}