Failed Coding Assessment to Remote Code Execution - Part 1
Security is mostly a superstition. It does not exist in nature.
Hi there, Today I am going to explain how I found a vulnerability in a very famous coding platform let’s say REDACTED.com, and how I escalated the same to Remote Code Execution.
After solving 2 problems for my Online Assessment test, I was completely stuck and was unable to pass 2 test cases for the third problem, tried for 30 minutes and still, no progress had 40 minutes still left, not able to figure out what can be done. I was sure, have screwed up in it so I started thinking in terms of test cases, instead of my code.
This lead me to think about what are these test cases, let’s try finding out.
I was coding in C-Plus-Plus in the same platform IDE and to see if a command runs I tried to run a simple system("ls") instruction, which runs a command to list files and give the output on standard output.
Executing the above code returned me output, listing all the files, but it only contained input source code and its executable no input test cases file was there.
which further made me think, what if instead of ls I could see the input I am getting while running the test. but it couldn’t happen as I/O were hidden for these test cases, hmmmmm.
And after thinking for a minute, came up with an idea.
What if I could send the input variable data as a payload to some server while executing code which will be hosted by me?
I immediately started a TCP server (using netcat) on some random port and exposed the same using ngrok (temporary global domain name utility for a local port). Tried changing the system command from ls toping https://<random>.ngrok.io and executed it.
And Boom! I was able to see a request from the REDACTED.com’s server on my very basic TCP server.
I simply changed the code to the below, as each test case had 4 inputs:
Thanks to this StackOverflow answer for helping me pass variables data in the system command.
Finally, I was able to get those two input test cases on my local server with a POST request upon execution 😄.
But
As this blog is getting long let’s end it here, but the story doesn’t end here, this is still pending how I escalated this to gaining a root shell in the server and getting complete access to AWS & Firebase tokens.
Stay Curious!
References:
