medium Live now Web

OS Command Injection

Find where user input reaches a shell, then pick a payload form that survives the filter and response style.

Use shell separators, pipes, command substitution, or blind output redirection depending on how the vulnerable endpoint handles input.

Each variant changes the parameter and filter, so you practice adapting the injection instead of repeating one separator.

How the attack works

  1. Find a parameter whose value looks like it feeds a shell command (ping, lookup, convert). Example: host=127.0.0.1
  2. Break out of the command with a shell separator and run your own. Example: 127.0.0.1; id
  3. If separators are filtered, try a pipe, AND, or command substitution. Example: 127.0.0.1 | id # or $(id)
  4. No visible output? Confirm blind execution with a timing probe, then exfiltrate. Example: 127.0.0.1; sleep 5

On PwnKata the binary, account, and paths change every rep — so you drill the recognition, not this exact command.
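The fix for the pattern these steps look for, as an added example that is not part of the PwnKata page: a ping-style handler that concatenates input into a shell string, beside a hardened form that validates the value and passes it as a single argv element with no shell. The function names and the sample hostname are hypothetical.

```python
import ipaddress
import re

# One DNS label: letters, digits, inner hyphens. Shell metacharacters cannot match.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def vulnerable_command(host):
    """Weak form: input concatenated into a string that a shell will parse."""
    return "ping -c 1 " + host  # e.g. subprocess.run(cmd, shell=True)


def validate_host(host):
    """Return host if it is an IP literal or a plain DNS name, else raise ValueError."""
    try:
        addr = ipaddress.ip_address(host)
        if getattr(addr, "scope_id", None) is None:  # IPv6 zone IDs are free-form text
            return str(addr)
    except ValueError:
        pass
    if len(host) > 253 or not all(_LABEL.fullmatch(p) for p in host.split(".")):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def safe_argv(host):
    """Hardened form, meant for subprocess.run(safe_argv(host), shell=False, timeout=5)."""
    return ["ping", "-c", "1", validate_host(host)]  # a leading '-' is already rejected


def audit(values):
    """Map each input to 'ok' or 'rejected'; rejected values are worth logging."""
    out = {}
    for v in values:
        try:
            safe_argv(v)
            out[v] = "ok"
        except ValueError:
            out[v] = "rejected"
    return out


# Inputs quoted in the steps above, plus one constructed benign hostname.
SAMPLES = ["127.0.0.1", "example.internal", "127.0.0.1; id",
           "127.0.0.1 | id", "$(id)", "127.0.0.1; sleep 5"]

if __name__ == "__main__":
    for value, verdict in audit(SAMPLES).items():
        print(f"{verdict:8} {value!r}")
```

The allow-list is the second layer here: with no shell parsing the argument, separators, pipes and `$(...)` are never interpreted, and validation additionally keeps option-like or malformed values away from the binary.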

What you'll practice

command injection, web exploitation, OSCP, CPTS

Objective

Recover the flag at /root/flag.txt and submit it.
