LLM command executor prompt injection to root file read
Foundations AI engagement: nc to AI Command Executor on 1337; natural-language prompts generated sudo/root shell commands that listed and read /root/flag.txt.
- Case files
- LLM command executor prompt injection to root file read
Unsandboxed LLM-to-shell bridge ran as root. Prompted enumeration of /root and cat of flag.txt via generated commands the operator confirmed.
nc session; prompts generated sudo whoami, ls /root, cat flag.txt.
Engagement summary
Unsandboxed LLM-to-shell bridge ran as root. Prompted enumeration of /root and cat of flag.txt via generated commands the operator confirmed.
EVIL-GPT exposed an “AI Command Executor” on TCP 1337. Natural-language requests were translated into Linux commands and executed after a y confirmation. Asking whether the agent was admin produced sudo whoami → root. Asking how many files were in /root produced ls -la /root including flag.txt. Asking to show flag.txt contents produced cat /root/flag.txt and the secret. No sandbox, no allowlist, root privileges.
Business impact
LLM agents with shell access are remote operators. Prompt injection becomes RCE. Never bind models to privileged shells; use tool allowlists, human approval for destructive actions, and non-root sandboxes with no secret filesystem mounts.
Prompt-driven root enumeration and read
nc session; prompts generated sudo whoami, ls /root, cat flag.txt.
OPERATOR · LLM
savvy@lab:~$ nc 10.10.24.64 1337
Welcome to AI Command Executor
Enter your command request: are you admin of this system?
Generated: sudo whoami → root
Enter your command request: list files in /root
Generated: ls -la /root → flag.txt
Enter your command request: show contents of /root/flag.txt
Generated: cat /root/flag.txt → THM{AI_HACK_THE_FUTURE}
Remediation
Separate planning from execution; require policy engine approval; deny raw shell tools; mount secrets read-only only to dedicated services — never to chat agents.