I found the code that has the intended way, but I don’t know how to get around the thing preventing me from exploiting the vulnerability. Any help, please?
Thank you all
I am getting confused by some of the wording here. I was working on this machine with, I guess, the unintended vector, as I was able to get a file bypass and get the “PDF” dropped on the system. Now I know that you can’t get a non-PDF file to open anymore with the 404 error. I am not sure where to go from here. I do know that the files that are actually marked with a PDF extension open just fine. Maybe that is the vector, but I am really not sure. Can you maybe reword your first few steps? Thanks
Can anyone give me a hint on how to get a shell via the intended way? I had a shell working with the php upload but now it does not work anymore with the fix… Thx
Hi, I need help with the foothold. I’m unable to upload my file to the server.
I’ve made a zip file with a PHP file in it with the extension phpD.pdf, like in https://book.hacktricks.xyz/, but my file never gets there and I get no error message. Without the double extension, the file uploads without a problem.
Could someone give me some hints for zipping?
I found the zip vuln to see /etc/passwd or upload.php and so on, but I am stuck on getting RCE.
I tried to bypass the PDF extension but failed. I found that the changelog said “Added additional checks to the PHP application to prevent an unintended RCE via PHP webshell upload with null-byte injection.”, so I think that I have to read some PHP file in detail…
I am having trouble getting the initial foothold. I seem to go down a rabbit hole for the old method, but I am unsure how to move forward with the new patch. I am assuming it’s probably something staring me in the face… Any help is appreciated.
After exploiting the zip, I was able to find the source code of .php; however, I can’t seem to inject at the id product; in hacktricks, sending a URL-encoded newline does not work for me.