[2xfa]

Thank you

[facelesshacker]

Yes, How am i get 8 credit? need write a post or buy the credit?

[Alnea]

This method not working anymore or am i stupid ? i literally tried every thing

[LeonardoBarbosa]

This method not working anymore or am i stupid ? i literally tried every thing

realmente não funciona mais, integraram um patch na maquina que faz a verificação correta do arquivo php, não que essa vulnerabilidade não funcione mais, só não ta subindo shell.

[Alnea]

What's the new method ?

[2341]

doesn't work for me... get's stuck at triggering revshell

For some reason obscure to me, the content of the post containing the autopwn script is litterally invisible, I'll repost and hopefully this time it won't disappear...

The programming style is very simple to read as it follows the principle of single responsibility functions, I've also included some prints to make the whole process more understandable.
The only external dependency required is pwntools which is pretty common so it shouldn't be a problem.

Here's a demo

python auto_pwn.py
[+] Revshell payload written at [...]
[...]
Uploading zip file...
[+] Successfully uploaded zip file, revshell available at [...]
[+] Got revshell as rektsu!
Creating shared object...
[+] Source code for shared object written at [...]
[+] Shared object compiled, written at [...]
Uploading shared object via base64...
Exploiting the binary...
[+] Successfully got root!
root@zipping# id
uid=0(root) gid=0(root) groups=0(root)
root@zipping# ls -la
total 12
drwxr-xr-x 2 rektsu rektsu 4096 Aug 28 08:26 .
drwxrwxr-x 3 root  rektsu 4096 Aug 28 08:26 ..
-rw-r--r-- 1 rektsu rektsu  117 Aug 28 08:26 [...]
root@zipping#

Note that [...] only means that the content was censored, it doesn't actually print that.

Without further ado, here's the autopwn script!

[RadonMars]

For some reason obscure to me, the content of the post containing the autopwn script is litterally invisible, I'll repost and hopefully this time it won't disappear...

The programming style is very simple to read as it follows the principle of single responsibility functions, I've also included some prints to make the whole process more understandable.
The only external dependency required is pwntools which is pretty common so it shouldn't be a problem.

Here's a demo

python auto_pwn.py
[+] Revshell payload written at [...]
[...]
Uploading zip file...
[+] Successfully uploaded zip file, revshell available at [...]
[+] Got revshell as rektsu!
Creating shared object...
[+] Source code for shared object written at [...]
[+] Shared object compiled, written at [...]
Uploading shared object via base64...
Exploiting the binary...
[+] Successfully got root!
root@zipping# id
uid=0(root) gid=0(root) groups=0(root)
root@zipping# ls -la
total 12
drwxr-xr-x 2 rektsu rektsu 4096 Aug 28 08:26 .
drwxrwxr-x 3 root  rektsu 4096 Aug 28 08:26 ..
-rw-r--r-- 1 rektsu rektsu  117 Aug 28 08:26 [...]
root@zipping#

Note that [...] only means that the content was censored, it doesn't actually print that.

Without further ado, here's the autopwn script!

Just what I was looking for

[hcker01]

hello I published a writeup just finished the box
https://medium.com/@motii.anas/htb-zippi...3fb4feab31

[Z43L]

thanks for sharing

[h4cker]

Thanks bro