Under the web challenge | Can we solve together ?
by robinia - Saturday November 23, 2024 at 09:00 AM
#21
I tried with different PHP in the image and with different payloads in the EXIF data, but still no progress. But we go on :)
#22
(Dec 11, 2024, 07:45 AM)robinia Wrote: I tried with different PHP in the image and with different payloads in the EXIF data, but still no progress. But we go on :)

I don't think PHP will work; you need the payload in the EXIF data. Focus on artist and title.
Thanks @paw for the rank!!
#23
It's about a heap exploit.
https://deepunk.icu/php-pwn/
#24
Didn't look at this chall yet, but yeah. Based on the points it is either a heap exploit OR there's probably another way.
Like leaking addresses from the stack -> then calculating the PHP base -> then 'dup2' to clone IO -> and finally a PHP ROP chain with execv() to pop a shell.

https://www.youtube.com/shorts/FbeaklEkMgM
#25
You can leak the base addresses of all the loaded libs by using the LFI vuln in the web site itself (view.php): read /proc/self/maps. Decode the "image" response from base64 and parse the content. Get libc's base and metadata_reader.so's base.

Then, metadata_reader.so is partial RELRO, so you can overwrite its GOT entries. Concentrate on _efree because it takes an argument. So if it points to system, you can use the argument as the value for system to execute, which, btw, cannot be /bin/sh because this occurs entirely in the "server". There is no terminal to pop a shell from. The command for system should be a reverse shell call.

The problem is: so far this has worked only locally. Not sure why not remotely...
#26
You can read the flag without getting a reverse shell.
#27
(Dec 22, 2024, 02:25 PM)x1rx Wrote: You can read the flag without getting a reverse shell.

How did you do that with the remote version?
#28
(Dec 22, 2024, 02:25 PM)x1rx Wrote: You can read the flag without getting a reverse shell.

Is overwriting a GOT entry the intended way?
I mean, once you get control of that and can call system, you can do a lot of things.
But that works only locally and in the provided container. Unless the remote machine is different from the Docker container (a different libc, for instance)... I really do not see any reason why it would fail. I am missing something.

Care to throw in a hint?
#29
It's not very hard once you understand the problem)

root@a26a4sb89b9v:/app# cat uploads/output.txt
#30
(Dec 23, 2024, 12:00 AM)htb-bot Wrote: It's not very hard once you understand the problem)

root@a26a4sb89b9v:/app# cat uploads/output.txt

Nope. I have no idea what the problem is. This exploit should be working remotely as well...