Figment - Free GOG Game This giveaway is on gog.com gog is a platform for games that is dedicated to drm-free games (those are games that do not require login or registration to play the game)
The last stand against Calus--who became the latest disciple of The Witness at the end of Season of the Haunted--and a "pivotal" moment for the Destiny franchise as it heads to the end of the Light and Darkness saga. Lightfall takes place in a new city on Neptune, Neomuna, which has a pristine and retro-futuristic design. As for the fifth subclass that was briefly seen, this new Darkness power is called Strand and allows for new traversal methods in Neomuna. The city is inhabited by a new race known as Cloudstriders, who managed to escape The Collapse of the solar system and remain hidden from the Darkness. With The Witness having discovered the city, it has come under siege from Calus, the Shadow Legion, and gigantic Pyramid Demons that can use a scythe to attack from a distance and drain your life-force.
Highlight: intercepting and modifying a web request using burpsuite
Tools used: base64, burpsuite
Tags: docker, directory traversal
BACKGROUND
In this tutorial, we will walk a simple website showing pictures of dogs and cats.
We’ll discover a directory traversal vulnerability that we can leverage to view sensitive files on the target machine.
At the end of this challenge, we will break out of a docker container in order to capture the 4th and final flag.
ENUMERATION/RECON
export target=10.10.148.135
Export myIP=10.6.2.23
Let’s walk the site.
It looks like a simple image-viewing site that can randomize images of dogs and cats. After toying around with the browser addresses, we find that directory traversal allows us to view other files.
Let’s see if we can grab the HTML code that processes our parameters in the browser address. This will help us understand what is happening on the backend.
We’ll use a simple PHP filter to convert the contents to base64 and output the raw base64 string.
Let’s save this string as a file named “string”. Then we can use the command “cat string | base64 -d” to decrypt this string and view it as raw HTML code.
Reading over this HTML code, we can see that the file extension can be set!
If the user doesn’t specify the extension, the default will be .php. This means that we can add “&ext=” to the end of our web address to avoid the .php extension from being added.
In order for it to properly display our request, we need to include the word “dog” or “cat” in the address.
Let’s dive in with burpsuite and start intercepting and modifying requests.
Here is our order of steps for us to get our initial foothold on the target machine:
Create a PHP reverse shell
Start up our netcat listener
Use burp to intercept and modify the web request. Wait until later to click “forward”.
Spin up a simple HTTP server with Python in the same directory as the PHP revshell.
Click “forward” on burp to send the web request.
Activate the shell by entering: $targetIP/bshell.php in the browser address
Catch the revshell on netcat!
STEP 1
Let’s create a PHP pentest monkey revshell.
STEP 2
Let’s first start up a netcat listener on port 2222.
nc -lnvp 2222
STEP 3
Intercept the web request for the Apache2 log and modify the User-Agent field with a PHP code to request the shell.php code and rename it bshell.php on the target machine.
This will work only because upon examining the Apache2 logs, we noticed that the User-Agent field is unencoded and vulnerable to command injection. Make sure to wait to click forward until step 5.
STEP 4
We’ll spin up a simple python HTTP server in the same directory as our revshell to serve shell.php to our target machine via the modified web request we created in burpsuite.
STEP 5
Click forward on burp and check to see if code 200 came through for shell.php on the HTTP server.
STEP 6
We can activate the shell from our browser now and hopefully catch it as a revshell on our netcat listener.
STEP 7
We successfully caught it! Now we are in with our initial foothold!
INITIAL FOOTHOLD
LOCATE THE FIRST FLAG
Let’s grab the first flag. We can grab it from our browser again in base64, or via the command line from the revshell.
Let’s check out our sudo permissions with the command:
sudo -l
Matching Defaults entries for www-data on 26e23794a52b: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User www-data may run the following commands on 26e23794a52b: (root) NOPASSWD: /usr/bin/env
EXPLOIT/PRIVILEGE ESCALATION
Because we have sudo permissions without a password to run the env bin, we can easily become root with the command:
$ sudo env /bin/bash
Now we can verify that we are root with the command whoami.
GRAB THE THIRD FLAG
cd /root
ls
flag3.txt
cat flag3.txt
THM{D1—------------ommitted—-------12}
POST-EXPLOITATION – BREAK OUT OF THE DOCKER CONTAINER
Let’s start up a new listener to catch the new bash shell outside of the container.
nc -lnvp 3333
We notice that there is a backup.sh that regularly runs on a schedule via cronjobs. We can hijack this file which is run by root outside of the docker container, by changing the contents to throw a revshell.
This box was a lot of fun. The bulk of the challenge was working towards gaining the initial foothold.
Once we secured a revshell, the rest of the box went pretty quickly.
The final step of breaking out of a docker container with a second revshell was the sneakiest part for me.
The PHP directory traversal and using a php filter to encode with base64 was also a cool way to evade the data sanitation measures in place on the backend.
FREE SKI..ID, Let's Go Bundle, Konami & Ubisoft Deals
SKIID Freebie
[freebies.indiegala.com]
Let's Go Bundle | 8 Steam Games | 91% OFF
[www.indiegala.com] New month, new bundle, new games..., the weekend's here, let's goooooooo! Grab the newest selection of indie Steam games brought by the Let's Go Bundle.
Wo Long: Fallen Dynasty follows the dramatic, action-packed story of a nameless militia soldier fighting for survival in a dark fantasy version of the Later Han Dynasty where demons plague the Three Kingdoms. Players fight off deadly creatures and enemy soldiers using swordplay based on the Chinese martial arts, attempting to overcome the odds by awakening the true power from within.
Posted by: xSicKxBot - 03-05-2023, 08:32 AM - Forum: Python
- No Replies
5 Easy Ways to Edit a Text File From Command Line (Windows)
5/5 – (1 vote)
Problem Formulation
Given is a text file, say my_file.txt. How to modify its content in your Windows command line working directory?
I’ll start with the most direct method to solve this problem in 90% of cases and give a more “pure” in-terminal method afterward.
Method 1: Using Notepad
The easiest way to edit a text file in the command line (CMD) on your Windows machine is to run the command notepad.exe my_text_file.txt, or simply notepad my_text_file.txt, in your cmd to open the text file with the visual editor Notepad.
notepad.exe my_file.txt
You can also skip the .exe prefix in most cases:
notepad my_text_file.txt
Now, you may ask:
Is Notepad preinstalled in any Windows installation? The answer is: yes! Notepad is a generic text editor to create, open, and read plaintext files and it’s included with all Windows versions.
Here’s how that looks on my Win 10 machine:
When I type in the command notepad.exe my_text_file.txt, CMD starts the Notepad visual editor in a new window.
I can then edit the file and hit CTRL + S to save the new contents.
But what if you cannot open a text editor—e.g. if you’re logged into a remote server via SSH?
Method 2: Pure CMD Approach
If you cannot open Notepad or other visual editors for some reason, a simple way to overwrite a text file with built-in Windows command line tools is the following:
Run the command echo 'your new content' > my_file.txt to print the new content using echo and pipe the output into the text file my_text_file.txt using >.
Check the new content using the command type my_text_file.txt.
Here’s what this looks like on my Windows machine, where I changed my_file.txt to contain the text 'hello world!':
This is a simple and straightforward approach to small changes. However, if you have a large file and you just want to edit some minor details, this is not the best way.
Method 3: Change File Purely In CMD (Copy Con)
If you need a full-fledged solution to edit potentially large files in your Windows CMD, use this method!
To create a new file in Windows command prompt, enter copy con followed by the target file name (copy con my_file.txt). Then enter the text you want to put in the file. To end and save the file, press Ctrl+Z then Enter or F6 then Enter.
copy con my_file.txt
How this looks on my Win machine:
A couple of notes:
Info: To edit an existing file, display the text by using the type command followed by the file name. Then copy and paste the text into the copy con command to make changes. Be careful not to make any typos, or you’ll have to start over again. Backspace works if you catch the mistake before pressing Enter. Note that this method may not work in PowerShell or other command line interfaces that don’t support this feature.
Method 4: If you SSH’d to a Unix Machine
Of course, if you have logged in a Unix-based machine, you don’t need to install any editor because it comes with powerful integrated editors such as vim or emacs.
One of the following three commands should open your file in a terminal-based editing mode:
vim my_text_file.txt
vi my_text_file.txt
emacs my_text_file.txt
To edit a file.txt in the command line, use the command notepad file.txt to open a graphical editor on Windows.
If you need a simple file edit in your terminal without a graphical editor and without installation, you can use the command echo 'new content' > file.txt that overwrites the old content in file.txt with new content.
If you need a more direct in-CMD text editor run copy con file.txt to open the file in editing mode.
If you’re SSH’d into a Unix machine, running the Vim console-based editor may be the best idea. Use vim file.txt or vi file.txt to open it.