<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>File-Upload on appl3b0y</title>
    <link>https://appl3b0y.com/tags/file-upload/</link>
    <description>Recent content in File-Upload on appl3b0y</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Mon, 08 Jun 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://appl3b0y.com/tags/file-upload/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Soccer</title>
      <link>https://appl3b0y.com/writeups/soccer/</link>
      <pubDate>Mon, 08 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://appl3b0y.com/writeups/soccer/</guid>
      <description>&lt;h2 id=&#34;introduction&#34;&gt;Introduction&lt;/h2&gt;&#xA;&lt;p&gt;&lt;strong&gt;Soccer&lt;/strong&gt; is an easy Linux box that moves through three distinct users, and each hop teaches something different: a default-credentials web RCE, a SQL injection delivered over a &lt;strong&gt;WebSocket&lt;/strong&gt; (the part that makes this box memorable), and a &lt;code&gt;doas&lt;/code&gt;/&lt;code&gt;dstat&lt;/code&gt; plugin hijack for root.&lt;/p&gt;&#xA;&lt;p&gt;We start by finding a &lt;strong&gt;Tiny File Manager&lt;/strong&gt; install with the vendor&amp;rsquo;s default admin login, which gives an authenticated file upload and therefore a shell as &lt;code&gt;www-data&lt;/code&gt;. On the host, the nginx config points us to a second virtual host whose signup flow talks to a &lt;strong&gt;WebSocket on port 9091&lt;/strong&gt; (the odd port nmap could not fingerprint). That WebSocket takes a JSON &lt;code&gt;id&lt;/code&gt; straight into a query, so a blind SQL injection dumps the &lt;code&gt;player&lt;/code&gt; account&amp;rsquo;s password, which is reused for SSH. Finally, &lt;code&gt;player&lt;/code&gt; can run &lt;strong&gt;&lt;code&gt;dstat&lt;/code&gt; as root via &lt;code&gt;doas&lt;/code&gt;&lt;/strong&gt;, and &lt;code&gt;dstat&lt;/code&gt; loads Python plugins from a world-writable directory, so we drop a malicious plugin and it runs as root.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Help</title>
      <link>https://appl3b0y.com/writeups/help/</link>
      <pubDate>Thu, 04 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://appl3b0y.com/writeups/help/</guid>
      <description>&lt;h2 id=&#34;introduction&#34;&gt;Introduction&lt;/h2&gt;&#xA;&lt;p&gt;&lt;strong&gt;Help&lt;/strong&gt; is an easy Linux box, but it packs in more real-world lessons than most: a &lt;strong&gt;GraphQL&lt;/strong&gt; endpoint that leaks credentials through introspection, a &lt;strong&gt;HelpDeskZ 1.0.2&lt;/strong&gt; install with two known bugs whose public exploits are both broken (so you fix them yourself), a bit of &lt;strong&gt;password reuse&lt;/strong&gt;, and an old &lt;strong&gt;kernel&lt;/strong&gt; that falls to a public CVE.&lt;/p&gt;&#xA;&lt;p&gt;The path: port 3000 runs a Node/Express GraphQL API that all but invites you to query it, and doing so leaks an MD5 hash we crack. Those credentials log us into the HelpDeskZ ticketing app on port 80. HelpDeskZ 1.0.2 has both an authenticated &lt;strong&gt;SQL injection&lt;/strong&gt; and an &lt;strong&gt;arbitrary file upload&lt;/strong&gt;; the Exploit-DB PoCs for both fail on modern Python, so the real work is reading them and reproducing them manually. The SQLi dumps an admin password that is &lt;strong&gt;reused&lt;/strong&gt; for SSH as &lt;code&gt;help&lt;/code&gt;, and the file upload gives a shell directly. Either way we land as &lt;code&gt;help&lt;/code&gt;, and the ancient &lt;strong&gt;4.4.0-116&lt;/strong&gt; kernel gives up root to &lt;strong&gt;CVE-2017-16995&lt;/strong&gt;.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
