Remote Code Execution (RCE) via the Theme Editor [Academy]

The web shell has been loaded into an inactive theme and is working with commands like “ls” and “id”. I am having a problem finding the flag.txt in the directory specified in the question: “Once you have access to the target, obtain the contents of the “flag.txt” file in the home directory for the “wp-user” directory.” My question is: 1.) can you Pipe or otherwise “string” commands together with curl? Just cannot seem to locate this flag and don’t know where to start looking. Using something like $home does not seem to help.

Never mind, found it :slight_smile:

For others: all you need is echo and the correct directory :+1:

I’ve been trying to figure this one out but have been stuck for 2 days now -
Is the goal to use curl via cli and grab the contents of the /home/htb-###/flag.txt file or do you need to modify the php code in the 404.php file to execute the command?

I’ve googled how to use curl to get the contents of a file, but nothing specific enough comes up.

I’d be grateful for any hints!

thanks

Can anyone poke me in the right direction? Having trouble to cat the flag too.

1 Like

Echo was a really good hint.

Cat will work too. However, don’t forget to use the “code” for a space in a URL.
Hint: it starts with a %

Took me a while too; the issue most people have, I guess, is what follows after the cmd=“”.

I used cmd=cat+/

curl -X GET "http://<add_target_here>/wp-content/themes/twentyseventeen/404.php?cmd=cat+/home/wp-user/flag.txt"
1 Like
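From the defender’s side, the pattern the thread describes (a theme .php file taking a command in a cmd= query parameter, with spaces encoded as + or %20, planted through a theme-editor save) is easy to pick out of the web server access log. The script below is an added example, not from the thread or from HTB; it assumes Apache combined-log format, and the log lines in it are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit, unquote_plus

# Constructed Apache combined-log lines for the demonstration (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:01:02 +0000] "GET /wp-content/themes/twentyseventeen/404.php?cmd=cat+/home/wp-user/flag.txt HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/May/2024:10:01:03 +0000] "GET /wp-content/themes/twentyseventeen/404.php?cmd=id%20-u HTTP/1.1" 200 30 "-" "curl/8.0"
198.51.100.7 - - [10/May/2024:10:02:10 +0000] "GET /wp-content/themes/twentyseventeen/style.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:10:02:11 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
THEME_PHP = re.compile(r"^/wp-content/themes/[^/]+/.*\.php$")
SHELL_PARAMS = {"cmd"}  # parameter name used by the shell in this thread


def find_webshell_activity(log_text):
    """Return suspicious events: theme-editor saves (the step that plants the
    shell) and hits on theme .php files whose query string carries a command."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        path = unquote_plus(parts.path)
        base = {"ip": m["ip"], "ts": m["ts"], "path": path}
        if m["method"] == "POST" and path == "/wp-admin/theme-editor.php":
            events.append({**base, "kind": "theme_edit", "command": None})
            continue
        if not THEME_PHP.match(path):
            continue
        # parse_qs decodes both '+' and '%20' to a space, so "cat+/x" and
        # "cat%20/x" surface as the same command string.
        query = parse_qs(parts.query, keep_blank_values=True)
        for name in SHELL_PARAMS.intersection(query):
            for value in query[name]:
                events.append({**base, "kind": "webshell_cmd", "command": value})
    return events


if __name__ == "__main__":
    for ev in find_webshell_activity(SAMPLE_LOG):
        print(ev["ts"], ev["ip"], ev["kind"], ev["path"], ev["command"])
```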