File Qfuhzzxf — Https- Ranoz.gg
Next, we tried to locate the raw file through :
$ pngcheck -v QfUhZZXf Output (truncated for brevity):
$ gobuster dir -u https://ranoz.gg/ -w /usr/share/wordlists/dirb/common.txt -x .bak,.old,.php~ -t 50 Result: download.php.bak returned a 2 kB file. <?php // Simple file downloader – DO NOT expose to the public! $allowed = ['QfUhZZXf', 'public.txt', 'welcome.html']; if (isset($_GET['file'])) $file = basename($_GET['file']); if (in_array($file, $allowed)) $path = __DIR__ . "/files/" . $file; if (file_exists($path)) header('Content-Type: application/octet-stream'); header('Content-Disposition: attachment; filename="'.$file.'"'); readfile($path); exit; https- ranoz.gg file QfUhZZXf
PNG file: QfUhZZXf (640x480) Chunk tEXt (keyword=Comment, text=...) Chunk iTXt (keyword=secret, compression=deflate, text=...) The iTXt chunk named contains a compressed blob. Extract it with exiftool :
$ exiftool -iTXt:secret QfUhZZXf > secret_compressed.bin $ file secret_compressed.bin secret_compressed.bin: zlib compressed data Next, we tried to locate the raw file
Run binwalk and strings for deeper insight:
$ 7z l secret_payload ... 0 0 0 0 0 -rw-r--r-- 0 0 secret.txt Extract: "/files/"
$ binwalk QfUhZZXf 0 0x0 PNG image, 640 x 480, 8-bit/color RGBA, non-interlaced A PNG header at offset 0! Let’s verify:
$ curl "https://ranoz.gg/download.php?file=download.php%3fsource" No luck.
Next, we tried to locate the raw file through :
$ pngcheck -v QfUhZZXf Output (truncated for brevity):
$ gobuster dir -u https://ranoz.gg/ -w /usr/share/wordlists/dirb/common.txt -x .bak,.old,.php~ -t 50 Result: download.php.bak returned a 2 kB file. <?php // Simple file downloader – DO NOT expose to the public! $allowed = ['QfUhZZXf', 'public.txt', 'welcome.html']; if (isset($_GET['file'])) $file = basename($_GET['file']); if (in_array($file, $allowed)) $path = __DIR__ . "/files/" . $file; if (file_exists($path)) header('Content-Type: application/octet-stream'); header('Content-Disposition: attachment; filename="'.$file.'"'); readfile($path); exit;
PNG file: QfUhZZXf (640x480) Chunk tEXt (keyword=Comment, text=...) Chunk iTXt (keyword=secret, compression=deflate, text=...) The iTXt chunk named contains a compressed blob. Extract it with exiftool :
$ exiftool -iTXt:secret QfUhZZXf > secret_compressed.bin $ file secret_compressed.bin secret_compressed.bin: zlib compressed data
Run binwalk and strings for deeper insight:
$ 7z l secret_payload ... 0 0 0 0 0 -rw-r--r-- 0 0 secret.txt Extract:
$ binwalk QfUhZZXf 0 0x0 PNG image, 640 x 480, 8-bit/color RGBA, non-interlaced A PNG header at offset 0! Let’s verify:
$ curl "https://ranoz.gg/download.php?file=download.php%3fsource" No luck.