/internal which has an upload form. The upload form filters .php extension, but Burp Intruder finds that phtml bypasses the filter. Here we rename php-reverse-shell.phtml and get a www-data shell.
/bin/systemctl is SUID. Using an arbitrary file read payload on GTFOBins, we are able to read root.txt without getting a root shell.
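The upload filter described above rejects .php but lets phtml through, which is the usual failure of an extension blocklist. As an added example (not code from the original writeup or from the target application), here is that blocklist beside an allowlist check in Python; the function names, the allowed extensions and the sample filenames are assumptions constructed for illustration.

```python
import os
import secrets
from typing import Optional

# Assumption: the application only needs to accept these file types.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}
# Blocklist in the style the writeup describes: only .php is rejected.
BLOCKED_EXTENSIONS = {"php"}


def blocklist_accepts(filename: str) -> bool:
    """Weak filter: reject only known-bad extensions."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS


def allowlist_store_name(filename: str) -> Optional[str]:
    """Return a server-generated storage name, or None if the upload is rejected."""
    # Drop any client-supplied directory part and reject control bytes (e.g. NUL).
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or any(ord(c) < 32 for c in base):
        return None
    # Trailing dots and spaces are stripped by some filesystems; normalise first.
    base = base.rstrip(". ")
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return None
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    # Reject double extensions such as shell.phtml.jpg: a misconfigured
    # handler may still map the inner extension to an interpreter.
    if "." in stem:
        return None
    # Never reuse the client's name; store under a random one.
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample filenames (not taken from the target).
SAMPLES = ["report.pdf", "php-reverse-shell.php", "php-reverse-shell.phtml",
           "shell.PHP", "shell.phtml.jpg", "photo.JPG", "shell.php."]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:28} blocklist={blocklist_accepts(name)!s:5} "
              f"allowlist={allowlist_store_name(name) is not None}")
```

The extension check is only one layer: the upload directory should also be served without script execution, so a file that slips through is never interpreted.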
php-reverse-shell.php here. However, this file is not present in the
.php file extension is blocked. Brute-force valid file extensions using Burp Suite Intruder. Remember to turn off "URL-encode these characters":
php-reverse-shell.phtml and upload again. This time the file is successfully uploaded:
systemctl. Change the payload to
cat /root/root.txt > /tmp/output: