/internal, which has an upload form. The upload form filters the .php extension, but Burp Intruder finds that .phtml bypasses the filter. Here we rename php-reverse-shell.php to php-reverse-shell.phtml and get a www-data shell. /bin/systemctl is SUID; using the arbitrary file read payload from GTFOBins, we are able to read root.txt without getting a root shell.

/internal:
Upload php-reverse-shell.php here. However, this file is not present in the /internal/uploads directory:

The .php file extension is blocked. Brute-force valid file extensions using Burp Suite Intruder. Remember to turn off "URL-encode these characters":

.phtml is not blocked:

Rename the file to php-reverse-shell.phtml and upload again. This time the file is successfully uploaded:

We get a www-data shell:

/bin/systemctl is SUID:

Follow the GTFOBins SUID entry for systemctl. Change the payload to cat /root/root.txt > /tmp/output:

root.txt is now readable from /tmp/output:
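As an added, defender-side example (not part of this write-up or the target application), the Python below contrasts the kind of extension blocklist the write-up defeats with .phtml against an allowlist check that admits only the extensions the feature actually needs. The allowed extensions and the 64-character name limit are assumptions.

```python
import os
import re
from typing import Optional

# Assumption: the form only ever needs images and PDFs. Anything else,
# including every PHP-handled extension (.php, .phtml, .phar, ...), is rejected.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}
MAX_STEM_LEN = 64


def blocklist_allows(filename: str) -> bool:
    """The weak check from the write-up: reject only a literal '.php' suffix.

    Any alternate extension the server still maps to the PHP handler
    (for example .phtml) passes straight through.
    """
    return not filename.lower().endswith(".php")


def allowlist_check(filename: str) -> Optional[str]:
    """Return a sanitised storage name, or None if the upload must be rejected.

    Only the final extension is consulted and it must be in ALLOWED_EXTENSIONS,
    so .phtml and friends never reach disk. Path components are dropped and the
    base name is reduced to a safe character set, which also neutralises
    double-extension names such as 'shell.phtml.png'.
    """
    base = os.path.basename(filename)      # strip any directory traversal
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    # Replace every character outside [a-z0-9_-]; dots inside the stem become
    # underscores so no inner extension survives for a multi-extension handler.
    stem = re.sub(r"[^a-z0-9_-]", "_", stem.lower())[:MAX_STEM_LEN]
    if not stem:
        return None
    return stem + ext


if __name__ == "__main__":
    for name in ("php-reverse-shell.php", "php-reverse-shell.phtml", "shell.phtml.png"):
        print(f"{name}: blocklist={blocklist_allows(name)} allowlist={allowlist_check(name)}")
```

The upload directory should additionally be served with script execution disabled, so that a bypass of the name check alone does not yield code execution.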