dev.cmess.htb. This domain hosts a static page that leaks CMS admin panel credential. In the admin panel, there is an upload form where we can upload
php-reverse-shell.phpand catch a reverse shell as www-data.
/adminhas a login form, but we don't know the credential yet:
http://dev.cmess.thmhas a development log. Through the convention between Andre and the support, we can learn his credential
php-reverse-shell.php. It turns out that the uploaded files are stored in
http://cmess.thm/assets/php-reverse-shell.phpand catch a reverse shell as
andre:UQfsdCB7aAP6and now we get a user shell: