TryHackMe-Vulnversity

NMAP

Dirbuster

/internal is a page where we can upload an image and through /images we can view it.

Burpsuite

We cannot upload a PHP reverse shell because its extension is not allowed, so we make a wordlist of possible PHP extensions to bypass the blacklist.

.phtml is the only extension that is accepted, so we change our reverse shell's extension, upload it, and set up a netcat listener in our terminal.

Then we access the reverse shell on the web server.
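Why the blacklist fails and what a stricter upload check looks like, as an added example that is not code from the room or from this write-up. The deny-list contents, function names and sample uploads are assumptions constructed for illustration.

```python
import os
import uuid

# Constructed deny-list for illustration; the real server's list is not shown on the page.
DENYLIST = {".php", ".php3", ".php4", ".php5"}

# Allow-list: extension we are willing to store -> magic bytes the content must start with.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def denylist_accepts(filename: str) -> bool:
    """Weak check: rejects only the extensions someone remembered to list."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENYLIST

def allowlist_store_name(filename: str, content: bytes):
    """Hardened check: return a server-chosen file name, or None if rejected."""
    ext = os.path.splitext(filename)[1].lower()
    if ext == ".jpeg":
        ext = ".jpg"
    magics = IMAGE_MAGIC.get(ext)
    # Extension must be a known image type AND content must match that type.
    if magics is None or not content.startswith(magics):
        return None
    return uuid.uuid4().hex + ext  # the client's base name is discarded

def compare(samples):
    """Return {filename: (denylist_accepts, allowlist_accepts)} for each sample."""
    return {name: (denylist_accepts(name), allowlist_store_name(name, data) is not None)
            for name, data in samples}

# Constructed sample uploads (not taken from the page).
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP = b"<?php /* placeholder body */ ?>"
SAMPLES = [
    ("photo.png", PNG),
    ("upload.php", PHP),
    ("upload.phtml", PHP),     # passes the deny-list, as on the page
    ("upload.png", PHP),       # image extension, non-image content
    ("photo.png.phtml", PNG),  # image content, executable extension
]

if __name__ == "__main__":
    for name, (weak, strong) in compare(SAMPLES).items():
        print(f"{name:16} denylist={weak!s:5} allowlist={strong}")
```

The allow-list check is only one layer: the upload directory should also be configured so the web server never executes files stored in it.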

Stabilize Shell

First get a bash shell with python -c 'import pty; pty.spawn("/bin/bash")'. Then:

  1. Press Ctrl+Z.
  2. Run stty raw -echo.
  3. Type fg and press Enter twice.

You will get a stabilized shell with tab completion. Then run export TERM=xterm to be able to use the clear command.

Privilege Escalation

Now we have to find a file that has the SUID bit set. We can issue a command to find these files:

find / -perm /4000

And we will find systemctl, which has the SUID bit set.

Now search for systemctl on GTFOBins and slightly modify the command there to run chmod +s /bin/bash. It will set SUID on bash so that it runs as root.

Now run the command bash -p and you will be root.

Smol Pentester | CTF Player | UwU
