Ensure we can work on labs (VPN connection) and set up a simple reverse shell along with pwncat-cs shells
Pitfalls to avoid
Installing pwncat was difficult, as the "pip install" command failed; hence relying on "python3 -m pip" instead
Always create a dedicated folder for the lab
Always remember to take screenshots throughout the lab/CTF/pentest/bounty hunt so you don't need to go over the whole process again for the report
The lab details
I'll make a very succinct "lessons learned" (not really a detailed writeup) on this lab,
showing each main step while trying not to be uselessly verbose,
focusing only on important options or tricks that I missed (and so may you).
I took the opportunity to try pwncat-cs for this
It is always good to create a dedicated folder for a lab, a CTF or a pentest.
For this one, I've put all the notes, screenshots, payloads, etc into
Always make screenshots at every stage of your attack, from the very start.
This will make it way easier for you to write your report, be it a lab, a CTF or an actual professional pentest.
You may move the screenshots to the dedicated folder you've created once your mission is accomplished
(flag taken or pentest done).
Here, it wasn't used, but /robots.txt must never be forgotten.
The potential attack vector
Don't forget even weird PHP extensions like php3, php4, php5 and phtml
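The point above seen from the defender's side, as an added example that is not part of the original writeup: an upload handler that only denies ".php" still accepts php3/php4/php5/phtml, which some Apache/PHP handler configurations map to the PHP interpreter. The extension sets, the allow-list and the sample file names below are all constructed for this example.

```python
# Added example: deny-list vs allow-list for upload file extensions.
# Blocking only ".php" leaves the alternative PHP extensions the writeup
# mentions (php3, php4, php5, phtml) wide open; an allow-list closes that gap.
import os

# Constructed: extensions that some PHP handler configurations execute.
PHP_EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml"}

# Constructed allow-list for an image-upload endpoint.
ALLOWED_UPLOAD_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}


def extensions_of(filename: str) -> list:
    """Return every extension in the name, lowercased: 'a.php.jpg' -> ['php', 'jpg'].

    All extensions are inspected, not just the last one, so double-extension
    names that some server configs still hand to PHP are caught as well.
    """
    base = os.path.basename(filename)
    parts = base.split(".")[1:]
    return [p.lower() for p in parts if p]


def denylist_check(filename: str) -> bool:
    """The naive check: accept unless the last extension is exactly 'php'."""
    exts = extensions_of(filename)
    return not (exts and exts[-1] == "php")


def allowlist_check(filename: str) -> bool:
    """Hardened check: every extension must be allow-listed and none may be PHP-executable."""
    exts = extensions_of(filename)
    if not exts:
        return False
    if any(e in PHP_EXECUTABLE_EXTENSIONS for e in exts):
        return False
    return all(e in ALLOWED_UPLOAD_EXTENSIONS for e in exts)


def compare(filenames) -> dict:
    """Return {name: (denylist_accepts, allowlist_accepts)} for each file name."""
    return {n: (denylist_check(n), allowlist_check(n)) for n in filenames}


if __name__ == "__main__":
    # Constructed sample upload names.
    samples = ["photo.jpg", "shell.php", "shell.phtml", "shell.php5", "pic.php.jpg", "README"]
    for name, (deny, allow) in compare(samples).items():
        print(f"{name:12} denylist={'accept' if deny else 'reject':6} "
              f"allowlist={'accept' if allow else 'reject'}")
```

Running it shows the deny-list accepting shell.phtml and shell.php5 while the allow-list rejects them; only photo.jpg passes both.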
Exploit with a reverse shell
It's time to escalate from the www-data user to the root user
Note that the root user may be named admin or sysadmin
Services are just arbitrary commands.
If you have the rights (through the lab/CTF's interface) to start arbitrarily defined services,
then you have RCE (Remote Code Execution) and probably a remote shell
It seems the service file must be named with a .service extension,
hence the mv command
The nc utility gives a very rough reverse shell (no tab completion, no up/left arrow keys, ...),
so you may rely on
instead, which has proper completion and history features
When uploading a file using a reverse shell, ensure you are allowed to write
to the destination directory (here, www-data cannot write to bill's