This is a writeup for the RootMe CTF from TryHackMe.
- We start by scanning the target IP address with nmap.
We can see that we have 2 open ports: 80-http and 20-ssh.
Next we have to find: What version of Apache is running?
We can access the server interface through the web and request a wrong, random directory like http://10.10.253.225/anything
and we can see the version of Apache.
We saw before in Q-1, with the nmap scan, that ssh is running on port 22.
We can now use gobuster to find directories:
gobuster dir -u http:// -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -x html,php,txt
We can see that we have a find:
/panel/
- which is the secret directory.
- User flag:
First we need to visit the secret directory /panel/
We can see that we have a file input that we can upload files to,
using what is known as Unrestricted File Upload to get an RCE.
I asked ChatGPT for the PHP web shell file
" . shell_exec($cmd) . "
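
How the steps in this writeup (the gobuster scan, then the upload through /panel/) look in the Apache access log, as an added detection example that is not part of the original writeup. The log lines are constructed, and the /uploads/ path, the image allowlist and the 404 threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed paths: /panel/ is from the writeup, /uploads/ is a hypothetical storage directory.
UPLOAD_FORM, UPLOAD_DIR = "/panel/", "/uploads/"
IMAGE_OK = re.compile(r"\.(png|jpe?g|gif)$", re.I)  # assumed allowlist of served types
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse(lines):
    """Yield (ip, time, method, url, status) from Apache combined-format lines."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ip, ts, method, url, status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, url, int(status)

def detect(lines, max_404=20, window=timedelta(seconds=60)):
    """Alert on 404 bursts and on non-image files fetched from the upload directory."""
    alerts, recent_404, noisy, uploaders = [], defaultdict(list), set(), set()
    for ip, ts, method, url, status in parse(lines):
        path = url.partition("?")[0]
        if status == 404:
            hits = recent_404[ip]
            hits.append(ts)
            while ts - hits[0] > window:  # drop 404s that fell out of the window
                hits.pop(0)
            if len(hits) >= max_404 and ip not in noisy:
                noisy.add(ip)
                alerts.append(("dir-enumeration", ip, path))
        elif method == "POST" and path.startswith(UPLOAD_FORM):
            uploaders.add(ip)  # remember who used the upload form
        elif (ip in uploaders and status == 200 and path.startswith(UPLOAD_DIR)
              and not path.endswith("/") and not IMAGE_OK.search(path)):
            alerts.append(("upload-dir-non-image", ip, url))
    return alerts

# Constructed sample log (not taken from the room): a wordlist scan, then an upload.
SAMPLE = [f'10.9.0.5 - - [01/Jan/2024:10:00:{i:02d} +0000] "GET /word{i} HTTP/1.1" 404 274 "-" "gobuster/3.6"'
          for i in range(25)] + [
    '10.9.0.5 - - [01/Jan/2024:10:01:00 +0000] "GET /panel/ HTTP/1.1" 200 732 "-" "Mozilla/5.0"',
    '10.9.0.5 - - [01/Jan/2024:10:01:20 +0000] "POST /panel/ HTTP/1.1" 200 801 "-" "Mozilla/5.0"',
    '10.9.0.5 - - [01/Jan/2024:10:01:30 +0000] "GET /uploads/cat.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.9.0.5 - - [01/Jan/2024:10:01:40 +0000] "GET /uploads/a.php?cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The second alert only fires because the server answered 200 for a non-image file in the upload directory; storing uploads outside the web root or disabling script execution there removes that path entirely.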