• netdiscover
  • Nmap
  • Nikto
  • Wfuzz
  • Netcat

Use netdiscover to find the target's IP address:

netdiscover -i eth0 -r

The host it discovers is the target.

Then run nmap to find open ports and the services running on the target machine:

nmap -sV -v -O -A -T5 -p-

Only port 80 is open.

Use wfuzz to brute-force directories on the web server:

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 2>/dev/null

Use nikto to scan the web server:

nikto -h

It looks like there is a PHP file inclusion vulnerability.

Let's confirm it:

(The %00 after /etc/passwd is needed because the PHP code appends a .php suffix to the included path; the null byte truncates the string so the suffix is dropped.)

I tried to exploit remote file inclusion:

Doesn’t work.

Examining the webpage, I find that I can upload PDF files to the server. I tried simply renaming webshell.txt to webshell.pdf, but the server doesn't accept it. I guess the server validates the PDF file format. So I create a crafted PDF file:

Upload it. Works.
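The two server-side weaknesses used above are the include() that appends ".php" to user input (defeated with a null byte, which only truncates the path on PHP older than 5.3.4) and a PDF check that a crafted file satisfied. As an added example, not code from the target machine or the original post, here is a Python model of how both checks should have been written; the allowlist, the sample bytes and the function names are constructed for illustration.

```python
import re

# Constructed allowlist of page names the application is allowed to include.
ALLOWED_PAGES = {"home", "about", "contact"}

# Constructed samples: a minimal real PDF and a "PDF" carrying PHP code.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
SAMPLE_CRAFTED = b"%PDF-1.4\n<?php echo 'hello'; ?>\n%%EOF\n"


def resolve_include(page: str):
    """Map a user-supplied page name to an include path, or return None.

    Rejects null bytes, path separators and traversal outright, then requires
    the name to be on a fixed allowlist. The ".php" suffix is appended only to
    a value that has already been accepted, so truncation tricks have no effect.
    """
    if "\x00" in page or "/" in page or "\\" in page or ".." in page:
        return None
    if not re.fullmatch(r"[a-z0-9_-]+", page):
        return None
    if page not in ALLOWED_PAGES:
        return None
    return f"pages/{page}.php"


def is_acceptable_pdf(data: bytes) -> bool:
    """Stricter upload check than 'starts with %PDF'.

    Besides the header, require the %%EOF trailer near the end and refuse any
    file containing a PHP open tag, which a genuine PDF has no reason to carry.
    Accepted files should still be stored outside the web root and served
    without a PHP handler; content checks alone are not a sufficient defence.
    """
    if not data.startswith(b"%PDF-"):
        return False
    if b"%%EOF" not in data[-1024:]:
        return False
    if b"<?php" in data:
        return False
    return True


if __name__ == "__main__":
    print(resolve_include("about"), resolve_include("../../etc/passwd\x00"))
    print(is_acceptable_pdf(SAMPLE_PDF), is_acceptable_pdf(SAMPLE_CRAFTED))
```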

Now try to visit it after logging in.

Try to verify the webshell:

Looks good.

Set up a netcat listener on my Kali box and run the command on the server:

And get the shell: