
Payday 🔸

Enumeration

The web page is

Initial Access

We can log in with admin:admin

Using feroxbuster we discover /admin, and with admin:admin we are inside.

Go to the template editor and upload a PHP reverse shell with a .phtml extension, as seen in

Once uploaded, with the reverse-shell listener set up, browse to http://[victim]/skins/shell.phtml
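The reason the .phtml upload works is that the template editor's file check is a blocklist on the literal ".php" extension, so every other extension the PHP handler executes slips through. The following added example (my own code, not part of this walkthrough or the target application; the allowlist of template extensions is an assumption) shows the weak blocklist next to an allowlist-based check that also rejects double extensions and path components, plus a small detection pass over a constructed skins directory listing that flags files a PHP server would execute.

```python
import os

# Extensions a PHP-enabled web server commonly executes. A blocklist that only
# names ".php" misses the rest, which is exactly why shell.phtml still runs.
PHP_EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phps", ".phar"}

# Extensions a template editor legitimately needs (assumed set for this example).
TEMPLATE_ALLOWLIST = {".html", ".htm", ".css", ".js", ".tpl", ".txt"}

# Constructed directory listing standing in for the target's /skins directory.
SAMPLE_SKINS_DIR = ["index.html", "style.css", "shell.phtml", "logo.png", "menu.js"]


def naive_blocklist_allows(filename: str) -> bool:
    """Weak check: rejects only names ending in '.php', so 'shell.phtml' passes."""
    return not filename.lower().endswith(".php")


def _extensions(filename: str) -> list[str]:
    """Return every extension in the name ('a.php.html' -> ['.php', '.html'])."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return []
    return ["." + p for p in parts[1:]]


def allowlist_allows(filename: str) -> bool:
    """Hardened check: the name must be a bare filename, carry at least one
    extension, every extension must be on the allowlist, and none may be
    PHP-executable (catches 'shell.phtml' and 'shell.php.html' alike)."""
    name = os.path.basename(filename)
    if name != filename or name in ("", ".", ".."):
        return False  # path components or degenerate names are never accepted
    exts = _extensions(name)
    if not exts:
        return False
    if any(e in PHP_EXECUTABLE_EXTENSIONS for e in exts):
        return False
    return all(e in TEMPLATE_ALLOWLIST for e in exts)


def find_executable_uploads(filenames: list[str]) -> list[str]:
    """Detection: names in a template/skins directory that a PHP server would
    execute, i.e. files the editor should never have accepted."""
    return sorted(
        f for f in filenames
        if any(e in PHP_EXECUTABLE_EXTENSIONS for e in _extensions(f))
    )


if __name__ == "__main__":
    for name in ("page.html", "shell.php", "shell.phtml", "shell.php.html"):
        print(f"{name:16} blocklist={naive_blocklist_allows(name)!s:5} allowlist={allowlist_allows(name)}")
    print("executable files in skins dir:", find_executable_uploads(SAMPLE_SKINS_DIR))
```

The allowlist rejects logo.png as well, which is intentional for a template editor that should only hold text assets; the detection function is narrower and only reports files that would actually execute, so it can be run over an existing directory without flooding the output with harmless extras.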

Privilege Escalation

Get local.txt

Enumerating users we find patrick; trying the user patrick with the password patrick works.

And patrick has all privileges.
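A low-privilege account holding unrestricted sudo rights is what turns the foothold into root here. As an added example (my own code, not from this walkthrough; the sudoers text below is constructed and not taken from the target), this small audit parses sudoers-style rules and reports non-root users or groups granted `ALL` commands, and any rule tagged `NOPASSWD`, which is the check a defender would run on the host before an attacker does.

```python
import re

# Constructed sudoers content for the example; real files may also pull in
# /etc/sudoers.d/* via #includedir, which this parser does not follow.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed example)
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
patrick         ALL=(ALL) ALL
%admin          ALL=(ALL) ALL
deploy          ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
"""

# user_or_group  hosts = (runas) [TAG:]... commands
SUDO_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:\w+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def audit_sudoers(text: str) -> list[tuple[str, str]]:
    """Return (principal, finding) pairs for risky rules in sudoers text."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        who = m["who"]
        cmds = m["cmds"].strip()
        tags = m["tags"] or ""
        if cmds == "ALL" and who != "root":
            findings.append((who, "unrestricted ALL"))
        if "NOPASSWD:" in tags:
            findings.append((who, "NOPASSWD"))
    return findings


if __name__ == "__main__":
    for who, finding in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who:10} {finding}")
```

Every principal other than root with `ALL` is reported, including `%admin` group rules, since group membership is a common way a user ends up with full privileges without a line naming them directly.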

Post Exploitation

Get the flag