Zipper
Nmap output
We have a file to zip service on port 80
When we click on Home button we see a file parameter where if we parsed the php://filter/convert.base64-encode/resource=home php b64 wrapper we get code of home in base64. which indicates we can utilize php wrapper
We got source code of upload using the same method & it shows it taking creating a zip and with file we uploaded in it
We uploaded a shell.php and we got http://192.168.239.229/uploads/upload_1761374058.zip this download link
We used zip php wrapper to gain command execution from the uploaded shell inside the zip
Used it to gain reverse shell
We got local.txt (5a87c73bd51583c4f543ca19b16e58d3)
We have /opt/backup.sh running as root
We have this code running as root
So It’s going to /var/www/html/uploads and removing all the tmp files. Then it’s zipping /opt/backups/backup.zip with password which is /root/secret and all the zip file in /var/www/html/uploads is stored in backup.zip. And the output of the script running is saved to /opt/backups/backup.log
There’s enox.zip file which is symlink to /root/secret
So when we see the backup.log we see WildCardsGoingWild as it has proccessed the symlink and got data from it
Used the secret as password for root & got root
Got proof.txt (c166be268a1df5f37a42da3a3a89683f)












