Zipper

Nmap output

We have a file to zip service on port 80

When we click on Home button we see a file parameter where if we parsed the php://filter/convert.base64-encode/resource=home php b64 wrapper we get code of home in base64. which indicates we can utilize php wrapper

We got source code of upload using the same method & it shows it taking creating a zip and with file we uploaded in it

We uploaded a shell.php and we got http://192.168.239.229/uploads/upload_1761374058.zip this download link

We used zip php wrapper to gain command execution from the uploaded shell inside the zip

Used it to gain reverse shell

We got local.txt (5a87c73bd51583c4f543ca19b16e58d3)

We have /opt/backup.sh running as root

We have this code running as root

So It’s going to /var/www/html/uploads and removing all the tmp files. Then it’s zipping /opt/backups/backup.zip with password which is /root/secret and all the zip file in /var/www/html/uploads is stored in backup.zip. And the output of the script running is saved to /opt/backups/backup.log

There’s enox.zip file which is symlink to /root/secret

So when we see the backup.log we see WildCardsGoingWild as it has proccessed the symlink and got data from it

Used the secret as password for root & got root

Got proof.txt (c166be268a1df5f37a42da3a3a89683f)