# Exploitation

I started playing with the "page" parameter of the website and used LFISuite to try different file paths to see whether it was actually vulnerable to Local File Inclusion.

![](/files/wUkhJsGcJgA9jh5dz00E)

As you can see, I was able to read the access logs for the webserver. These are probably all my requests going out lol.

My favorite tool to use for Local File Inclusion is kadimus. The tool kadimus performs different checks to test whether the application is vulnerable to different RCE methods.

![](/files/vLeyZUmF0vkCNp8E0yip)

The application is vulnerable to `php://input` Remote Code Execution.

To test this out I will make the application output something random.

![I made the machine output "pwned"](/files/BDCnS97nipuwApVdkrvO)

We can take this further to perform arbitrary commands and machinate a reverse shell.

![](/files/COW1Mjr6O2mH0YgFWOh0)

First I wanted to check what the arch of the system was in order to generate a reverse shell in msfvenom and then download it and execute it on the system.

![](/files/xcvEFFZeVBVkonvK86iJ)

Started a Python web server on port 443.

![](/files/pmRBNHz39f3hyM5L0uTv)

![](/files/YbsHqMDIdtjjI49BvrF1)

We see that we were able to download the reverse shell onto the machine; all there was left to do was execute it while my multi handler on Metasploit was listening.

![](/files/TfFDPSc7fi6yf6GttoIj)

And boom. Reverse shell.
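From the defender's side, the requests in this walkthrough leave a recognizable trace in the same access log that was read earlier. The following is an added example, not part of the original write-up: a Python scan that flags stream wrappers, traversal sequences and absolute paths in the `page` parameter. The combined log format, the IP address and the request paths are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

# Combined log format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
WRAPPER_RE = re.compile(r'^\s*(php|data|expect|phar|zip|file|ftp|https?):', re.I)
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
ABSOLUTE_RE = re.compile(r'^([a-zA-Z]:[\\/]|[\\/])')

def classify(value):
    """Return the reasons a file-include parameter value looks abusive."""
    for _ in range(3):  # peel nested URL-encoding such as %252e%252e
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    reasons = []
    wrapper = WRAPPER_RE.match(value)
    if wrapper:
        reasons.append("stream-wrapper:" + wrapper.group(1).lower())
    if TRAVERSAL_RE.search(value):
        reasons.append("path-traversal")
    if ABSOLUTE_RE.match(value):
        reasons.append("absolute-path")
    return reasons

def scan(lines, param="page"):
    """Return (client, method, status, value, reasons) per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        client, method, target, status = m.groups()
        for name, value in parse_qsl(target.partition("?")[2], keep_blank_values=True):
            reasons = classify(value) if name == param else []
            if reasons:
                # With php://input the included "file" is the POST body, which
                # access logs do not record: the parameter is the only trace here.
                findings.append((client, method, status, value, reasons))
    return findings

# Constructed sample lines (documentation IP range, made-up paths).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=main.php HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=..%2f..%2flogs%2faccess.log HTTP/1.1" 200 9000',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "POST /index.php?page=php://input HTTP/1.1" 200 17',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?page=C:%5Cwebroot%5Clogs%5Caccess.log HTTP/1.1" 200 9000',
]
```

A POST finding with `stream-wrapper:php` is the one to escalate first, since the payload itself will only be visible in a WAF, proxy or packet capture that records request bodies.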