@Jordo said:
First day, first attempt at a box. Only mildly discouraged by everyone saying how easy this is :neutral:
I supposedly have RCE access via a php exploit I found, but not sure where to go from here. I can’t change directories, I can’t upload anything, and there’s nothing to run, but I am definitely in a file system as a user.
The exploit has tricked you a little bit by giving you what looks like a functional shell. You actually have a browser based RCE. Read the code of the exploit carefully and you can see the step the author got wrong in their instructions as well. Armed with this information you can build it to a real “shell” on the box.