Stager

Objective / Scope

You are a member of the Hack Smarter Red Team and have been assigned to perform a black-box penetration test against a client's critical infrastructure. The scope is strictly limited to the following hostnames:

  • web.hacksmarter: Public-facing Windows Web Server (Initial Access Point). Windows Defender is enabled.

  • sqlsrv.hacksmarter: Internal Linux MySQL Database Server.

The exercise is considered complete upon successful retrieval of the Root Flag from sqlsrv.hacksmarter.

Any activity outside of these two hosts or their associated network interfaces is strictly prohibited.

Lab Starting Point

At the beginning of the engagement, another operator exploited a file upload vulnerability and has provided you with a web shell.

`http://web.hacksmarter/hacksmarter/shell.php?cmd=whoami`

