During a routine malware cleanup, a file named hax.html caught my attention.
On the outside, the file was a simple “you’re hacked” page that looked like this:
![407 Authentic Exploit Shell](https://i0.wp.com/pcx3.com/wp-content/uploads/2021/02/hax-403.png?resize=736%2C397&ssl=1)
But when a POST request is sent to it, a nice little web shell opens up:
![407 Authentic Exploit Shell](https://i0.wp.com/pcx3.com/wp-content/uploads/2021/02/68747470733a2f2f692e6962622e636f2f677477397a68392f53637265656e73686f742d323031392d30372d32382d30302d34352d34322d3832362d636f6d2d616e64726f69642d6368726f6d652e6a7067.jpeg?resize=562%2C1024&ssl=1)
The default password for this shell is: myshell
Source: GitHub
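
One way to hunt for this GET/POST split in web server logs, as an added example that is not part of the original post: it flags static-looking paths that answered a POST with a 2xx status and notes when the response size differs from what GET returns for the same path. The log lines, the combined log format and the extension list are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines ("combined" format), not from the original post.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2021:10:01:02 +0000] "GET /hax.html HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2021:10:01:09 +0000] "POST /hax.html HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Feb/2021:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Feb/2021:10:02:30 +0000] "POST /contact.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
192.0.2.15 - - [12/Feb/2021:10:03:00 +0000] "POST /index.html HTTP/1.1" 405 166 "-" "curl/7.68.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
STATIC_EXT = (".html", ".htm", ".txt", ".css", ".js", ".jpg", ".png", ".gif")

def find_suspicious_posts(log_text):
    """Return findings for static-looking paths that answered a POST with 2xx."""
    get_sizes = defaultdict(set)   # path -> response sizes seen for successful GETs
    posts = []                     # (ip, path, size) for successful POSTs to static paths
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue               # skip unparseable lines and non-2xx responses
        path = m["path"].split("?", 1)[0]
        size = 0 if m["size"] == "-" else int(m["size"])
        if m["method"] == "GET":
            get_sizes[path].add(size)
        elif m["method"] == "POST" and path.lower().endswith(STATIC_EXT):
            posts.append((m["ip"], path, size))
    findings = []
    for ip, path, size in posts:
        findings.append({
            "path": path,
            "client": ip,
            "post_size": size,
            # A body size never seen on GET suggests the file branches on the method.
            "differs_from_get": bool(get_sizes[path]) and size not in get_sizes[path],
        })
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_posts(SAMPLE_LOG):
        print(finding)
```

A legitimately static file has no reason to return a successful, differently sized response to POST, so each finding is a file worth opening and inspecting by hand.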