.htaccess Backdoor

by Vince

I was looking up information on .htaccess and .htpasswd when I came across a link that described how to leverage .htaccess for persistence with a backdoor.  It piqued my curiosity but after playing around with it for a few minutes, I couldn't get it to work.  I did some Googling and I still couldn't figure out whether or not the post had old information, was incorrect, or what.  But then after thinking about it, I realized, it was far too complicated for what we're really trying to accomplish. 

Odds are pretty good that someone is going to dig through their .htaccess file sooner than, say, some random .txt file that ends up in the webroot after install. So let's go that route.


Vulnhub My Web Server: 1 Walkthrough

by Vince

The description states:  "This boot to root VM is designed for testing your pentesting skills and concepts. It consists of some well known things but it encourages you to use the functionalities rather than vulnerabilities of target."

Another box from my new favorite author. What I like about this one is that you can get lost in the number of avenues, but if we focus on enumeration right from the start, all false avenues can be avoided.

We kick off with Nmap:


Ghostcat Exploit

by Vince

CVE-2020-1938

I'm rewording this somewhat:  "This vulnerability report identified a mechanism that allowed returning arbitrary files from anywhere in the web application."  You can read the full description from the link above. 

We run an Nmap scan and we find the following:
