# eXtplorer eXtplorer is a PHP file manager often found under `/filemanager/`. If you already have a web shell, check the web root for it because its local user database can expose reusable credentials. ## Discovery ```bash feroxbuster -u http://TARGET -x php,txt,html ``` Common paths: ``` /filemanager/ /filemanager/index.php /filemanager/config/.htusers.php ``` Version and install clues are often in: ``` /filemanager/README.txt /filemanager/CHANGELOG.txt /filemanager/extplorer.xml ``` ## Credential File If you can read local files as the web server user, inspect: ```bash cat /var/www/html/filemanager/config/.htusers.php ``` Example format: ```php $GLOBALS["users"]=array( array('admin','21232f297a57a5a743894a0e4a801fc3','/var/www/html','http://localhost','1','','7',1), array('dora','$2a$08$HASH','/var/www/html','http://localhost','1','','0',1), ); ``` The first field is the username and the second field is the password hash. ## Cracking Hashes Older/admin entries may be raw MD5: ```bash hashcat -a 0 -m 0 admin.hash /usr/share/wordlists/rockyou.txt # 21232f297a57a5a743894a0e4a801fc3:admin ``` User entries may be bcrypt: ```bash hashcat --identify hashes.txt hashcat -a 0 -m 3200 bcrypt.hash /usr/share/wordlists/rockyou.txt ``` Try cracked user passwords against local users, SSH, `su`, and any other exposed management service. eXtplorer usernames commonly line up with system users in lab environments. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://book.ice-wzl.xyz/things-i-have-pwnd-before/extplorer.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.