Tuesday, 21 March 2017

Pluck challenge


Let's start the challenge.

Nmap scanning

OK, we discovered four open ports. Let's begin, as always, with the web application.

So, let's penetrate the web application deeper. We can also see that the dashboard has a link to the admin panel.

Good, we discovered LFI. We can see very interesting information in /etc/passwd, namely:
backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh
Let's try to display the content of the file.

We know that our target hosts a TFTP service, and if we can connect to it we will (probably) be able to download the /backups/backup.tar file.

Excellent! Let's examine what the backup.tar file is.

Wow, as far as I know the file is a backup of /var/www/html/* and /home/* files! In particular in /home/* we will be able to find some SSH keys.
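The same finding from the defender's side, as an added example that is not part of the original post: a check that scans a backup archive for SSH private key material before the archive is left somewhere an unauthenticated service such as TFTP can serve it. The function names and the in-memory sample archive (its layout and placeholder file contents) are constructed for illustration.

```python
import io
import re
import tarfile

# PEM header of a private key: OpenSSH, RSA, EC, DSA, PKCS#8 (plain or encrypted).
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
HEAD_BYTES = 4096  # the PEM header sits at the start of a key file


def find_private_keys(archive):
    """Return the sorted names of tar members that contain private key material."""
    findings = []
    with tarfile.open(fileobj=archive, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # skip directories, symlinks and device nodes
            handle = tar.extractfile(member)
            if handle is None:
                continue
            if PRIVATE_KEY_RE.search(handle.read(HEAD_BYTES)):
                findings.append(member.name)
    return sorted(findings)


def build_sample_backup():
    """Constructed sample: an in-memory tar laid out like a /home + web root backup."""
    files = {
        "home/paul/keys/id_key1": b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n",
        "home/paul/keys/id_key1.pub": b"ssh-rsa PLACEHOLDER paul@example\n",
        "home/paul/keys/id_key4": b"-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n",
        "var/www/html/index.php": b"<?php echo 'constructed'; ?>\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name in find_private_keys(build_sample_backup()):
        print("private key in backup:", name)
```

Any hit means the archive should be treated as a credential store: restrict who can read it, keep it off file-transfer services that lack authentication, and rotate the keys if it was already exposed.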

Awesome! Using id_key4, we get the following screen.

Editing /home/paul/keys/id_key1.pub via Edit file, we are able to get paul's shell using the vim trick: :set shell=/bin/bash and :shell.

Excellent! We have got a limited shell! We can see that the Linux kernel is 4.8, and we can find a valid local privilege escalation exploit.

Very good! We are root!

Game over