Port enumeration

Using nmap, I found port 20 and port80 open. 13d0ac83b2ced9807d06f3341fe4a5eb.png

Web enumeration

Using ffuf, I found a login directory. 38a5c84519278af1ee6efa53023f8b38.png Fuzzing inside the login directory, where I also founs a swp version of login.php f84874843aaa8e8f2524e38271a538ce.png Reading the login.php code, I found a vulnerability. 55777b67e7a2798e4044670c1cbbbd91.png This code is using strcmp(), if the creds are correct, it will return 0. But it is designed to compare strings, and if you send something that is'nt a string, will return 0. Knowing that, I send a array to the page. cc7256e8c3dac0487a44fc3021617f5f.png With this, I logged in the web panel.

RCE with file upload

After logging, I can see a page that allows me to upload any file to the local file system. 1430c2b59c866df8b8b20aadf30c7fb7.png I uploaded a php reverse shell, and executed it inside the _uploaded directory, who I found in the ffuf enumeration. e4cf1d8d96202930aad6c82775cb5c15.png b32e7d7cb310bd9ce1fdf9f339e0d06a.png

John user

Reading the php files, I found some credentials. 3659ea9a70c96265d5e4b302b97e4992.png With this credentials, I logged as John user. 74dc3ab082d24392bd9bde8bb0280308.png

Privilege escalation

John can use find as root. dd1057eaec24e8206b1f806ff7d0d3c0.png Using the binary find with sudo, I execute a shell, getting a root shell. be7a001a9c24e9b341327c2f1284d1c1.png