Port enumeration

I found 2 open ports, 68 and 69, dhcp and tftp. 6941e2b21183eae078fb29a95050ec2f.png And an http server. 64e07ca4d2c94528e1309cb5e7c468dd.png

Web enumeration

This web have a LFI vulnerability. b6403463d89838cf96e91fc254f1f27d.png Using this vulnerability, I was able to read the .htpasswd file. 8b35dc27d866473c6f809ef5d67dd5e6.png

RCE with tftp and LFI.

Now, I can log in the tftp server and upload a php reverse shell. 262108732cf72e2082621810cd4c7105.png Now, using the LFI, I execute the php remote shell. 9eeaf64f53ed23e06789bcfc7bb1f114.png 250ec250eab7085f9bd85f4d10699321.png Now, using the credentials who I found in .htpasswd, I can log ass mike and read the user flag. 57ab9e1a302a99a2cedae8d0acd7c802.png ac4ba2bcbac96b169065f8ebac84c23c.png

Privilege escalation

Mike is inside the lxd group. f6c64cf8f7e45e9f31c01845e7e747ef.png Now, I just need to build a lxc image. deacad27acbfee15d324672445e7655b.png Put this image in the machine. 32864ed78eb22beeb21285997804b9d5.png Import the image in lxc. e7b8c519fea608d6b214a12f4f7c5318.png And create a container mounting all the disk inside it. d6b1695ebf09a6bcbf9d1a2864cf67f0.png Inside this machine, I have root access to all the filesystem. 2731f711c35b8aa4b3e0ca457a64a806.png Here, I can read the flag, but I created a shell outside the container creating a bash binary with SUID perm. 6d1fa6980973d6ede8fa28b5729ff0da.png e3effc481a446501dff8ca5f008bedd1.png 76b80d121a46b2bc8116be0fe62236ac.png And now, I have the root shell outside the container, this was unecesary, but its more convenient. 6d62fe7276eaa8003f25b446babb8cfd.png