Port enumeration

Using nmap, I found ssh and http open. 54be77ce1fb3e5eb9efedc8adf2dabef.png

Web enumeration

Using site map, I was able to find a login page. ceea6fd80d0893da2ffb62056ed41238.png Here, I found a log page. 86b898fc7ed6569771122cbeeb4a1bc2.png Using the option login as guest I can access the page. 53a7ca7cfb5bcb1659ff35df19349146.png After some enumeration, I found a page who allows you to see your user info, including your access ID. 928c09a958755957c13c94b31852094a.png

IDOR explotaition

Changing the ID in the URL, I can access the info of admin user. 36ac692d9051af647b77ef8435b55103.png With this ID, I am able to access as admin user changing the cookies. 71b1bbe1c59ebe20ac66d7757b4a8ae2.png

Insecure file upload

As admin I am able to access a page who allows you to upload files into the local machine. 57b8461562c97cfa84cada0b5d2fbb99.png Using this panel, I upload a reverse shell. 1d0142042a1d72e8db605b3c3ece3ade.png 9a116486259a77319e28cbfdbef411fc.png And reading the user flag. 7813ba85da5a55b937dc1271962a5802.png

Robert user

Reading the database config file in the php files I found a password who can be used to log as robert. 4ac067428dd26aa809b1de5f27f149ca.png 0479c097ec988af703743aa3ce00d8b9.png

Privilege escalation

With find, I found a root binary with SUID activated. 59c8abe134b382740f5cc85c60a0a3cd.png 2961b295473795e49f63d4de1d028469.png This ELF binary allows me to read local files. 9469f194920a3778e39c636e5b1184a7.png Using a reverse path vulnerability, I am able to read the root flag. aae6390ac84cf896167ad1de7107a7a3.png