The nmap scan shows SSH and HTTP services.
This is the web page.
Looking at the source code, there is an interesting comment.
This is the directory, and I use gobuster on this directory.
This is the README; it shows that version 4.0.3 is in use.
This is the admin page. I tried some basic credentials such as
Now we are able to log in as admin.
There is a plugin page; after uploading a file, it will be stored as
So we upload a PHP reverse shell. By accessing it, we get a shell as user nibbler and get user.txt. Running sudo -l shows that we can run /home/nibbler/personal/stuff/monitor.sh as root.
This is a piece of code from monitor.sh; it copies bash to the local directory with the SUID bit set. Run ./bash -p, and we can run bash as root.
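The root cause above is a sudo rule that names a script inside a user's home directory. As an added example (not part of the original write-up), this audit walks a sudoers command path and flags every component a non-root user could change; TRUSTED_UID and the optional stop directory are hypothetical parameters of this sketch, and GNU stat is assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): audit the command path of a
# sudoers rule. If the file, or any directory above it, can be changed by a
# non-root user, that user decides what root executes.
# Assumes GNU stat (Linux). TRUSTED_UID and the optional stop directory are
# hypothetical knobs for this sketch; the defaults are uid 0 and "/".

# Return 0 (loose) when the path is missing, is not owned by the trusted uid,
# or is writable by group or other. Return 1 when it is tight.
is_loose() {
    local st owner mode
    st=$(stat -c '%u %a' -- "$1" 2>/dev/null) || return 0
    owner=${st% *}
    mode=${st#* }
    if [ "$owner" != "${TRUSTED_UID:-0}" ]; then return 0; fi
    # Octal permission bits: 020 is group write, 002 is other write.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then return 0; fi
    return 1
}

# Print each finding for TARGET and its parent directories.
# Returns 0 = clean, 1 = findings, 2 = usage error.
audit_sudo_target() {
    local p stop findings
    p=$1; stop=${2:-/}; findings=0
    case "$p" in
        /*) ;;
        *) echo "need an absolute path: $p" >&2; return 2 ;;
    esac
    if [ ! -e "$p" ]; then
        # Whoever can write the parent directory can create the file.
        echo "MISSING  $p"
        findings=1
        p=$(dirname "$p")
    fi
    while :; do
        if is_loose "$p"; then
            echo "LOOSE    $p"
            findings=1
        fi
        if [ "$p" = "/" ] || [ "$p" = "$stop" ]; then break; fi
        p=$(dirname "$p")
    done
    return "$findings"
}

# Usage: ./audit.sh /home/nibbler/personal/stuff/monitor.sh
[ "$#" -eq 0 ] || audit_sudo_target "$@"
```

A clean result requires the script and every directory above it to be owned by root and not writable by group or other, which a path under a user's home directory cannot satisfy.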