From nmap, there are ssh and http services.
This is the web page; it uses Magento.
And we can create an account.
There is an admin login page.
I searched for Magento using searchsploit.
I tried to use this python script.
And now, we can login to the admin page using credential
Furthermore, I used another python script, which needs our admin credential forme:forme, and I can do RCE as
I opened a reverse shell. With sudo -l, I found that I can run /usr/bin/vi /var/www/html/* as root.
sudo /usr/bin/vi any file in /var/www/html, and type :!/bin/sh to escape. Now, I get a shell with root privilege.
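
A defensive check for the sudo rule above, as an added example that is not part of the original write-up: it reads sudo -l output and flags rules that let an editor or pager with a shell escape run as another user, or that use wildcards in arguments. The sample output, the user and host names, and the list of binaries are constructed assumptions.

```python
import re
import shlex

# Programs with a built-in shell escape (":!cmd" in vi, "!cmd" in less/more).
# Assumed short list for illustration; extend it for your environment.
SHELL_ESCAPE_BINARIES = {"vi", "vim", "view", "less", "more", "man", "ed"}

# One rule line of `sudo -l` output: "(runas) TAG: TAG: command[, command]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_rules(sudo_l_output):
    """Return [(command, [findings])] for risky rules found in `sudo -l` output."""
    results = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header or Defaults line
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            parts = shlex.split(cmd)
            if not parts:
                continue
            findings = []
            binary = parts[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINARIES and "NOEXEC" not in tags:
                findings.append(f"{binary} can spawn a shell as {m.group('runas')}; "
                                "use sudoedit or the NOEXEC tag instead")
            if any(ch in arg for arg in parts[1:] for ch in "*?"):
                findings.append("wildcard in arguments: pin the exact file paths")
            if findings:
                results.append((cmd, findings))
    return results

# Constructed sample output; user and host names are placeholders.
SAMPLE = """\
Matching Defaults entries for webuser on host:
    env_reset, mail_badpass

User webuser may run the following commands on host:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
    (root) NOPASSWD: sudoedit /var/www/html/index.php
"""

if __name__ == "__main__":
    for command, findings in audit_sudo_rules(SAMPLE):
        print(command)
        for finding in findings:
            print("  -", finding)
```

On the sample, only the vi rule is reported; the sudoedit rule with a fixed path passes.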