From nmap, there are ssh and http service.

Local Picture

This is the web page, it shows Cewl, which is a hint.

Local Picture

From gobuster, we found a secret.txt, it’s base64 encoded from Curling2018!.

Local Picture

And there is a /administrator/ login page.

Local Picture

I use cewl -w cewl.out http://10.10.10.150/ to create a wordlist, and using wfuzz to find the username with password Curling2018!. We got Floris.

Local Picture

Now, we can login to the Control Panel.

Local Picture

Go to Extentions -> Templates, and choose either one.

Local Picture

Local Picture

Create a new file reverse.php and paste our reverse shell payload.

Local Picture

We can access the php reverse shell.

Local Picture

We get a reverse shell as www-data.

Local Picture

We cannot access user.txt, but we found password_backup at Floris’s directory.

Local Picture

I use CyberChef to decompress it, and get file password.txt.

Local Picture

Now I am Floris. There is a directory /admin_area/, and a file input contains url.

Local Picture

The file report is the web page.

Local Picture

I revise input to file:///root/root.txt, and watch report.

Local Picture

We get the flag.

Local Picture