From nmap, there are ssh and http service.
This is the web page.
There is a robots.txt, which shows that directory
Looking at its source code, I found that it uses
CMS Made Simple.
I tried to do SQL Injection with the python script from searchsploit.
We get lots of useful information.
We can ssh to the server as user
pspy64, I saw
run-parts command is executed as
jkr connected to ssh.
run-parts to a script, which copies SUID bash to jkr’s home directory.
After connecting to the server again, I got the SUID bash and run as root.