From the nmap scan, there are SSH and HTTP services.

This is the web page.

There is a robots.txt, which shows that the directory /writeup/ exists.

Looking at its source code, I found that it uses CMS Made Simple.

I tried SQL injection with the Python script from searchsploit.

We get lots of useful information.

We can ssh to the server as user jkr.

With pspy64, I saw that the run-parts command is executed as root when jkr connects over SSH.

I modified run-parts into a script, which copies a SUID bash to jkr’s home directory.

After connecting to the server again, I got the SUID bash and ran it as root.
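
A defender-side check for the artifact this escalation leaves behind, as an added example that is not part of the original writeup: it lists setuid files under a directory whose contents are byte-identical to an installed shell, so a renamed copy is still caught. The function name and output format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the writeup): find setuid copies of a shell.
# Matching is by file content, not by name, so "bash" renamed to
# ".cache_helper" is still reported.

# Print the installed shells to compare against, one path per line.
known_shells() {
    {
        grep '^/' /etc/shells 2>/dev/null || true
        command -v bash || true
        command -v sh || true
    } | sort -u
}

# find_suid_shell_copies DIR
# Prints "<path> uid=<owner uid> copy-of=<shell>" for every setuid regular
# file under DIR that is byte-identical to a known shell.
# Limitation: paths containing newlines are not handled.
find_suid_shell_copies() {
    dir=$1
    shells=$(known_shells)
    find "$dir" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        for sh in $shells; do
            [ -f "$sh" ] || continue
            if cmp -s "$f" "$sh"; then
                # Numeric owner: uid=0 means the copy runs with root's euid.
                uid=$(ls -ldn "$f" | awk '{print $3}')
                printf '%s uid=%s copy-of=%s\n' "$f" "$uid" "$sh"
                break
            fi
        done
    done
}

# Stand-alone use: sh scan.sh /home /tmp /var/tmp
if [ "$#" -gt 0 ]; then
    for d in "$@"; do
        find_suid_shell_copies "$d"
    done
fi
```

A hit owned by uid 0 outside the system binary directories is worth treating as evidence of a completed escalation, not just a misconfiguration.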
