From nmap, there are ssh and http service.

Local Picture

This is the web page.

Local Picture

From gobuster, we found that there is upload.php, photos.php, /backup/, and /uploads/.

Local Picture

Local Picture

Local Picture

There are source code in backup.tar, which is upload.php and lib.php.

Local Picture

Local Picture

What I did was add php reverse shell payload at the end of the image and upload it.

Local Picture

After we upload it, we can access it from directory /uploads/. The file name is 10_10_14_15.php.png, and we are now user apache. There is a file crontab.guly, and it indicates that check_attack.php is executed every 3 minute.

Local Picture

Take a look at it, we can do code injection at line 28, where $value is the filename.

Local Picture

I create a file named a;python.... A reverse shell will be executed when line 28 is executed.

Local Picture

Now, we are guly, with sudo -l, I found that I can run changename.sh with root privilege.

Local Picture

This is the source code of changename.sh. I typed a bash as my first input, so when the config is executed, I can get the shell as root.

Local Picture

Local Picture