From nmap, the ssh and http services are open.
This is the web page.
/listfile.php, seems like it executes ls and prints out the output.
In pwnbackup.txt, there is an encoded string.
I got the password by decoding it 13 times with base64.
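Added example, not from the original writeup: a decoder that strips stacked base64 layers and reports how many there were, which shows that repeating the encoding adds no secrecy to a stored password. The sample secret is constructed, and the names `wrap` and `peel` are hypothetical.

```python
import base64
import binascii

PRINTABLE = set(range(32, 127)) | {9, 10, 13}


def wrap(secret: bytes, layers: int) -> bytes:
    """Build a constructed sample: base64-encode `secret` `layers` times."""
    for _ in range(layers):
        secret = base64.b64encode(secret)
    return secret


def peel(blob: bytes, max_layers: int = 64):
    """Strip base64 layers until the data is no longer valid base64 text.

    Returns (innermost_bytes, layers_removed). Stops early rather than
    decoding into binary garbage, and never loops more than max_layers.
    """
    layers = 0
    while layers < max_layers:
        # Tolerate line wraps that files and web pages often introduce.
        candidate = b"".join(blob.split())
        if not candidate or len(candidate) % 4:
            break
        try:
            decoded = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            break
        # A text secret decodes to printable bytes; anything else means
        # the previous layer was already the innermost one.
        if not decoded or any(b not in PRINTABLE for b in decoded):
            break
        blob, layers = decoded, layers + 1
    return blob, layers


if __name__ == "__main__":
    sample = wrap(b"Constructed-Sample-Pw!", 13)  # constructed input
    plain, count = peel(sample)
    print(f"{count} layers -> {plain.decode()}")
```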
/browse.php, there is LFI. In /etc/passwd, I got the username
Now, I can ssh to the server as charix. There is secret.zip, which can be unzipped with charix’s password. And there is Xvnc running at port 5901.
I redirect it to local and execute vncviewer with the extracted file as the password file.
Now, I am root.