From nmap, there are ssh and http service opened.
This is the web page.
With gobuster, I found other directories.
I used sqlmap to check if there is SQLi in the login page from
And there it is, it is running MySQL.
I login as
admin with SQLi, and I can edit torrent to upload my stuff. There is a
upload directory to access uploaded files.
I create a file
test.png, which is a php reverse shell script.
I upload it as a screenshot.
It is right there. But I need to change its extension so that it can be executed.
/rename, I made the extension to
Access it, I got the reverse shell as
LinPEAS, it showed the linux version 2.6.31, and
Dirty COW should work.
I executed the script. After that, I can switch to the new user
firefart, who had the root privilege.