From nmap, the ssh, http, and https services are open.

This is the web page.

And this is the https web page.

From the certificate, I got other domains and an email address.

There is a login page. I tried SQL Injection with the email, and succeeded.

This is the dashboard.

The important part is tools.php; it seems that it executes preg_replace() when we generate an OpenVPN config.

I found a blog post about command injection for this circumstance.

First, change /ip_address/ to /ip_address/e, which will cause PHP to execute the result of the preg_replace() operation as PHP code. Finally, insert the reverse shell payload in the parameter ipaddress.
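
On the defending side, the change to the pattern described above is visible in the request body. The following is an added example, not part of the original write-up, that flags form submissions carrying a PCRE pattern with the `e` modifier; the field names `pattern` and `text` and the sample bodies are constructed assumptions.

```python
# Added example: flag form submissions that carry a PCRE pattern with the
# "e" (PREG_REPLACE_EVAL) modifier. The modifier was deprecated in PHP 5.5
# and removed in PHP 7.0, so a request supplying it targets legacy code.
from urllib.parse import parse_qsl

# PHP allows bracket-style delimiters that close with a different character.
CLOSERS = {"(": ")", "[": "]", "{": "}", "<": ">"}
PCRE_MODIFIERS = set("imsxeADSUXJu")


def pcre_modifiers(value):
    """Return the modifier string if value parses as a delimited PHP
    regex such as /ip_address/e, otherwise None."""
    value = value.strip()
    if len(value) < 2:
        return None
    opener = value[0]
    # PHP rejects alphanumerics, backslash and whitespace as delimiters.
    if opener.isalnum() or opener.isspace() or opener == "\\":
        return None
    closer = CLOSERS.get(opener, opener)
    end = value.rfind(closer)
    if end <= 0:
        return None
    mods = value[end + 1:]
    return mods if set(mods) <= PCRE_MODIFIERS else None


def eval_modifier_params(body):
    """Return names of form parameters whose value is a regex using /e."""
    flagged = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        mods = pcre_modifiers(value)
        if mods is not None and "e" in mods:
            flagged.append(name)
    return flagged


# Constructed request bodies; "pattern" and "text" are assumed field names.
SAMPLES = [
    "pattern=%2Fip_address%2F&ipaddress=10.10.10.1&text=remote+ip_address",
    "pattern=%2Fip_address%2Fe&ipaddress=10.10.10.1&text=remote+ip_address",
    "pattern=%23ip_address%23ie&ipaddress=10.10.10.1&text=remote+ip_address",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(eval_modifier_params(body) or "clean", "<-", body)
```

This is a heuristic: a value such as a file path ending in `/e` also parses as a delimited pattern, so hits need review. The durable fix is for the application never to take the pattern from the request at all.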

I got the reverse shell as www-data. I found that there is a cronjob executed by root every minute.

It executes logcleared.sh, so I made logcleared.sh a reverse shell script. A minute later, I got the shell as root.