From the nmap scan, the SSH and HTTP services are open.

This is the web page.

We cannot register as admin since the username has already been taken.

After we log in, the cookie caught my attention. I modified it a bit, and it gave me "Invalid padding". It can be vulnerable to a padding oracle attack.

I use padbuster to create a cookie for user=admin.

Paste the cookie in, and we are admin. There is an SSH key named mysshkeywithnamemitsos that can be downloaded.

Connect over SSH with this key; there is a SUID binary named backup.

I use Ghidra to decompile it; it is running cat /etc/shadow.

I add my home directory to the beginning of PATH and create a script called cat that spawns sh. So, when I run ./backup again, I get a shell as root.
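Why the PATH change matters and how a privileged helper avoids it, as an added example (not code from the box or from this write-up). It assumes backup resolves the bare name cat through the inherited PATH; run_cat, run_with_decoy_first and the decoy script that exits 42 are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run `cat <file>` in a child and return its exit status.
 * hardened == 0: bare name resolved through the inherited PATH (assumed legacy behaviour).
 * hardened == 1: absolute path plus a fixed, minimal environment. */
int run_cat(const char *file, int hardened) {
    char *const argv[] = { "cat", (char *)file, NULL };
    char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (hardened) execve("/bin/cat", argv, clean_env);
        else execvp("cat", argv);            /* PATH lookup, as a shell would do */
        _exit(127);                          /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed scenario: a decoy "cat" that exits 42 sits in the first PATH directory. */
int run_with_decoy_first(int hardened) {
    char dir[] = "/tmp/pathdemoXXXXXX", decoy[64], path[4096];
    const char *cur = getenv("PATH");
    char *saved = strdup(cur ? cur : "/usr/bin:/bin");
    if (!saved || !mkdtemp(dir)) { free(saved); return -1; }
    snprintf(decoy, sizeof decoy, "%s/cat", dir);
    FILE *f = fopen(decoy, "w");
    if (f) { fputs("#!/bin/sh\nexit 42\n", f); fclose(f); chmod(decoy, 0755); }
    snprintf(path, sizeof path, "%s:%s", dir, saved);
    setenv("PATH", path, 1);
    int rc = run_cat("/dev/null", hardened);
    setenv("PATH", saved, 1);                /* restore PATH and clean up */
    unlink(decoy); rmdir(dir); free(saved);
    return rc;
}

int main(void) {
    printf("bare name via PATH: exit %d\n", run_with_decoy_first(0));
    printf("absolute path, clean env: exit %d\n", run_with_decoy_first(1));
    return 0;
}
```

An exit status of 42 means the decoy ran instead of the system cat; the hardened call returns 0 because it never consults the caller's PATH.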