The nmap scan shows that SSH and HTTP services are open.
This is the web page.
We cannot register as admin since the username has already been taken.
After we log in, the cookie caught my attention. I modified it a bit, and it gave me Invalid padding. It can be vulnerable to a padding oracle attack.
I use padbuster to create a cookie for
Paste the cookie in, and we are admin. There is an SSH key named mysshkeywithnamemitsos that can be downloaded.
After connecting over SSH with this key, there is a SUID binary
I use Ghidra to decompile it; it is running
I add my home directory to the beginning of PATH, and create a script to spawn cat. So, when I run ./backup again, I can get the shell as root.
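The root cause of the last step, shown as an added example (not code from this write-up or from the box's binary): a privileged helper that resolves cat through the caller's PATH, next to a form that uses an absolute path and a fixed environment. The use of system(), the paths /bin/cat and /dev/null, and all function names are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Environment handed to the child; never inherited from the caller. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Weak form (assumed): system() runs "sh -c", and the shell looks up
 * "cat" in whatever PATH the invoking user supplied. */
int run_weak(void) {
    int status = system("cat /dev/null");
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* Hardened form: absolute path, explicit argv, fixed environment, no shell.
 * Returns the child's exit status, or -1 on error or a non-absolute path. */
int run_fixed(const char *abs_path, char *const argv[]) {
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                      /* refuse anything needing a PATH lookup */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, CLEAN_ENV);
        _exit(127);                     /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char *argv[] = { "cat", "/dev/null", NULL };
    /* Constructed stand-in for a caller-controlled PATH. */
    setenv("PATH", "/nonexistent", 1);
    printf("weak  (PATH lookup): exit %d\n", run_weak());
    printf("fixed (/bin/cat):    exit %d\n", run_fixed("/bin/cat", argv));
    return 0;
}
```

The weak form's result changes with the caller's PATH, while the fixed form always runs the same program. For auditing, any SUID binary whose decompiled code passes a bare command name to a shell deserves the same review.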