So in this box here is our initial nmap scan →

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/b8a85997-566c-4a45-a102-5c9df178ad6b/Untitled.png

So the port 22 and 80 is open for us to exploit and now that we know that we did a little directory busting but didnt really find anything intresting .

It just has this thing on the site and the source code there is an intresting comment saying

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/8a8db320-e065-40b8-a227-47a0295fc121/Untitled.png

which says something like that -

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/53818e57-1f5b-4076-9ccd-502fbda9b07e/Untitled.png

and now a quick google search with this and the admin of this machine we find a tweet that was made by using this exact text and that talks about web shells and links to a github.

https://github.com/TheBinitGhimire/Web-Shells

We try basically all of the listed names of these web shells and see if there is a possibility of it working and yes we find out that smevk.php works and then in there we use the code injection tab to put our php reverse shell and use netcat to listen on 1234 port and catch the session and then sudo -l to see if we can get to root but it tells us the only thing we can do is execute lua file.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/655b1759-4637-4417-adca-b6e8d7249aeb/Untitled.png

And also usr/webadmin has a file which says there a file we can execute and test out which makes us think hmm can we execute a file called the same name in this case and you can also see .bash_history file and then what we do is basically create privesc.lua file and then add the following comment

echo 'os.execute("/bin/sh")' > privesc.lua

and then we execute this file and we get the shell of sysadmin and we can then traverse towards our user.txt file and get the user flag.