First nmap scan

All we have is an open web port and an ssh port.
Visited the page

We have an idea of what is running based on what we see at the bottom of the page

Did a quick search on searchor and found this version was out of date! There is an exploit available that actually fits perfectly with this box. It was made by Crypt0Ninja and is available on github! I had to modify the path to my python binary a little but after that…

I used this remote code execution to send me back a shell


Foot hold complete!
Post-Foothold
I start by checking general environmental variables and find I can write to the $PATH folders


Didn’t get much from here but I did discover a hidden file in my home directory for git

the .git directory has a config file in it. A quick check shows…

That looks like it could be a password. I admittedly don’t understand much about github or git to know for sure, but that looks like it could be a password.
I flounder for a bit, visit the link and get not much but a username. I decide to try it on sudo for the svc accoutn I have and…

There is a script I can run as root
Since I have a password and ssh port is open I am going to try to login there to get a better shell. IT WORKS

List of available commands from that script

I mess around with the containers with no luck. Eventually I get to full-checkup and something interesting happens

It looks like it’s trying to establish a connection! Even better, the file is writeable

Modified the script to send me back a shell and…

pwned :)