Admirer taught me the basics of dirb and using proper wordlists. It also taught me that I am really bad at creating my own MySQL database (even for testing).
Like the other boxes, I ran AutoRecon:
The main thing that stood out was that port 80 was open.
I ran DirBuster with the
The contacts turned out to be useless but I highlighted the Admin address for my notes.
The credentials.txt gave me the access I needed to the FTP.
I logged into the FTP Account first. I pulled the html.tar.gz file:
An export of the entire website including a utility-scripts directory.
This pointed me to the utility-scripts directory. I ran DirBuster again while checking the files within the FTP. The PHPInfo page alongside the comment was enough to point me in the right direction. A short Google search later took me to the Adminer login page.
Adminer mentioned in PHPInfo.
Open Source alternative mentioned.
Me finally getting the proper database dump syntax.
Waldo credentials from database dump.
After this, I logged in using SSH with the Waldo credentials. LinPEAS showed me that backup.py was being run by root/admins.
Backup.py showed me a Python script running.
admin_tasks.sh showed that the backup_web task was referencing the python script.
After a lot of bad ideas I finally found https://rastating.github.io/privilege-escalation-via-python-library-hijacking/. I created a directory and file in the tmp directory called
I set up an nc listener bound to port 4444. After spelling tmp as temp a few times, I finally got the reverse shell to work as intended.
Running the script to load my fake shutil.py
I got my session as root and grabbed the flag.
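Why that last step works, and what an administrator would check for: Python resolves `import` by walking its search path in order, so a root-run script whose path includes a directory an ordinary user can write to will load that user's same-named file before the real library. The audit below is an added example, not code from this write-up or from the linked post; the `scratch` and `lib` directories and the `helper` module are constructed stand-ins.

```python
import os
import stat
import tempfile


def writable_by_others(path: str) -> bool:
    """True if group or other may create files in `path` (/tmp-style directories)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_search_path(entries, trusted_uids=(0,)):
    """Return (entry, reason) for each search-path entry an unprivileged user could plant a module in.

    Risky: the directory is missing (whoever can create it controls it),
    owned by an untrusted uid, or writable by group/other.
    """
    risky = []
    for entry in entries:
        if not os.path.isdir(entry):
            risky.append((entry, "missing"))
        elif os.stat(entry).st_uid not in trusted_uids:
            risky.append((entry, "untrusted owner"))
        elif writable_by_others(entry):
            risky.append((entry, "writable by others"))
    return risky


def resolve_module(name, entries):
    """Mimic import search order: the first entry holding name.py or name/__init__.py wins."""
    for entry in entries:
        for candidate in (os.path.join(entry, name + ".py"),
                          os.path.join(entry, name, "__init__.py")):
            if os.path.isfile(candidate):
                return candidate
    return None


def demo():
    """Constructed layout: a world-writable dir listed ahead of a properly owned library dir."""
    with tempfile.TemporaryDirectory() as root:
        scratch = os.path.join(root, "scratch")   # stand-in for a /tmp-like directory
        libdir = os.path.join(root, "lib")        # stand-in for the trusted library directory
        os.mkdir(scratch); os.chmod(scratch, 0o1777)
        os.mkdir(libdir); os.chmod(libdir, 0o755)
        with open(os.path.join(libdir, "helper.py"), "w") as f:
            f.write("# constructed: the legitimate module\n")
        with open(os.path.join(scratch, "helper.py"), "w") as f:
            f.write("# constructed: same-named file earlier on the path\n")
        path = [scratch, libdir]                  # the risky order a privileged script might run with
        return {
            "risky": audit_search_path(path, trusted_uids={os.getuid()}),
            "resolved_in_scratch": resolve_module("helper", path).startswith(scratch),
            "resolved_after_fix": resolve_module("helper", [libdir]).startswith(libdir),
        }
```

The fix the last key models is dropping the writable entry from the path, e.g. running privileged scripts from a root-owned directory with `python3 -I` so neither the script's directory nor user environment variables get onto `sys.path`.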