Introduction
Admirer taught me the basics of dirb and of using proper wordlists. It also taught me that I am really bad at creating my own MySQL database (even for testing).
Like the other boxes, I ran AutoRecon:
The main thing that stood out was that port 80 was open.
I ran DirBuster with the /usr/share/dirb/wordlists/big.txt wordlist.

The contacts turned out to be useless but I highlighted the Admin address for my notes.

The credentials.txt gave me the access I needed to the FTP.
I logged into the FTP Account first. I pulled the html.tar.gz file:

An export of the entire website including a utility-scripts directory.
This pointed me to the utility-scripts directory. I ran DirBuster again while checking the files within the FTP. The PHP Info page alongside the comment was enough to point me in the right direction. A short Google later took me to the Adminer login page.

Adminer mentioned in PHPInfo.

Open Source alternative mentioned.
I ran through this guide here – https://medium.com/bugbountywriteup/adminer-script-results-to-pwning-server-private-bug-bounty-program-fe6d8a43fe6f and after (multiple) attempts I connected to the GUI using my local MySQL.

Me finally getting the proper database dump syntax.

Waldo credentials from database dump.
After this, I logged in over SSH with the Waldo credentials. LinPEAS showed me that backup.py was being run by root/admins.


Backup.py showed me a Python script running.

admin_tasks.sh showed that the backup_web task was referencing the python script.
After a lot of bad ideas I finally found https://rastating.github.io/privilege-escalation-via-python-library-hijacking/. I created a directory and file in the tmp directory called fake/shutil.py.
I set up an nc listener bound to port 4444. After misspelling tmp as temp a few times, I finally got the reverse shell to work as intended.

Running the script to load my fake shutil.py
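The hijack works because Python resolves `import shutil` by walking `sys.path` in order, and the script's own directory (or any PYTHONPATH entry) sits ahead of the standard library. The check below is my own added example, not code from the original writeup or from the box: it performs the same path search the interpreter would and flags a standard-library name that would load from outside the interpreter's stdlib tree. The `demo` scenario, which drops an empty `shutil.py` into a temporary directory, is constructed.

```python
"""Added example: detect a standard-library module name that would be
satisfied by a file outside the interpreter's own stdlib directory."""
import importlib.machinery
import os
import sys
import sysconfig
import tempfile
from typing import List, Optional, Tuple

# Directory that holds the interpreter's pure-Python stdlib (e.g. shutil.py).
STDLIB = os.path.realpath(sysconfig.get_paths()["stdlib"])


def resolve_origin(name: str, search_path: Optional[List[str]] = None) -> Optional[str]:
    """Return the file `import name` would load from right now.

    PathFinder performs a fresh search of the given path (sys.path when None)
    instead of consulting sys.modules, so a module that was already imported
    does not mask a shadowing file that appeared on the path later.
    Built-in and frozen modules have no file and yield None.
    """
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    if spec is None or spec.origin in (None, "built-in", "frozen"):
        return None
    return os.path.realpath(spec.origin)


def is_shadowed(name: str, search_path: Optional[List[str]] = None) -> bool:
    """True when a stdlib name resolves to a file outside the stdlib tree."""
    origin = resolve_origin(name, search_path)
    if origin is None:
        return False
    return not origin.startswith(STDLIB + os.sep)


def audit(names: List[str], search_path: Optional[List[str]] = None) -> List[str]:
    """Return the subset of stdlib names that would be shadowed on this path."""
    return [n for n in names if is_shadowed(n, search_path)]


def demo() -> Tuple[bool, bool]:
    """Constructed scenario: an empty shutil.py placed first on the search
    path, the way a writable script directory or PYTHONPATH entry would be.
    The fake module is never imported; only resolution is inspected."""
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "shutil.py"), "w").close()
        before = is_shadowed("shutil")                 # normal sys.path
        after = is_shadowed("shutil", [tmp] + sys.path)  # poisoned path
    return before, after


if __name__ == "__main__":
    print("shutil shadowed (clean, poisoned):", demo())
    print("audit of backup-style imports:", audit(["shutil", "os", "subprocess"]))
```

A script run by root (as backup.py was here) can be protected from this class of problem by invoking it with `python3 -I`, which ignores PYTHONPATH and drops the script's directory from `sys.path`, and by keeping the script and its directory unwritable by unprivileged users; sudo's default `env_reset` likewise strips PYTHONPATH from the environment.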

I got my session as root and grabbed the flag.