Recon

The target is a Linux machine at 10.10.10.191. Nmap shows that port 80 is the only open port. Running Dirbuster against the target finds:

  1. login panel (/admin)
  2. todos (to-do.txt)
  3. other content pages

The login page can be brute-forced with a crafted wordlist, using the username “furges” from the to-do file and a wordlist built from the web page.

www-data

After obtaining the web login information, a Bludit Metasploit module can be used to obtain a www-data shell.

user

Examine the web server source code; the password hash for the normal user is there. Crack the hash with any online tool or jack. A simple su command can then be used to obtain user.

root

User to root is an exploit I had never heard of before. A sudo -l command shows the privileges for the user, and further exploits can be found here