Recon
The target is a Linux machine with IP 10.10.10.191. Nmap shows that port 80 is the only open port. Dirbuster against the target finds:
- login panel (/admin)
- todos (to-do.txt)
- other content pages
The login page can be brute-forced with a crafted wordlist: the username “furges” comes from to-do.txt, and the wordlist is built from the web page content.
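Seen from the defender's side, the brute-force step above appears in the web server access log as a burst of POSTs to the login path from one address. The following is an added example, not part of the original write-up, that flags such bursts; the log lines are constructed, and the combined log format, path prefix, window and threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_login_bursts(lines, login_prefix="/admin", window_s=60, threshold=5):
    """Return {ip: time the threshold was first crossed} for POST bursts to the login path."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)    # ip -> timestamps of POSTs still inside the window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue               # skip malformed lines instead of failing mid-log
        if m["method"] != "POST" or not m["path"].startswith(login_prefix):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

def _line(ip, sec, method="POST", path="/admin/", status=200):
    # Constructed sample line in combined log format (not taken from a real server).
    ts = (datetime(2020, 6, 1, 12, 0, 0) + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "sample-agent"'

SAMPLE_LOG = (
    [_line("198.51.100.7", s) for s in range(0, 20, 2)]           # 10 POSTs in 20 s
    + [_line("203.0.113.5", s) for s in (0, 90, 200)]             # occasional logins
    + [_line("203.0.113.9", s, method="GET") for s in range(10)]  # page views only
    + ["garbage line"]
)

if __name__ == "__main__":
    for ip, when in find_login_bursts(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}, threshold crossed at {when.isoformat()}")
```

Pair a detection like this with rate limiting or lockout on the login endpoint, since alerting alone does not stop the guessing.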
www-data
After obtaining the web login credentials, a Bludit Metasploit module can be used to obtain a www-data shell.
user
Examine the web server source code; the password hash for the normal user is there. Dehash it with any online tool or jack. A simple su command can then be used to obtain user.
root
User to root is an exploit I had never heard of before. A sudo -l command shows the privileges for the user, and further exploits can be found here