Coming back to HTB and practice pentest skill :D. The machine Academy is still active so only the brief ideas are listed here.

Recon

Nmap and identify the only open port 80. Set domain name properly to access the content. Use dirbuster to fuzz web pages.

Initial Access

Two webpages appears to be pretty interesting: /admin.php and /login.php. Reading the source code of registration page it is easy to register for an admin access user.

Users

Set domain name again based on admin page contents. Read the error message and identify the vulnerable web service that the target website is using; I read up a bit about “VHOST” and use msf to gain initial access

Spawn tty (python3) -> check local files -> get password for the first user, use su to login -> check local files gain -> find an interesting folder called “audit” -> read up and get password for the second user, use su to login.

Root

Root is pretty easy and standard. Just LinEnum and GTFOBins