->Admirer




User part :

-> Run nmap scan





-> We can see open port 21,22,80. port 80 is available so go to the website





-> let's check robots.txt file and i found 'admin-dir' folder





-> going to that folder got permission denied





-> So let's check for directories and files using ffuf and i found 2 files





-> check what are in that files





-> I found a ftp user and password so i opened filezilla with ftp credentials and downloaded that 2 files





-> In that file i found a database username and password , i tried in ssh but password is wrong





-> Then i dive into deep, and found a file called db_admin.php with credentials and i tried with that password. that also wrong





-> Then i went to info.php , which shows phpinfo and i found the header with adminer cookie





-> Then i searched for adminer and it's installation part





-> From that i found the 'adminer.php' file is the login page of adminer





-> In that i got the verion and i searched for exploits, i got a bugbounty writeup





-> Then i read that blog and iam trying with this method





-> for that i need to install adminer in my system also, i done with that





-> in the attack scenario you can see ,i need to login to my adminer from the webserver adminer





-> I log-in and created a table and column as 'test',beacouse above attack scenario they insert data to 'test.test'





-> I tried with '/etc/passwd' but it was restricted access to that folder





-> Then i tried for 'index.php' but the file was not found





-> Then i tried '../index.php' and got success





-> I went to the table and found a username and password





-> Tried in ssh and got shell and 'user.txt'





Root Part :



-> I searched for available command which i can execute with all privileges and i found a file





-> In that file all files having access denied except '/opt/scripts/backup.py'





-> In the python program it is importing 'shutil' file operation





-> Then i searched for changing python environment path and i found i can chage with the help of PYTHONPATH





-> Then i created a folder in tmp folder and 'shutil.py' file, in that file i wrote to read 'root.txt'





-> And when i run the file i got root.txt