-> Archangel




User part:



-> Run an Nmap scan.





-> Ports 22 (SSH) and 80 (HTTP) are open, so I opened the website. As shown in the picture, the page reveals the hostname.





-> So let's add this hostname to our /etc/hosts.





-> Browsing to the hostname, you can see that the site is under development.





-> I checked robots.txt and it revealed a file.





-> I opened that file in the browser; there is a button on the page.





-> I clicked that button and, as you can see, the webpage is reading internal files, so I tested it with LFI payloads.





-> My first payload did not succeed.





-> My second payload succeeded.





-> After reading this blog, I found the log file to use for further exploitation.





-> I opened that log file through the LFI in the browser and it was readable.





-> For the next step of exploitation I want to add this PHP code to the log file (log poisoning).
That way, whenever the log file is included through the LFI, the PHP code is executed as well.
Remember: this is a log file. Every request you send is appended to it and you cannot remove a bad line, so if you inject broken PHP (a syntax error, for example) the include will fail from then on and the file is useless for this attack. Send the payload once, and be careful.





-> Now I read the log file again through the LFI and triggered the PHP code, and it worked.





-> To get a shell I used this command.





-> I got a reverse shell by sending the request through Burp Suite.
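What the LFI plus log-poisoning chain above leaves behind on the server, and a quick check a defender (or a careful tester) can run over the access log. This is an added example written for this page, not code from the original writeup: the log lines, IPs, the "view" parameter name and the Apache log path are all constructed for the demo and are not taken from the target.

```shell
#!/bin/sh
# Added example: constructed Apache combined-format log lines that mimic the
# traces of an LFI probe, a log-poisoning request and the final RCE call.
# Everything here (IPs, parameter name, log path) is an assumption for the demo.
SAMPLE_LOG=$(cat <<'EOF'
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /test.php?view=../../../../etc/passwd HTTP/1.1" 200 62 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /test.php?view=....//....//....//etc/passwd HTTP/1.1" 200 1804 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:15 +0000] "GET / HTTP/1.1" 200 100 "-" "<?php system($_GET['cmd']); ?>"
10.0.0.9 - - [01/Jan/2024:10:00:20 +0000] "GET /test.php?view=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9000 "-" "curl/7.88.1"
EOF
)

# Requests whose query string carries a traversal sequence (plain or URL-encoded,
# including the "....//" form that survives a single "../" strip) or a read of a
# sensitive path such as the log file that is later included.
flag_lfi_requests() {
  printf '%s\n' "$SAMPLE_LOG" | grep -E \
    '"(GET|POST) [^" ]*[?][^" ]*(\.\./|\.\.%2[fF]|%2[eE]%2[eE]|/etc/passwd|/var/log/|/proc/self/|php://)'
}

# Requests whose User-Agent (the last quoted field) contains a PHP open tag.
# One such line is the poisoning request itself: after it, every include of
# the log executes that code.
flag_poisoned_user_agents() {
  printf '%s\n' "$SAMPLE_LOG" | grep -E '<[?](php|=)?[^"]*"$'
}

# Count helpers so the result can be checked rather than only printed.
count_lfi_requests() { flag_lfi_requests | grep -c .; }
count_poisoned_user_agents() { flag_poisoned_user_agents | grep -c .; }
```

Against the sample, `count_lfi_requests` reports 3 (both traversal probes and the include of the log file) and `count_poisoned_user_agents` reports 1. On a real host, pipe the live log into the same patterns instead of `$SAMPLE_LOG`; the User-Agent check in particular is cheap and has almost no legitimate matches.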





-> Then I uploaded linpeas from my local machine and ran it.





-> The files listed below are writable files owned by me; the /opt/helloworld.sh file looks strange.





-> I added reverse shell code to that file and waited about a minute; I got a shell back and could read the user flag.





Root part:



-> For further enumeration I uploaded linpeas and ran it.





-> In the image below, I have the privilege to execute the backup file.





-> I downloaded it and checked its strings; as you can see, it executes the 'cp' command, and it calls it by name rather than by an absolute path, which is what makes the next step possible.





-> I created a fake cp file in /tmp/ and made it executable, then prepended /tmp/ to the PATH variable,
so that when the backup file runs, it looks for the cp command in /tmp/ first.
I put a reverse shell command in that cp file, got a shell back, and now I am root.
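To see why the PATH trick works, and why an absolute path defeats it, here is an added example (mine, not from the writeup) that rebuilds the situation with throwaway scripts in a temporary directory. The stand-in "backup" script, its hardened twin and the fake cp are all constructed for the demo; none of them model the target's real binary, and the fake cp only drops a marker file where an attacker would put a reverse shell.

```shell
#!/bin/sh
# Added example: reproduce the PATH hijack locally. Every path here is created
# inside a temp directory; nothing touches the real system or a real target.
run_path_hijack_demo() {
  work=$(mktemp -d)
  mkdir "$work/fake"
  echo "source data" > "$work/src"

  # Stand-in for the backup program: calls cp by name, so the PATH lookup
  # decides which cp runs (the same defect the strings output above shows).
  printf '#!/bin/sh\ncp "%s/src" "%s/src.bak"\n' "$work" "$work" > "$work/backup_unqualified"
  # Hardened variant: absolute path, so PATH is irrelevant.
  printf '#!/bin/sh\n/bin/cp "%s/src" "%s/src.bak"\n' "$work" "$work" > "$work/backup_absolute"

  # Attacker-controlled cp in a writable directory (stand-in for /tmp/cp).
  # A real attacker would place a reverse shell here; we only leave a marker.
  printf '#!/bin/sh\necho HIJACKED > "%s/marker"\n' "$work" > "$work/fake/cp"
  chmod +x "$work/backup_unqualified" "$work/backup_absolute" "$work/fake/cp"

  # Prepend the writable directory to PATH, exactly as in the writeup, and run
  # the unqualified version: the fake cp wins the lookup.
  PATH="$work/fake:$PATH" "$work/backup_unqualified"
  if [ -f "$work/marker" ]; then unqualified=hijacked; else unqualified=safe; fi
  rm -f "$work/marker"

  # Same poisoned PATH, hardened version: /bin/cp runs regardless of PATH.
  PATH="$work/fake:$PATH" "$work/backup_absolute"
  if [ -f "$work/marker" ]; then absolute=hijacked; else absolute=safe; fi

  rm -rf "$work"
  echo "unqualified=$unqualified absolute=$absolute"
}
```

Running `run_path_hijack_demo` prints `unqualified=hijacked absolute=safe`. The fix on the defending side is the one the hardened script shows: SUID or privileged helpers must invoke tools by absolute path (or reset PATH themselves before calling anything), because the caller controls the environment they inherit.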