User part :

-> Run Nmap Scan

-> port 22,80 are open, so i opened website. As mentioned in the picture ,you can see the hostname.

-> so lets add this to our /etc/hosts

-> browse the hostname , you can see under development

-> i checked robots.txt and got a file

-> i opened that file in browser and a button is there

-> i clicked that button , you can see the webpage is reading internal files . So i checked with LFI payloads

-> My first payload was not success

-> My second payload was success

-> After reading this blog i got this log file for further exploitation

-> i opened that log file in browser and got success

-> For my next step of exploitation i want to add this php code to the log file.
By that , whenever i read log file, this php code can also be executed.
Remember: this is log file, if you make any mistake/damage it won't work anymore, so be careful

-> now i tried to read the log file and tried php code for exploitation, and i got success

-> For getting shell i used this command

-> I got reverse shell using the burpsuite

-> Then i uploaded linpeas from my local machine, and i run it

-> The below mentioned files shows writable files owned by me, the /opt/helloworld.sh file is weired

-> i added reverse shell code to that file and wait for 1 min, i got shell back and can read user flag

Root Part:

-> for further checking i uploaded linpeas and i run it

-> In the Below image , i have the priviliage to executable backup file

-> i downloaded and checked for strings, as you can see 'cp' command is executing

-> i made a cp file in '/tmp/' and made it as executable. then i added /tmp/ path in PATH variable,
so when we execute that backup file,first time it checks for cp command in '/tmp/'.
By this i added reverse shell command to cp file and got shell back and now iam root