User part:
-> Run an Nmap scan
-> Ports 22 and 80 are open, so I opened the website. As shown in the picture, you can see the hostname.
-> So let's add this to our /etc/hosts
-> Browse to the hostname; you can see it is under development
-> I checked robots.txt and got a file
-> I opened that file in the browser and there is a button
-> I clicked that button; you can see the webpage is reading internal files. So I checked with LFI payloads
-> My first payload was not successful
-> My second payload was successful
-> After reading this blog I got this log file for further exploitation
-> I opened that log file in the browser and got success
-> For my next step of exploitation I want to add this PHP code to the log file.
That way, whenever I read the log file, this PHP code is also executed.
Remember: this is a log file; if you make any mistake or damage it, it won't work anymore, so be careful
-> Now I tried to read the log file and tried the PHP code for exploitation, and I got success
-> To get a shell I used this command
-> I got a reverse shell using Burp Suite
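Added example, not from the original writeup: a small Python detector for the LFI-to-log-poisoning chain above, run over constructed Apache-style access-log lines. It flags traversal in the request, inclusion of a log file, and PHP tags smuggled into the User-Agent, then correlates them per source IP so the full chain (poison, then include) stands out.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Apache combined format); the IPs and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2023:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2023:10:01:09 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1810 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2023:10:01:15 +0000] "GET / HTTP/1.1" 200 120 "-" "<?php echo 'poisoned'; ?>"
10.0.0.9 - - [12/Mar/2023:10:01:20 +0000] "GET /index.php?page=..%2F..%2F..%2Fvar%2Flog%2Fapache2%2Faccess.log HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')                       # ../ or ..\ in the request
LOG_TARGET_RE = re.compile(r'/var/log/|access\.log|error\.log|auth\.log', re.I)
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.I)                     # PHP open tag in a logged header


def classify(line):
    """Return (ip, [findings]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so single- and double-URL-encoded traversal is both caught.
    req = unquote(unquote(m.group('req')))
    findings = []
    if TRAVERSAL_RE.search(req):
        findings.append('lfi_traversal')
    if LOG_TARGET_RE.search(req):
        findings.append('log_file_include')
    # Referer and User-Agent are written verbatim into the log, so tags there are the poison.
    if PHP_TAG_RE.search(unquote(m.group('ua'))) or PHP_TAG_RE.search(unquote(m.group('ref'))):
        findings.append('log_poisoning')
    return m.group('ip'), findings


def scan(text):
    """Return [(ip, findings)] for every line that triggers at least one rule."""
    hits = [classify(line) for line in text.splitlines()]
    return [h for h in hits if h and h[1]]


def chained_sources(hits):
    """IPs that both poisoned the log and then included a log file: the complete chain."""
    by_ip = {}
    for ip, findings in hits:
        by_ip.setdefault(ip, set()).update(findings)
    return sorted(ip for ip, f in by_ip.items() if {'log_poisoning', 'log_file_include'} <= f)
```

In practice the same rules apply to the error log too, since a request for a missing file lands the User-Agent there as well.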
-> Then I uploaded linpeas from my local machine and ran it
-> The files listed below are writable files owned by me; the /opt/helloworld.sh file is weird
-> I added reverse shell code to that file and waited for 1 minute; I got a shell back and could read the user flag
-> For further checking I uploaded linpeas and ran it
-> In the image below, I have the privilege to execute the backup file
-> I downloaded it and checked the strings; as you can see, the 'cp' command is executed
-> I made a cp file in '/tmp/' and made it executable. Then I added the /tmp/ path to the PATH variable,
so when we execute that backup file, it looks for the cp command in '/tmp/' first.
By this I added a reverse shell command to the cp file, got a shell back, and now I am root