1->Run an Nmap scan; we can see that ports 80 and 22 are open.
2->Go to the website; we can see a login page and a signup page.
3->Reading the page source, we can see that the 'name' field must not be more than 10 characters
and the email field must not be more than 20 characters (this limit is enforced in the page's client-side code).
4->Create a test account and log in to the site; the home page is shown below.
5->While enumerating the website we found the admin's email ID.
6->Run dirsearch to find directories; we found 3 directories.
7->Going to the 'admin' directory we can see another web login page.
8->Now the idea: can we create a new account using the admin's email (firstname.lastname@example.org) and log in through the admin page?
We know the email field must be at most 20 characters, but that limit is only checked in the browser.
So run Burp Suite, intercept the signup request, put 20 spaces after email@example.com followed by some other characters, and forward the request. The application's duplicate check runs on the full, untruncated string and finds no match, but the database column only keeps the first 20 characters, so the stored address ends up equal to the admin's (trailing spaces are ignored when the column is compared).
9->Now the login page from the home directory is this.
10->I tried to log in with the credentials we just created, using firstname.lastname@example.org as the email,
and I got admin privileges on the website.
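As an added illustration of why step 8 works (this is a simulation written for this write-up, not code from the target or from the original author), the snippet below models a signup/login flow backed by a 20-character email column. It assumes the database silently truncates over-long values on INSERT (MySQL in non-strict mode) and ignores trailing spaces when comparing strings (a PAD SPACE collation); the addresses, passwords and column width are constructed for the example. The hardened class at the end shows the server-side check that stops it.

```python
"""Simulation of the SQL truncation trick used to register as the admin.

Assumptions (not verified against the target): VARCHAR(20) email column,
MySQL non-strict mode (silent truncation on INSERT) and PAD SPACE
comparison (trailing spaces ignored). All values below are constructed.
"""

EMAIL_WIDTH = 20                     # assumed width of the email column
ADMIN_EMAIL = "admin@example.org"    # constructed admin address, 17 chars


def db_store(value: str, width: int) -> str:
    """What the database keeps on INSERT: silent truncation to the column width."""
    return value[:width]


def db_equal(a: str, b: str) -> bool:
    """PAD SPACE comparison: trailing spaces are not significant."""
    return a.rstrip(" ") == b.rstrip(" ")


def craft_padded_email(target: str) -> str:
    """Attacker input as in the write-up: the admin address, 20 spaces, then junk.

    The junk makes the raw string differ from the stored admin row, so the
    application-level duplicate check passes; truncation then throws the
    junk away and leaves the admin address (plus trailing spaces) in the row.
    """
    return target + " " * 20 + "x"


class Users:
    """Vulnerable flow: duplicate check on raw input, truncation on store."""

    def __init__(self):
        self.rows = []  # (email as stored, password)

    def register(self, email: str, password: str) -> bool:
        if any(db_equal(row_email, email) for row_email, _ in self.rows):
            return False                      # "email already taken"
        self.rows.append((db_store(email, EMAIL_WIDTH), password))
        return True

    def login(self, email: str, password: str):
        """Return the stored email of the first row matching email AND password."""
        for row_email, row_pw in self.rows:
            if db_equal(row_email, email) and row_pw == password:
                return row_email
        return None


class HardenedUsers(Users):
    """Fix: validate length server-side against the real column width and
    refuse leading/trailing whitespace, so what is checked is what is stored."""

    def register(self, email: str, password: str) -> bool:
        if len(email) > EMAIL_WIDTH or email != email.strip():
            return False
        return super().register(email, password)


def demo() -> dict:
    vuln = Users()
    vuln.register(ADMIN_EMAIL, "real-admin-password")
    attacker_email = craft_padded_email(ADMIN_EMAIL)
    registered = vuln.register(attacker_email, "attacker-password")
    # Log in with the admin's address and the attacker's password.
    admin_row = vuln.login(ADMIN_EMAIL, "attacker-password")

    safe = HardenedUsers()
    safe.register(ADMIN_EMAIL, "real-admin-password")
    blocked = not safe.register(attacker_email, "attacker-password")

    return {
        "registered": registered,
        "stored_as": vuln.rows[-1][0],        # admin address + 3 spaces
        "admin_login": admin_row is not None,
        "hardened_blocks": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The same trick fails if the application compares the duplicate check against exactly the value the column will store, or if the database runs in strict mode and rejects the over-long INSERT instead of trimming it.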
11->Now go to Collections; we can see the collections uploaded by the customers.
12->To get a file the upload accepts as a PDF, I took an image file and changed its magic number (the header bytes) to that of a PDF.
->Then I searched for how to read local files through a PDF, and found an article describing it.
13->I uploaded the file, typed the code from the blog into the name field, and opened the entry from the admin page.
14->Then I opened the generated PDF and got the /etc/passwd file; we can see that a 'reader' user exists on the system.
15->Now I changed '/etc/passwd' in the payload to '/home/reader/.ssh/id_rsa'
and got the file, but unfortunately the output was corrupted because it was too large to render properly.
16->Then I changed the payload to show the output at a smaller size.
17->Now I got the output at a readable size, saved it to a file, and logged in as reader with it; I got a reader shell.
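A key copied out of a rendered PDF usually comes back with odd line breaks and stray spaces, which is why step 17 needs the output cleaned up before ssh will accept it. The helper below is added here and is not part of the original write-up: it strips everything that is not base64 between the BEGIN/END markers, re-wraps the body at OpenSSH's 70 columns and checks that the result decodes to data starting with the OpenSSH key magic, so a copy that lost characters is reported instead of silently written out. It assumes the key is in OpenSSH format; the sample key material is constructed and is not a real key.

```python
"""Rebuild an OpenSSH private key copied out of a rendered PDF.

Added helper, not from the original write-up. Assumes the OpenSSH key
format ("-----BEGIN OPENSSH PRIVATE KEY-----"). Sample data is constructed.
"""
import base64
import re
import textwrap

OPENSSH_MAGIC = b"openssh-key-v1\x00"          # first bytes of every OpenSSH key blob
HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
FOOTER = "-----END OPENSSH PRIVATE KEY-----"
_MARKERS = re.compile(
    r"BEGIN\s+OPENSSH\s+PRIVATE\s+KEY-+(.*?)-+END\s+OPENSSH\s+PRIVATE\s+KEY",
    re.S,
)


def rebuild_key(text: str, width: int = 70) -> str:
    """Return a clean key file, or raise ValueError if the copy is damaged."""
    m = _MARKERS.search(text)
    if not m:
        raise ValueError("no OpenSSH private key markers found")
    # Drop line breaks, spaces and any other non-base64 debris in the body.
    body = re.sub(r"[^A-Za-z0-9+/=]", "", m.group(1))
    # validate=True makes the decoder strict; binascii.Error is a ValueError.
    blob = base64.b64decode(body, validate=True)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("decoded data is not an OpenSSH key (copy is corrupt)")
    return "\n".join([HEADER, *textwrap.wrap(body, width), FOOTER]) + "\n"


def is_intact(text: str) -> bool:
    """True if rebuild_key() accepts the text, False if it is damaged."""
    try:
        rebuild_key(text)
        return True
    except ValueError:
        return False


def decoded_body(key_text: str) -> bytes:
    """Decode the base64 body of a cleaned key (used for verification)."""
    return base64.b64decode("".join(key_text.splitlines()[1:-1]))


def constructed_sample() -> str:
    """A fake key blob with the right magic, mangled the way a PDF copy is:
    re-wrapped at an odd width, spaces inside lines, blank lines between."""
    payload = OPENSSH_MAGIC + bytes(range(256)) * 2   # constructed, not a real key
    b64 = base64.b64encode(payload).decode()
    chunks = [b64[i:i + 37] for i in range(0, len(b64), 37)]
    mangled = "\n\n".join(c[:10] + " " + c[10:] for c in chunks)
    return f"{HEADER}\n{mangled}\n{FOOTER}\n"


if __name__ == "__main__":
    fixed = rebuild_key(constructed_sample())
    print(fixed)
    print("intact:", is_intact(constructed_sample()))
```

Write the result to a file with mode 0600 before using it with ssh -i; if the helper raises, the rendered copy dropped characters and the file has to be re-read at a smaller size rather than patched by hand.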
18->Now upload pspy64 to check the background processes.
19->We can see that logrotate is running.
20->Search GitHub for a logrotate exploit; we found one (logrotten).
21->Now upload the logrotten exploit to the server.
22->Put a reverse shell payload in a file and run logrotten with it.
Then append a line to '/backup/access.log' to trigger a rotation, and we get a shell. Now we can read root.txt.