

->TraceBack




Run an Nmap scan against the IP.





Go to the website; we can see the site has been pwned by Xh4H.





So we need to find out who Xh4H is. Google the name.
We can see a GitHub repository belonging to Xh4H. Go to the repository.





There are many repositories. We only need the PHP files that Xh4H used
for pwning the website, so I found the web-shell repository.





There are some PHP files; copy the file names to a file.







Run Dirsearch to get the directories which are available,
and we found that smevk.php is available.





Go to the link, and we can see a login page. The username and password are admin:admin;
we can see this in the smevk.php file in Xh4H's repository.





Now we are logged in. There is an option to upload files, so we can upload PHP files.





Search for a PHP reverse shell; we found one from pentestmonkey.





Upload the file and listen with netcat.





Now we have a reverse shell as webadmin.





Search for sudo commands that we can run without a password;
we found that luvit can be executed as sysadmin with sudo permission,
and we found that luvit is an executable and the file extension is lua.





Search GTFOBins for lua; we can get privilege escalation with the code given there.





Save that command to a file and execute it with the sudo permission of sysadmin;
we got the shell.





By running linpeas we can see the group-writable files.





By analyzing 00-header we can see it is the header page shown when logging in through SSH.





So we need to create an SSH key and add it to the .ssh directory; create the SSH key with ssh-keygen.





Add the files to the .ssh directory of webadmin: copy the content of id_rsa.pub,
paste it into authorized_keys, and upload all the files.





Now we can log in as webadmin with the id_rsa file, without a password.





Now add cat /root/root.txt to 00-header.





Now log in with id_rsa and we can get the root flag there.
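
A defender's check for the condition the last steps rely on, as an added example that is not part of the original write-up: scripts such as 00-header in /etc/update-motd.d are run as root by pam_motd at SSH login, so none of them should be writable by group or others. The function name audit_motd_dir and its output labels are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original write-up).
# audit_motd_dir DIR [OWNER]
#   Lists files and directories under DIR that are writable by group or
#   others, or not owned by OWNER (default: root).
#   Returns 0 when clean, 1 when there are findings, 2 on bad input.
audit_motd_dir() {
    dir=$1
    owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    findings=$(
        # Mode check: group-write (020) or other-write (002) bit set.
        find "$dir" \( -type f -o -type d \) \
            \( -perm -020 -o -perm -002 \) \
            -exec printf 'writable-by-group-or-other %s\n' {} \;
        # Ownership check: anything not owned by the expected account.
        find "$dir" \( -type f -o -type d \) ! -user "$owner" \
            -exec printf 'unexpected-owner %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run against a directory given on the command line, e.g.
#   sh audit_motd.sh /etc/update-motd.d
if [ -n "${1:-}" ]; then
    audit_motd_dir "$@"
fi
```

Any line it prints is a script or directory to fix with chown root:root and chmod 755 (or stricter) before the next login runs it.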