->TraceBack

Run Nmap Scan against the IP

Go to the website , we can see the site is pwned by Xh4H

So we need to find who is Xh4H, Google the name.
We can see a Github repository of Xh4H, Go to The Repository

There are many Repositories , We Only need php files which is used by
Xh4H for pwning the website, So i found web-shell repository

There are some php files, copy the file names to a file


Run Dirsearch to get the directories which are available ,
and we found smevk.php is available

Go to the Link , and we can see a login page . The Username and password are admin:admin ,
we can see it from smevk.php file which is in Xh4H's Repository

Now We LoggedIn ,There is a option to upload files, so we can upload php files

Search for php reverse shell and we found one from pentestmonkey

Upload the file and listen to netcat

Now We Got reverse Shell Of Webadmin

Search for sudo commands that we can run without password,
and we found luvit from sysadmin can execute with sudo permission,
and we found luvit is executable and the file extension is lua

search for GTFObins of lua and we can get priviliage escalation by the given code

Save that command to a file and execute with sudo permission of sysadmin,
we got the shell

By running linpeas we can see the Group writable files

By analyzing the 00-header we can see it is a Head page while login through ssh

So we need to create a ssh key and add that to the .ssh directory, create ssh key by ssh-keygen

Add the files to .ssh directory of webadmin, copy the content of id_rsa.pub
and paste it in authorized_keys and upload all files

Now we can login to webadmin with id_rsa file without password

Now add cat /root/root.txt to the 00-Header

Now login with id_rsa and we can get the root flag in there
