Find open ports (22, 80)
Foothold
Find a directory called /filemanager
Find and log in using default admin credentials for /filemanager
The page shows that eXtplorer is running. A Google search returns default admin credentials that work.
Access
Edit a PHP file to obtain a reverse shell
When we request the index page for port 80, we are redirected to /wp-admin/setup-config.php.
The eXtplorer app lets us access the file system.
We can edit the setup-config.php file to execute a reverse shell. I tried several PHP payloads but those using exec or system failed. This one worked, though.
Lateral move (www-data → dora)
Find a hash for the dora user
As www-data I can see the local.txt file is at /home/dora/ but I don’t have permissions to access it. I must find a way to obtain a shell as dora. Searching for dora in /var/www/html/, I find .htusers.php.
Crack the hash and switch to dora user
Identifying the hash type:
Find the corresponding Hashcat mode:
Cracking the hash:
Switching to dora user:
Obtain local.txt
Privilege Escalation
Find that dora is part of the disk group
Exploit the disk group privileges to get a root shell and obtain proof.txt
Using this guide, exploit the disk group to get read access to /root/proof.txt.
Find where / is mounted, then read /root/proof.txt (but after that, for completeness, read /etc/shadow and get the hash for root user).
Crack the root hash.
Switch to root user.
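A defensive check for the disk group membership used in the privilege escalation above, added here as an example and not part of the original writeup: it lists every account in the disk group, through either the group file or a primary GID. The function names and the constructed sample data (including the backup account with primary GID 6) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit who holds the "disk" group. On typical Linux systems
# its members can read raw block devices, bypassing file permissions.

# Print (sorted) every account in group "disk": supplementary members from
# the group file plus accounts whose primary GID in the passwd file matches.
disk_group_members() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    awk -F: '
        FNR == NR {                      # first file: group database
            if ($1 == "disk") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }   # second file: passwd
        END { for (u in seen) print u }
    ' "$group_file" "$passwd_file" | sort
}

# Print one finding per non-root member; return 1 if any exist, else 0.
audit_disk_group() {
    members=$(disk_group_members "$@" | grep -vx 'root' || true)
    [ -z "$members" ] && return 0
    for u in $members; do
        echo "FINDING: '$u' is in group disk (raw block device access)"
    done
    return 1
}

# Constructed sample data mirroring the writeup (dora in disk); the backup
# account with primary GID 6 is an assumption added to show that case.
write_sample() {
    printf '%s\n' 'root:x:0:' 'disk:x:6:dora' 'www-data:x:33:' > "$1/group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'dora:x:1000:1000::/home/dora:/bin/bash' \
        'backup:x:34:6::/var/backups:/usr/sbin/nologin' > "$1/passwd"
}
```

Calling `audit_disk_group` with no arguments checks the live /etc/group and /etc/passwd; a non-zero exit status means at least one non-root account should be removed from the group or justified.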