Find open ports (22, 8090, 8091)
Foothold
Find port 8090 is running Atlassian Confluence v7.13.6
Access
Find an exploit for v7.13.6 and obtain RCE
First I found this GitHub repo, which allowed me to execute some commands. However, I would have trouble executing commands with spaces…
…but found I could get round that by URL encoding the payloads.
Find a better exploit which obtains a reverse shell
I then found this GitHub repo which allowed a reverse shell to be obtained.
Obtain local.txt
Privilege Escalation
Find a cron job running a script we can edit
Linpeas identified a script in the /opt directory, which the user I controlled owned.
Pspy showed a cron job running which executed this script.
Edit the script to obtain a shell with root privileges
Editing the script:
This caused the SUID bit to be set on /bin/bash
Ran /bin/bash as root
Obtain proof.txt
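
From the defender's side, the escalation above depended on two conditions that can be audited: a script run by a root cron job that a non-root user could modify, and (after the fact) a setuid bit on /bin/bash. The script below is an added example, not part of the original writeup. Its function names are hypothetical, the extra shell paths /bin/sh and /bin/dash are assumptions beyond the page, and it assumes GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit files executed by
# privileged cron jobs, and check shells for an unexpected setuid bit.
# Function names are hypothetical. Assumes GNU stat (Linux).

# Succeeds (exit 0 = finding) if PATH is not owned by TRUSTED_UID or is
# writable by group/other. TRUSTED_UID defaults to 0 (root).
cron_target_is_editable() {
    path=$1
    trusted_uid=${2:-0}
    [ -e "$path" ] || return 1
    owner=$(stat -c '%u' "$path")
    mode=$(stat -c '%a' "$path")      # octal, e.g. 755 or 4755
    if [ "$owner" != "$trusted_uid" ]; then
        echo "FINDING: $path is owned by uid $owner, expected $trusted_uid"
        return 0
    fi
    # Write permission is set when an octal digit is 2, 3, 6 or 7.
    # Second-to-last digit = group, last digit = other.
    case $mode in
        *[2367]?|*[2367])
            echo "FINDING: $path is group/world-writable (mode $mode)"
            return 0 ;;
    esac
    return 1
}

# Succeeds if the setuid bit is set on the given file.
shell_has_suid() {
    [ -u "$1" ]
}

# Audit every path given on the command line, then the common shells.
run_audit() {
    for p in "$@"; do
        cron_target_is_editable "$p" || true
    done
    for s in /bin/bash /bin/sh /bin/dash; do
        if shell_has_suid "$s"; then
            echo "FINDING: setuid bit is set on $s"
        fi
    done
}

# Example: sh audit.sh /opt/*.sh   (pass the scripts your root crontab runs)
if [ "$#" -gt 0 ]; then
    run_audit "$@"
fi
```

Pass it the scripts referenced by root's crontab entries. Any finding on a cron target means an unprivileged account can change what root executes.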