Read my writeup for the Timing machine on:
TL;DR
User: Found an LFI in image.php, which allowed reading the content of the PHP files. Found the aaron user in /etc/passwd, and with the credentials aaron:aaron we can log in to the web portal. From profile_update.php we can see that we can change our role to get permission to upload files. Calculated the file name from upload.php (we can calculate the "random" file name because the developer writes md5('$file_hash' ...) instead of md5($file_hash ...) in upload.php; single quotes do not interpolate in PHP, so the literal text $file_hash is hashed rather than the variable's value). Using that we upload a web shell. Found a backup file at /opt/source-files-backup.zip; by extracting the backup we found a .git directory. Reverting to a specific commit, we found the SSH password of the aaron user in db_conn.php.
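The upload.php naming bug above, as an added illustration that is not the machine's source: only the md5('$file_hash' ...) versus md5($file_hash ...) mistake comes from the writeup, and the surrounding code (the uniqid() hash, the time() suffix, the function names) is a hypothetical reconstruction shown beside a hardened version.

```php
<?php
// Added example, not the real upload.php. Everything except the quoting
// mistake itself is a hypothetical reconstruction.

function weakUploadName(string $originalName): string
{
    $file_hash = uniqid();
    // BUG: single quotes do not interpolate variables in PHP, so md5()
    // always receives the literal 10-character text $file_hash, whatever
    // $file_hash actually holds. The only varying input is the assumed
    // time() suffix, which has one-second granularity and is not secret,
    // so the "random" name is predictable and the original extension
    // (e.g. .php) is preserved unchanged.
    return md5('$file_hash' . time()) . '_' . basename($originalName);
}

function safeUploadName(string $originalName): string
{
    // Fix: derive the stored name from a CSPRNG, never from values the
    // client can predict, and whitelist the extension so that only image
    // types are ever written under the web root.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png'], true)) {
        throw new RuntimeException('Unsupported file type');
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Within the same second the weak scheme yields the same name for the same
// input, while the safe scheme yields a fresh name on every call.
var_dump(weakUploadName('shell.php') === weakUploadName('shell.php')); // bool(true)
var_dump(safeUploadName('photo.png') === safeUploadName('photo.png')); // bool(false)
```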
Root: By running sudo -l we found we can run /usr/bin/netutils (which runs a jar from the root directory) as root. Using this jar we can download files to the target machine (over HTTP or FTP), and the files are written with root permissions. Create a symlink to /root/.ssh/authorized_keys in aaron's home directory and download a file with the same name from our host; this file contains our SSH public key. Once the file has been downloaded from our host, we can log in as root using our SSH private key.