THM Pyrat

This machine provides a remote Python REPL environment via a SimpleHTTP service.

We gain initial access by constructing a simple Python reverse shell.

After conducting a thorough search of the system (targeting users with login shells), we discovered that one user maintained a Git repository containing their login credentials. Subsequently, we uncovered clues within the Git logs pointing to the remote REPL environment. This led us to fuzz the environment's hidden endpoint and its password, ultimately gaining root privileges.

[Read more]

THM Chronicle

This is a Linux machine with SSH and two different web services enabled. One of the web services had an API vulnerability that could leak user credentials (though it required a key). Coincidentally, the other service had a source code disclosure vulnerability. We found the required key in the Git logs, thereby obtaining SSH login credentials.

Subsequently, by decrypting Firefox browser data, we acquired credentials for another user for lateral movement.

Within their home directory, we discovered a SUID program with a buffer overflow vulnerability and weak security protections. We exploited this using ret2libc to gain root privileges.

[Read more]

THM Lookup

This is a Linux machine with SSH and web services. Because login.php returns different responses depending on the submitted credentials, we can fuzz the credentials for login.php. After logging in, the platform discloses its version, which we leverage to get a foothold.

At first, we are a low-privilege user (www-data). Fortunately, there is a dedicated SUID program that lets us read the password of the user (think).

After that, we discover a sudo rule that allows us to read arbitrary files, so we can steal root's SSH private key.

[Read more]