Link to the machine:
Using nmap, I found 2 open ports.
Since the site showed the Apache default page, I tried to brute-force directories with dirsearch using the common wordlist.
Let’s take a look at robots.txt. Nothing special, but it says to enumerate more!!
Let’s take a look at user.txt. I found a base32 string inside user.txt, so we can decode it using CyberChef.
I was stuck here for a while, so I used a different wordlist, the big wordlist from SecLists, and found a new directory, /findme.
Let’s open catchme.php
From here, maybe we have a cmd parameter to execute commands. Let’s try id.
Nice! Let’s get a reverse shell, and for this one I used python3 :)
Now that I have a shell as www-data, it’s time to enumerate more. First, let’s enumerate SUID binaries.
find / -perm -u=s -type f 2>/dev/null
So I found MeowMeow. Usually, I first run the SUID binary to see what it outputs.
It seems to run the command id, mhmm... I do not have read permission on this SUID binary, so going on instinct, let’s assume that it runs the command id, and maybe I can try to hijack the PATH.
Rooted! Enjoy this machine and feel free to try it :) Thanks to the creator.
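For anyone fixing a binary like MeowMeow: the sketch below is an added example, not the machine's code (its source is never shown here). It assumes the binary calls id by bare name, and shows that pattern next to a hardened form. The names is_absolute_clean, run_hardened and SAFE_ENV are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Assumed vulnerable pattern (MeowMeow's real source is not on the page):
 *     setuid(0); system("id");
 * system() runs /bin/sh -c, which resolves "id" through the caller's PATH,
 * so whoever invokes the SUID binary chooses which "id" runs as root. */

/* Fixed environment: nothing is inherited from the invoking user. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Accept only absolute paths that contain no ".." component. */
int is_absolute_clean(const char *p) {
    if (p == NULL || p[0] != '/') return 0;
    if (strstr(p, "/../") != NULL) return 0;
    size_t n = strlen(p);
    if (n >= 3 && strcmp(p + n - 3, "/..") == 0) return 0;
    return 1;
}

/* Run prog via execve: no shell and no PATH search.
 * Returns the child's exit status, or -1 if refused or on failure. */
int run_hardened(const char *prog, char *const argv[]) {
    if (!is_absolute_clean(prog)) return -1;   /* bare names are refused */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(prog, argv, SAFE_ENV);
        _exit(127);                            /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char *const argv[] = { "id", NULL };
    int rc = run_hardened("/usr/bin/id", argv); /* assumed location of id */
    printf("exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

A helper that does not need root for the whole call should also drop privileges before the exec; removing the SUID bit entirely is the simpler fix when the binary only reports the caller's identity.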