Nmap scan:
Going to the website revealed that this website has some sort of backdoor left on it.
Reading the page source gave another hint:
For this, we can google 'Some of the best web shells that you might need' and be directed to this repository:
From there, we can create a wordlist of all the possible shells that are available, and use gobuster on the website. We would find that smevk.php is on the website.
We can log in with admin:admin and then find a functioning PHP web shell.
Using the Execute part, we can gain a reverse shell on the machine as the webadmin user.
We can first check our sudo privileges.
There's also a message left behind by the sysadmin user.
luvit is a CLI tool that can be used to execute Lua code. Since we can use sudo on it, we can simply spawn another shell using os.execute().
When running LinPEAS, we can find that there are some interesting files we can write to:
To exploit this, we would need to trigger the message to be displayed through SSH. As such, we can create a public key and echo it into the authorized_keys file for sysadmin. Afterwards, we need to execute this command:
This would create a bash SUID binary for us to escalate privileges. This 00-header file would need to be placed within the /etc/update-motd.d/ directory and then we can SSH in. Afterwards, spawning a root shell is simple.
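The escalation above depends on login-banner scripts in /etc/update-motd.d/ being writable by a non-root account. The following check for that condition is an added example, not part of the original write-up; the function name audit_motd is hypothetical, and GNU find and stat are assumed.

```shell
#!/bin/sh
# audit_motd [DIR] [OWNER_UID]
#
# Flags DIR itself and every regular file directly inside it that is either
#   - not owned by OWNER_UID (default 0, i.e. root), or
#   - writable by group or others (mode bits 020 / 002).
# Scripts in this directory run at login, so any entry a non-root user can
# modify should be treated as a finding.
#
# Output: one "MODE OWNER:GROUP PATH" line per finding.
# Exit status: 0 = clean, 1 = findings printed, 2 = DIR is not a directory.
# Limits: symlinks and POSIX ACLs are not inspected.
#
# Usage: audit_motd                      (checks /etc/update-motd.d)
#        audit_motd /some/other/dir 0
audit_motd() {
    dir=${1:-/etc/update-motd.d}
    owner=${2:-0}

    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # -perm /022 matches when the group-write or other-write bit is set.
    findings=$(find "$dir" -maxdepth 1 \( -type f -o -type d \) \
        \( ! -uid "$owner" -o -perm /022 \) \
        -exec stat -c '%a %U:%G %n' {} + | sort)

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

A finding is resolved by restoring root ownership and removing group and other write permission from the flagged entry.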