I ran a directory scan and found an exposed.php endpoint. We also find an /uploads directory that could potentially be used.
When visiting the PHP site, this is what we see:
There is obviously an RFI exploit here. I tried to upload a PHP reverse shell from PentestMonkey, and then used curl http://<IP>/uploads/shell.php, and it worked in getting me a reverse shell.
Privilege Escalation
Screen 4.5.0
I ran LinPEAS and the SUID binaries were rather interesting:
The last one was screen-4.5.0, which was an outdated version vulnerable to a local privilege escalation exploit. We can follow the PoC below to gain a root shell.
