Nmap scan:
We can do a gobuster scan on the machine to find all possible files present:
On the website itself, it was a simple application to read files:
This was hosted at http://<IP>/browse.php/?file=<FILENAME>, which had an obvious LFI. We can use this to read listfiles.php, which was present on the machine.
There was a pwdbackup.txt file, and when read it shows a password that has been encoded 13 times with base64:
When decoded, it gives Charix!2#4%6&8(0. We can then use this to SSH in as the user charix.
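Stacked base64 is an encoding, not encryption, so the layers come off mechanically with no key. The sketch below is an added example, not part of the original writeup: the function names and the sample secret are constructed, and it generalises to any number of layers by stopping once the data no longer decodes to printable text.

```python
import base64
import binascii

PRINTABLE = set(range(32, 127)) | {9, 10, 13}


def peel_base64(blob: bytes, max_layers: int = 64):
    """Strip nested base64 layers; return (plaintext, layers_removed)."""
    current, layers = blob, 0
    while layers < max_layers:
        compact = b"".join(current.split())  # tolerate line-wrapped files
        if not compact:
            break
        try:
            decoded = base64.b64decode(compact, validate=True)
        except binascii.Error:
            break  # not base64 any more: 'current' is the plaintext
        # Text that merely looks like base64 decodes to binary noise; stop there.
        if not decoded or any(b not in PRINTABLE for b in decoded):
            break
        current, layers = decoded, layers + 1
    return current.decode("ascii", errors="replace").strip(), layers


def wrap_base64(secret: str, times: int) -> bytes:
    """Build constructed sample data: 'secret' encoded 'times' times, line-wrapped."""
    data = secret.encode()
    for _ in range(times):
        data = base64.encodebytes(data)
    return data


if __name__ == "__main__":
    # Constructed sample, not the contents of the page's pwdbackup.txt.
    sample = wrap_base64("Constructed-Secret!42", 13)
    print(peel_base64(sample))
```

The same routine is useful when auditing backups or repositories for credentials that were only "hidden" by repeated encoding.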
We can check the ports that are open with netstat -an.
VNC is open on port 5901, and normally, this requires a password file. Conveniently, we can find a secret.zip in the user's directory:
We can transfer this back to our machine via base64, and then use vncviewer to log in to the VNC service after port forwarding it:
This would spawn a terminal as the root user: