https://hackmyvm.eu/machines/machine.php?vm=Zday
Cat ports, a lot opened. Check port 80 first, it's a default apache page.
Scan files and folders.
Open /fog, it's login panel of fog project.
Google the default crdentials and login. At "storage" page, get a username "fogproject" and password.
Try to login ssh using this credentials. We get an error message and exit.
Log in ftp with this crdentials.
Download the .bashrc, remove the tail code, which cause the error message.
Upload the .bashrc through ftp, then we can login as fogproject.
find / -writable -not -path "/proc*" 2>/dev/null
We can write to some places in http folder.
Upload a reverse shell and overwrite /var/www/html/fog/service/ipxe/index.php, then we get reverse shell as user www-data.
Sudo -l as www-data.
Escalate to user estas.
Sudo -l as user estas.
Check the source code of mimeopen. Notice these several lines.
Goto /tmp folder, create a tmpfile with code "bash", then call mimeopen with -d, and use bash to run "tmpfile". Then we get root.