Foothold
1. XSS in quotation form to get admin session
2. SSTI in report generation
3. Use SSTI to get RCE and foothold
4. SSTI blacklists . and __, so we play SSTI golf
5. reading app.py, get mysql password
6. in users table, get hash of user account and crack it
7. get user flag
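The application-side fixes for steps 1 to 4 of the foothold (admin session stolen through XSS in the quotation form, then SSTI in report generation), as an added example that is not part of this write-up and has no relation to the target's actual app.py. It is standard-library only; the template text, field names and sample values are constructed for illustration. The denylist function is included only to show what a character blacklist of "." and "__" does and does not guarantee; the real fix is that user input is substituted into a fixed template as data and never used as template source.

```python
"""Added example, not from the write-up or the target's app.py: the two
application-side fixes for steps 1-4 of the foothold (stolen admin session via
XSS, then SSTI in report generation). Standard library only; all names and
sample values are constructed for illustration."""
import html
from http.cookies import SimpleCookie
from string import Template

# Character denylist of the kind the outline mentions ("." and "__" blocked).
# Kept here only to show what it does: it rejects some substrings, but input
# that passes is still handed to a template engine as template source, so it
# narrows the attacker's syntax rather than removing the evaluation.
DENYLIST = (".", "__")


def passes_denylist(user_input: str) -> bool:
    """Return True when no denied substring is present (weak control)."""
    return not any(bad in user_input for bad in DENYLIST)


# The fix for SSTI: the template is a fixed string owned by the application,
# and user values are substituted as data, never concatenated into the
# template text. string.Template only replaces $name placeholders from the
# mapping, so template syntax inside a value stays inert.
REPORT_TEMPLATE = Template(
    "<h1>Quotation report</h1>\n"
    "<p>Customer: $customer</p>\n"
    "<p>Notes: $notes</p>\n"
)


def render_report(customer: str, notes: str) -> str:
    """Render the report; values are HTML-escaped, which also closes the
    stored-XSS path through the quotation form."""
    return REPORT_TEMPLATE.substitute(
        customer=html.escape(customer, quote=True),
        notes=html.escape(notes, quote=True),
    )


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie header for the admin session. HttpOnly keeps
    document.cookie from exposing the value to any script that does get
    injected; Secure and SameSite=Lax limit where the browser sends it."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    morsel = cookie["session"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    # Constructed inputs: one template-looking note, one tag-containing note.
    print(render_report("Acme Ltd", "{{ 7 * 7 }}"))
    print(render_report("Acme <i>Ltd</i>", "$customer"))
    print(session_cookie_header("constructed-session-id"))
```

The denylist check is deliberately not called from render_report: once the template is fixed and values are only data, there is nothing left for a character filter to protect, and keeping it would only suggest a control that is not there.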
PrivEsc
1. sudo -l and see that we can run qpdf
2. sudo qpdf --empty /tmp/pwn.pdf --add-attachment /root/root.txt --
3. run a web server on the victim and download the pdf to attacker VM
4. open the pdf file and download the attachment to get root flag
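The defender's view of the PrivEsc steps, as an added example that is not part of this write-up: a small audit of sudoers-style rules for the kind of grant that made the qpdf step possible. Any command runnable as root without a password that accepts arbitrary file paths (here qpdf's --add-attachment, which embeds any file root can read) is an arbitrary-file-read primitive, and the grant itself is the finding. The sudoers fragment in the block is constructed; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the write-up: audit sudoers-style rules for the kind
# of grant that made the qpdf step possible. The sudoers fragment below is
# constructed; run against the real files with:
#   flag_risky /etc/sudoers /etc/sudoers.d/*

# list_grants FILE... -> one "user tag command" line per user specification.
# tag is NOPASSWD or PASSWD; Defaults/alias lines and comments are skipped.
list_grants() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$@" 2>/dev/null \
    | grep -Ev '^(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)' \
    | awk '{
        user = $1
        tag = "PASSWD"
        if ($0 ~ /NOPASSWD:/) tag = "NOPASSWD"
        cmd = $0
        sub(/^[^=]*=[ \t]*/, "", cmd)                              # drop "user HOST="
        sub(/^\([^)]*\)[ \t]*/, "", cmd)                           # drop "(runas)"
        gsub(/(NOPASSWD|PASSWD|NOEXEC|SETENV):[ \t]*/, "", cmd)    # drop tag words
        printf "%s %s %s\n", user, tag, cmd
    }'
}

# flag_risky FILE... -> grants that are passwordless or unrestricted (ALL).
# A NOPASSWD grant on a file-handling tool such as qpdf belongs here even
# though the command is a single fixed binary.
flag_risky() {
    list_grants "$@" | awk '$2 == "NOPASSWD" || $3 == "ALL"'
}

# Constructed sample fragment, written to a temp file so the functions can be
# exercised offline.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sudoers fragment
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
svc     ALL=(root) NOPASSWD: /usr/bin/qpdf
%admin  ALL=(ALL) ALL
ops     ALL=(ALL) /usr/bin/systemctl restart nginx
EOF

echo "== all grants =="
list_grants "$SAMPLE"
echo "== review these =="
flag_risky "$SAMPLE"
```

The parser only handles the one-rule-per-line shape shown; rules that use Cmnd_Alias indirection or line continuations need the aliases expanded first (sudo -l on the host does that for you, which is exactly why step 1 of the outline starts there).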