Foothold
1. Fuzz out a .git folder
2. git-dumper to get the contents, and find the admin page
3. CVE-2024-34716; XSS in image upload, and unrestricted file upload gets you a webshell
4. Find mysql password and hashcat password for james
5. su james to get local
PrivEsc
1. Find another IP address in the network, and a service running at port 5000
2. chisel to access the service, which is changedetection.io
3. Use james's password to get access to the changedetection.io admin page
4. exploit the SSTI vulnerability in changedetection.io to get RCE on the Docker image
5. As root on the Docker image, download the Backup Zip files
6. Unzip the contents and decode them using
7. Get the password for adam
8. adam can run prusaslicer as sudo
9. exploit to get root flag