On this Linux machine I abused LFI to find the password for admin panel for Tomcat. From there I used CLI to upload .WAR file to get a reverse shell. In /var/www there was a zip file which was password protected. Cracking the password using John, we find the credentials for the user Ash. From…
This Linux machine had a PHP page with LFI vulnerability. To upload a webshell I used SMB. From there we find credentials from a database config file. To root the machine I added a reverse shell to a writeable python module which was called upon by a python script run by root in cronjob. Enumeration…
On this Solaris machine we used finger to enumerate users. We then guessed the password for the enumerated user to get SSH access. From there we escalated our privilege to Sammy through a shadow file we had access to. I cracked the password and as able to SU to Sammy. Sammy was able to run…
