22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
Authentication bypass to gain access to web application
Executable file with weak permissions
Visiting the web application
Cant create an admin user as already exists
Create a new user with the name admin= and we discover an ssh key.
Download key with wget and change permissions then login with the ssh key
Unusual file called backup in home dir which reads the /etc/shadow file
Strings shows us it uses cat
Create a file called cat in the home dir with the contents:
#!/bin/bash/bin/shMake it executable withchmod 777 cat
Export the path to the users home dir so it picks up the malicious file cat first.
Execute the file to get root.