Don’t give up on first upload.

nmap service and OS scan

On visiting the page we find index page which says It works

Running a gobuster scan shows us: 1) index 2)test3) torrent ,directories. Visiting test shows php config page. Torrent shows us dashboard to Torrent Hoster.

It has option to login and register. Let’s register

Shows successful registration

Gives you an option to upload. So we first download one file available in browse page — kali.torrent as sample and will try to upload it

After successful upload we will edit this torrent file to upload shell. First make a php shell file

Making some changes in request using burp let’s upload this.

Using exploit/multi/handler module on msfconsole , we can get reverse shell

Load the image from edited content and gain the shell
Enumerating to home directory we get USER.txt FLAG!!!

Now going to home of www-data we find a folder torrent, containing database. Enumerating the sql file we get admin password.

admin user and password in .sql file. Encrypted password.

Username : admin && Password : admin12.

These credentials worked no where … Suxxxxxx!! So I went back to home dir of www-data where I found .cache -> /etc/passwd

Opening /etc/passwd, I got a credential for toor. But since we don’t have access to /etc/shadow we cannot crack it. Shattered once again.

After a lots of trial and error . Nothing worked so I decided to check kernel exploits for Linux.

Linux Kernel <= 2.6.37 local privilege escalation

Linux Kernel exploit full-nelson.c . I tried running privilege exploit for linux kernel . Refer: https://www.exploit-db.com/exploits/15704

Just get it on your machine, then transfer to target machine and compile. Finally run it

Race condition kernel exploits.

ROOTED!!

OSCP | CEH | Cyber Security Enthusiast.