Waffle
Nmap Scan Result
The /info page exposes an Apache config file that reveals the web app installation path.
The SSH service running on port 22022 accepts the default credentials admin:admin or root:root, but the shell it provides has very limited features.
The vulnerability here is that we can write an executable PHP script from the restricted shell to the web server running on port 80. However, we need to specify the write destination path, as seen below.
Privilege Escalation
Using linpeas.sh, we notice that a Python capability is our privilege escalation vector: with Python, we are able to change our user group to any group of our choosing.
To exploit this, we simply change the GID to shadow, which allows us to read the password hash; the hash can then be cracked with hashcat.
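A defender-side audit for the misconfiguration used above, as an added example that is not part of the original write-up: it parses `getcap -r` output and flags script interpreters that carry an identity-changing file capability. The write-up does not name the capability, so `cap_setgid` (and its sibling `cap_setuid`) is an assumption here, as are the interpreter list and the constructed sample lines.

```python
import re

# Capabilities that let a process change its own UID/GID. On a general-purpose
# interpreter, any local user who can run it can assume another identity.
IDENTITY_CAPS = {"cap_setgid", "cap_setuid"}
# Basenames treated as interpreters (assumed list; extend for your hosts).
INTERPRETER_RE = re.compile(r"^(python|perl|ruby|php|node|lua)[\d.]*$")
# Older libcap prints "path = caps+flags"; newer releases print "path caps=flags".
LINE_RE = re.compile(r"^(.+?)(?: =)? (cap_[a-z_,]+[=+]\S*(?: .*)?)$")

# Constructed sample of `getcap -r / 2>/dev/null` output mixing both formats.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setgid+ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/perl5.30 cap_setuid,cap_net_bind_service=eip
/opt/my tools/python3 cap_setgid=ep
/usr/bin/mtr-packet = cap_net_raw+ep
"""

def parse_getcap_line(line):
    """Return (path, set of capability names), or None if the line is not a match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    caps = set()
    # A spec can hold several clauses, e.g. "cap_a,cap_b=ep cap_c+i".
    for clause in m.group(2).split():
        names = re.split(r"[=+]", clause, maxsplit=1)[0]
        caps.update(n for n in names.split(",") if n)
    return m.group(1), caps

def find_risky_interpreters(getcap_output):
    """List (path, sorted identity capabilities) for interpreters holding any."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        risky = caps & IDENTITY_CAPS
        if risky and INTERPRETER_RE.match(path.rsplit("/", 1)[-1]):
            findings.append((path, sorted(risky)))
    return findings

if __name__ == "__main__":
    for path, caps in find_risky_interpreters(SAMPLE_GETCAP):
        print(f"{path}: {', '.join(caps)} (clear with: setcap -r '{path}')")
```

On a real host, feed the function the output of `getcap -r / 2>/dev/null` instead of the sample and review every finding before clearing it.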