Posts for: #Api_vuln

HMV Five

This is a Linux machine with only web services exposed. The upload API endpoint takes a client-controlled directory parameter, so by controlling where the file is written we could upload a webshell and gain an initial foothold on the system.

Next we discover a sudo rule that lets our initial user run /bin/cp as another user, and an SSH service bound to localhost only, which we can reach by forwarding the port. We pivot to that user by using /bin/cp to write our SSH public key into their authorized_keys. Finally, we get a root shell (or arbitrary file read) with a living-off-the-land (LOTL) technique; the binary in this case is /bin/man.

[Read more]

THM Chronicle

This is a Linux machine with SSH and two different web services. One web service has an API vulnerability that leaks user credentials, though it requires a key. Conveniently, the other service has a source code disclosure vulnerability, and we found the required key in the Git logs, which gave us SSH login credentials.

Next, by decrypting the Firefox profile data, we recovered credentials for another user and moved laterally.

In that user's home directory we found a SUID binary with a buffer overflow and weak security protections. We exploited it with ret2libc to gain root.

[Read more]