This is a Linux machine with ssh and two different web services enabled. One of the web services had an API vulnerability that could leak user credentials (though it required a key). Coincidentally, another service had a source code disclosure vulnerability. We found the required key in the Git logs, thereby obtaining SSH login credentials.

Subsequently, by decrypting Firefox browser data, we acquired credentials for another user for lateral movement.

Within their home directory, we discovered a SUID program with a buffer overflow vulnerability and weak security protections. We exploited this using ret2libc to gain root privilege.

This is a Linux machine with ssh and web services. According to the different responses are generated based on different credentials, we can fuzz the credentials for login.php. After login into the system, there is version disclose of the platform. We leverage it to get foothold.

First of all, we are a low-privilege (www-data) user. Fortunately, there is a dedicated SUID program reserved for us to read password of the user (think).

After that, we can discovery that there is a sudo rule for us to read arbitrary files. We can steal the root's ssh private key!!