Let’s kick it off with an initial port scan.
Running gobuster against the website finds two interesting directories.
Checking the panel directory, we uncover an upload form.
Open Burp Suite and capture the request sent when you upload a file. Send the request to Intruder and use a set of extensions to try to bypass the upload form.
Checking the upload directory, you’ll see a bunch of files that were successfully uploaded. Start a listener and check which one sends a connection back to it (in my case it was the .php5 extension file).
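Why the .php5 file got through, shown from the defender's side as an added example (not code from this room or the original write-up): a blocklist that refuses only `.php` next to an allowlist that also checks the file's leading bytes and renames the upload. The blocklist contents, the image-only allowlist, and all function names are assumptions, since the page does not show the server-side filter.

```python
import os
import secrets

# Assumption: the weak filter refuses only the exact ".php" extension.
BLOCKED = {".php"}
# Allowlist for a hypothetical image-upload form: extension -> required leading bytes.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def extension(filename):
    """Lower-cased final extension of the client-supplied name, path stripped."""
    base = os.path.basename(filename.replace("\\", "/"))
    return os.path.splitext(base)[1].lower()

def blocklist_accepts(filename):
    """Weak check: anything not explicitly blocked is accepted."""
    return extension(filename) not in BLOCKED

def allowlist_store_name(filename, data):
    """Hardened check: return a server-generated name, or None to refuse."""
    ext = extension(filename)
    signatures = MAGIC.get(ext)
    if signatures is None or not data.startswith(signatures):
        return None
    # The client-supplied name is discarded; only the vetted extension survives.
    return secrets.token_hex(16) + ext

# Constructed sample uploads (name, first bytes of the body).
SAMPLES = [
    ("shell.php", b"<?php /* placeholder */ ?>"),
    ("shell.php5", b"<?php /* placeholder */ ?>"),
    ("avatar.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("fake.png", b"<?php /* placeholder */ ?>"),
]

def compare(samples):
    """Return (name, accepted_by_blocklist, accepted_by_allowlist) per sample."""
    return [(n, blocklist_accepts(n), allowlist_store_name(n, d) is not None)
            for n, d in samples]

if __name__ == "__main__":
    for row in compare(SAMPLES):
        print(row)
```

Storing uploads outside the web root, or in a directory where the PHP handler is disabled, removes the execution step even if a filter is bypassed.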
Download and run Linux Smart Enumeration. The SUID bit is set on python, so we can abuse that to gain a privileged shell.
It was a simple and easy, but fun, room to do. Hope you guys learned something new.