Opacity

Initial access

After doing initial enumeration on this room I found the /cloud directory. Here it was possible to upload image files. To bypass the file extension filter, I simply added a null-byte to the path.

That is, if my payload was called shell.php, I type the URL like this LOCAL_IP:PORT/shell.php#.jpg

This way it was possible to gain initial access.

KeePass cracking

Again, simply doing basic enumeration showed another user "sysadmin".

I searched for files belonging to this user with find / -type f -user sysadmin 2>/dev/null and found a KeePass file called dataset.kdbx.

This file was extracted by setting up a python3 HTTP server at the target - python3 -m http.server 4444

Then I used JohnTheRipper to crack the password.

keepass2john dataset.kdbx > keepassJohn
john keepassJohn --wordlist=/usr/share/wordlists/rockyou.txt 

and once keepassxc was installed, I could get the password of sysadmin.

Root

I noticed that the /home/sysadmin/scripts directory was owned by the root user and could kinda guess that the script.php would be executed by the root user a some point.

This can be confirmed by running pspy64.

Since the folder was located in /home/sysadmin I could rename it and create a new folder "scripts".

I then simply placed a new PHP reverse shell payload (the same as I used for initial access) and waited with a listener open.

That worked.