I scanned all ports with nmap.
Enumeration
I searched endpoint with gobuster but it fails to find a directory.
Initial Foothold
I searched the header info and php version has a weakness.
The weakness causes command execution vulnerability and I execute any command over User-agent header. I prepare the rev. shell command and execute it.
I access to target machine via reverse shell
Privesc Escalation
I execute sudo -l command and sudo /usr/bin/knife and I got a info that how can ı run this command.
I saw interesting usage that I can abuse in the information.
knife exec command may supports to me read the root.txt file and got a flag.
