BountyHunter
Enumeration
Ports and Services
Software Installed:
Nmap Scan Results:
WFuzz:
Wfuzz .php
Initial Foothold
log_submit.php responds with Base64-encoded XML
http://10.129.193.248/log_submit.php
/tracker_diRbPr00f314.php, URL-encoded
Decoded:
Created an XXE payload, Base64-encoded and then URL-encoded, for the db.php file:
Base64-decoded the result and received a username/password:
Retrieved /etc/passwd:
Previously found password works with user development
SSH in as development
User.txt Proof Screenshot
Privilege Escalation
sudo -l
Created a ticket
# Skytrain Inc
## Ticket to root
__Ticket Code:__
**102+ 10 == 112 and __import__('os').system('/bin/bash') == False
Executed script and got root
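
A hardened counterpart to the ticket check that the ticket above abuses, as an added example that is not part of the original writeup or of the box's own script. It assumes the sudo-permitted script evaluated the Ticket Code line as a Python expression; safe_ticket_value, ticket_code and check_ticket are hypothetical names, and the benign ticket is constructed.

```python
import ast
import operator

# Only plain integer arithmetic is allowed in a ticket code (assumed policy).
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
MAX_EXPR_LEN = 64  # assumed limit; bounds parser work on hostile input


def safe_ticket_value(expr):
    """Evaluate integer arithmetic without eval(); ValueError on anything else."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        # Calls, names, attributes, comparisons, boolean operators all land here.
        raise ValueError("disallowed syntax: " + type(node).__name__)

    if len(expr) > MAX_EXPR_LEN:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expr.strip(), mode="eval")  # parses only, never executes
    except SyntaxError as exc:
        raise ValueError("not an expression") from exc
    return walk(tree)


def ticket_code(ticket_text):
    """Return the expression on the '**' line that follows '__Ticket Code:__'."""
    lines = ticket_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        nxt = lines[i + 1].strip()
        if line.strip() == "__Ticket Code:__" and nxt.startswith("**"):
            return nxt[2:]
    raise ValueError("no ticket code line")


def check_ticket(ticket_text):
    """Return (accepted, detail): the computed value, or the rejection reason."""
    try:
        return True, str(safe_ticket_value(ticket_code(ticket_text)))
    except ValueError as exc:
        return False, str(exc)


# The ticket from this writeup, verbatim, and a constructed benign ticket.
PAGE_TICKET = ("# Skytrain Inc\n## Ticket to root\n__Ticket Code:__\n"
               "**102+ 10 == 112 and __import__('os').system('/bin/bash') == False\n")
BENIGN_TICKET = "# Skytrain Inc\n## Ticket to root\n__Ticket Code:__\n**102+ 10\n"
```

With this check the writeup's ticket is rejected at the boolean operator before any call node is reached, while the arithmetic-only ticket evaluates to 112.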
Root Screenshot Here: