Marketing 🔸
Enumeration
Web server is a marketing page
Using feroxbuster we find /old path
Inside the old index there is a new link
Add this to /etc/hosts and access it
Going to /admin
Searching default credentials
Initial Access
We are in
Using this exploit: https://github.com/Y1LD1R1M-1337/Limesurvey-RCE (recreate the zip after editing the reverse shell)
Privilege Escalation
The LimeSurvey config file shows the SQL credentials
sync.sh
Testing the MySQL password against t.miller works
Get the flag
As t.miller we can execute /usr/bin/sync.sh
t.miller is a member of the staff and mlocate groups
Transfer the mlocate database to Kali and inspect it, looking for a personal folder
So we have to read creds-for-2022.txt, but if we pass the path directly to the program it will fail because of the
part, so we can disguise it with a symbolic link
Post Exploitation
Get the flag