
Xposedapi 🔸

Enumeration

The port serves a web page with usage instructions for an API.

Initial Access

/logs sits behind a WAF that blocks requests coming from other hosts, so we set the X-Forwarded-For header to bypass it.
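The bypass works because the filter trusts a header the client controls. As an added example (not from the room or this writeup), the snippet below shows the flawed check beside a corrected one that only looks at the TCP peer address, plus a small log scan that flags requests whose forwarded header claims loopback while the peer is remote; the log format and sample lines are constructed.

```python
from ipaddress import ip_address

LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def is_local_naive(peer_ip: str, headers: dict) -> bool:
    """Flawed: believes X-Forwarded-For, which any client can set itself."""
    claimed = headers.get("X-Forwarded-For", peer_ip).split(",")[0].strip()
    return claimed in LOOPBACK_HOSTS


def is_local_hardened(peer_ip: str, headers: dict) -> bool:
    """Corrected: only the socket peer address counts; headers are ignored.
    If a trusted reverse proxy is in front, take the client address from the
    proxy's own trusted channel, never from a header the client can forge."""
    return ip_address(peer_ip).is_loopback


# Constructed sample access log: "<peer_ip> <method> <path> <x-forwarded-for|->"
SAMPLE_LOG = """\
10.10.14.5 GET /logs 127.0.0.1
127.0.0.1 GET /logs -
10.10.14.5 GET /logs -
10.10.14.5 POST /update ::1
"""


def spoofed_forwarded_requests(log_text: str) -> list:
    """Detection: requests whose X-Forwarded-For claims a loopback address
    while the real peer is not loopback. Returns (peer, method, path) tuples."""
    hits = []
    for line in log_text.splitlines():
        peer, method, path, xff = line.split()
        if xff != "-" and xff in LOOPBACK_HOSTS and not ip_address(peer).is_loopback:
            hits.append((peer, method, path))
    return hits
```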

The logs reveal the user clumsyadmin, which can be used with the /update endpoint.

Generate a reverse shell payload with msfvenom and start a listener.

Then restart the app with POST /restart and catch the shell on the listener.

Get the flag

Privilege Escalation

Search for SUID programs

Post Exploitation

Get the flag