Xposedapi 🔸
Enumeration

The open port serves a web page with instructions for using an API.

Initial Access
/logs is behind a WAF that blocks requests coming from other hosts. By setting the X-Forwarded-For header, we can bypass it.
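To make the security point concrete, here is an added example (not code from the original write-up or from the target application) showing why a localhost-only check on an endpoint such as /logs is bypassable when it trusts X-Forwarded-For blindly, and how a hardened check behaves. The trusted-proxy range, the IP addresses and the header values are constructed for the demonstration.

```python
"""Added example: naive vs. hardened client-IP resolution behind a WAF.

Assumption: /logs is meant to be reachable only from 127.0.0.0/8, and the
application derives the "client IP" from X-Forwarded-For (XFF).
"""
from ipaddress import ip_address, ip_network

# Constructed values for the demo: the allow-list the WAF enforces and the
# reverse-proxy range that is allowed to append XFF entries.
LOCALHOST_ONLY = [ip_network("127.0.0.0/8")]
TRUSTED_PROXIES = [ip_network("192.168.1.0/24")]


def client_ip_naive(remote_addr, headers):
    """Weak: believes the first XFF hop no matter who sent it."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr, headers, trusted_proxies):
    """Walk the hop list from the right (the TCP peer) and return the first
    address that is not a trusted proxy; XFF entries added by anyone else
    are ignored.  Malformed entries fall back to the TCP peer address."""
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()] + [remote_addr]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            return remote_addr
        if not any(addr in net for net in trusted_proxies):
            return hop
    return remote_addr  # every hop was a proxy: trust nothing beyond the peer


def allowed(ip, allowlist):
    """True if ip falls inside one of the allow-listed networks."""
    return any(ip_address(ip) in net for net in allowlist)


def demo():
    """Return the access decision each resolver makes for a spoofed request."""
    remote_addr = "10.0.0.5"  # constructed: an external TCP peer
    headers = {"X-Forwarded-For": "127.0.0.1"}  # constructed: spoofed header
    naive_ip = client_ip_naive(remote_addr, headers)
    hardened_ip = client_ip_hardened(remote_addr, headers, TRUSTED_PROXIES)
    return {
        "naive": (naive_ip, allowed(naive_ip, LOCALHOST_ONLY)),
        "hardened": (hardened_ip, allowed(hardened_ip, LOCALHOST_ONLY)),
    }


if __name__ == "__main__":
    print(demo())  # naive grants access on a spoofed header, hardened denies it
```

The defensive lesson is that X-Forwarded-For is client-controlled unless a trusted proxy strips or overwrites it; a WAF rule should key on the TCP peer address (or on XFF only after the proxy chain has been verified) and log both values so a mismatch stands out in the logs.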

We see the user clumsyadmin; this user can be used with the /update endpoint.
Generate a reverse shell with msfvenom.

Then start a listener and restart the app with POST /restart.


Get the flag.

Privilege Escalation
Search for SUID programs on the box.
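From the defender's side, the same enumeration is the basis of a SUID audit: list every set-uid file under a root and flag the ones that are not on an expected baseline. The helper below is an added example (not part of the original write-up); the sample directory tree, file names and baseline it builds are constructed for the demonstration, and the check is expected to be run against a real filesystem root with the distribution's known SUID list as the baseline.

```python
"""Added example: audit a directory tree for unexpected set-uid files."""
import os
import stat
import tempfile


def find_suid(root):
    """Return sorted paths (relative to root) of regular files with S_ISUID set.

    lstat is used so symlinks are not followed; unreadable entries are skipped.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def unexpected_suid(root, baseline):
    """Return SUID files under root whose relative path is not in baseline."""
    return [p for p in find_suid(root) if p not in baseline]


def make_sample_tree():
    """Build a constructed sample tree: one expected SUID binary, one plain
    binary and one SUID file in a location no baseline would list."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    layout = {
        "bin/ping": 0o4755,       # expected SUID binary (on the baseline)
        "bin/ls": 0o755,          # normal binary, not SUID
        "tmp/suspicious": 0o4755,  # SUID file outside the baseline
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    baseline = {"bin/ping"}
    return root, baseline


if __name__ == "__main__":
    root, baseline = make_sample_tree()
    print("SUID files:", find_suid(root))
    print("not on baseline:", unexpected_suid(root, baseline))
```

On a live system the baseline should come from package metadata or a snapshot taken at build time, and the audit should run from a scheduled job so a newly appeared SUID file is reported rather than discovered during an intrusion.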



Post Exploitation
Get the flag.
