Now this was a fun change from the last one, and marks box #6 in my OSCP Prep. I had done this box some months ago and it was fun to play with again and re-remember how to do it.
Here’s the nmap scan:

Browsing, we get a blog, and it mentions a php bash shell that arrexel developed on this very server! That has to be promising!

Kicking off a dirsearch, we indeed find some interesting directories.


And now we have a shell.

We quickly see that we can run commands as the user ‘scriptmanager’ with no password, and we can browse around. www-user is enough to get us into arrexel’s directory and find the user flag.

But how to get the pesky root flag? Well, let’s see what the scriptmanager user can do.

Of particular interest is this scripts folder in the root of the server. Looking inside the directory we find a test.py and a test.txt. Don’t forget to look in the directory as scriptmanager otherwise you won’t be able to see anything.


All the test.py script does it write to test.txt. But as you can see above, it must be doing it with root permissions as test.txt is only writable by root. It’s trivial to modify the python script to get the contents of root.txt and write them out for us.

Now just wait for the script to be run (cron job) and poof, you’ve got your root flag!

This was a fun box. I look forward to moving on to more! Video to follow shortly!