EnumerationِNmap TIME!.
![Scanning-0]()
ِِِAs you can see 80,22,8080 are open.
Let`s start checking
![8080-2]()
ِAfter some recon i didn`t found anything in 8080.
ِBut i searched for megahosting exploit i found LFI so let`s try it.
![LFI-3]()
ِBANG ! , we got credentials.
After some search i found out that we can have a reverse shell by uploading it to manager page
Exploitation ![To-Create-Payload-and-upload-it-3]()
ِAfte uploading our shell let`s execute it.
![LISTENING-34-N-A5-OSH-3-LA-L-MAKNA-5]()
After some recon i found a backup file at /var/www/html
So i made an http server to download it to my machine and crack it
Let`s crack it with FCRACKZIP
![Crack-Backup-Zip-File]()
Privilege EscalationI didn`t find anything interesting in the file , In the recon phase i found ash user so i tried the password on it
![User-hasheno]()
BAM ! , we logged in and got user hash
I found this article about LXD privilege escalation and knowing that the user is in LXD group lxd privilege escalation
Let`s build !
![Rooted]()
Thanks for Reading 🙏
ِNmap TIME!.

ِِِAs you can see 80,22,8080 are open.
Let`s start checking


ِAfter some recon i didn`t found anything in 8080.
ِBut i searched for megahosting exploit i found LFI so let`s try it.

ِBANG ! , we got credentials.
After some search i found out that we can have a reverse shell by uploading it to manager page
Exploitation ![To-Create-Payload-and-upload-it-3]()
ِAfte uploading our shell let`s execute it.
![LISTENING-34-N-A5-OSH-3-LA-L-MAKNA-5]()
After some recon i found a backup file at /var/www/html
So i made an http server to download it to my machine and crack it
Let`s crack it with FCRACKZIP
![Crack-Backup-Zip-File]()
Privilege EscalationI didn`t find anything interesting in the file , In the recon phase i found ash user so i tried the password on it
![User-hasheno]()
BAM ! , we logged in and got user hash
I found this article about LXD privilege escalation and knowing that the user is in LXD group lxd privilege escalation
Let`s build !
![Rooted]()
Thanks for Reading 🙏

ِAfte uploading our shell let`s execute it.


After some recon i found a backup file at /var/www/html
So i made an http server to download it to my machine and crack it
Let`s crack it with FCRACKZIP

Privilege EscalationI didn`t find anything interesting in the file , In the recon phase i found ash user so i tried the password on it
![User-hasheno]()
BAM ! , we logged in and got user hash
I found this article about LXD privilege escalation and knowing that the user is in LXD group lxd privilege escalation
Let`s build !
![Rooted]()
Thanks for Reading 🙏
I didn`t find anything interesting in the file , In the recon phase i found ash user so i tried the password on it

BAM ! , we logged in and got user hash
I found this article about LXD privilege escalation and knowing that the user is in LXD group lxd privilege escalation
Let`s build !
![]()
![]()
Thanks for Reading 🙏