Waldo Write-up (HTB)

Whilst the third stage was a little tedious and hard to explain, I learnt about some small Linux functions that I never knew existed before.

PART ONE: USER

The usual nmap scan reveals three open ports.

Seeing as the SSH service is fairly up to date (and there are very few sun-answerbook enumeration tools), we can assume that this will be a web application attack.

When visiting the website, we are shown a (very gross) list manager:

The basic functionality of the site.

As shown in the gif, we have a few different functions:

- View all lists.
- Add/rename lists.
- Open a list to view its contents.
- Add/rename an item in a list.
- Delete list items.
- Delete lists.

With this in mind, let's take a look at some of the requests in Burp Suite. Attempting to open up the first list produces this request:

A request to the /dirRead.php endpoint.

Similarly, attempting to open up a list (within the first list) produces this request:

A request to the /fileRead.php endpoint.

We can see from this that we are querying the dirRead.php and fileRead.php pages, with the file parameter being posted. Since we are looking for a way into the system, attempting directory traversal to find important system files through LFI seemed like a good idea.

As such, I tried performing simple directory traversal on the dirRead.php page, which showed us the following:

Success!

As shown, we now have access to all files in the directory above. Let's now try going back another directory, so that we can access more sensitive files:

The same results as before.

Okay, so it seems that we can't traverse back any further. We can assume that some form of input sanitisation is taking place, and so we can try some simple bypasses. After only a couple of attempts, I found this, which outlines a method where we can bypass the input sanitisation by using "…/…//" instead of "../../":

We now have successful directory traversal!

As such, we can swap over to fileRead.php requests in order to read the contents of files:

The contents of /etc/passwd

Since this process of changing directories is a little tedious, I wrote a script to help us explore the file system. While this is completely pointless and genuinely a huge waste of time, I did it anyway (I guess I have too much free time?). I'm not going to go over the code, but it essentially lets us use cd, ls and cat to explore the filesystem.

Since we want to upgrade to a "proper" shell, let's go and find the user's SSH key.

Sidenote: whenever I am in a situation where we have read-only access to a system, I refer to this article, since it outlines many important files.

We now know that the user is called nobody, and we have their SSH key (although we could have found the username through /etc/passwd anyway). With this in mind, we can SSH in and obtain the user flag:

We have a full user shell!

PART TWO: ESCALATION

This next part was difficult, as I didn't know what to look for. I ran the usual enumeration scripts and looked through open ports and SUID files, but found very little.

Eventually, I decided to just list all files owned by waldo, so that I could comb through them to find any useful information:

waldo:~$ find / -user $USER ! -path "*proc*" ! -path "*var*" !
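The traversal filter bypass from part one, as an added illustration that is not the write-up's own script or the box's PHP: it assumes the endpoint sanitised the file parameter by stripping "../" in a single pass (the write-up does not show the source), shows why a doubled-up payload survives that filter, and pairs it with the containment check on the resolved path that should have been used instead. The base directory and the sample parameter values are constructed.

```python
import posixpath

# Constructed base directory for the example; the real list-manager path on
# the box is not shown in the write-up.
BASE_DIR = "/var/www/html/lists"


def naive_sanitize(user_path: str) -> str:
    """Assumed one-pass filter: remove the literal string '../'.

    str.replace removes each match exactly once and never rescans, so input
    in which '../' only forms *after* a removal comes out as a clean '../'.
    """
    return user_path.replace("../", "")


def resolve_inside_base(user_path: str, base_dir: str = BASE_DIR):
    """Hardened alternative: build the final path, normalise it lexically and
    return it only if it is still under base_dir; otherwise return None.

    Apply this to the path that will actually be opened (after any other
    rewriting), because it judges the result rather than the raw string.
    A real server should additionally resolve symlinks (os.path.realpath)
    before comparing, so a link inside base_dir cannot point outside it.
    """
    candidate = posixpath.normpath(posixpath.join(base_dir, user_path.lstrip("/")))
    if candidate == base_dir or candidate.startswith(base_dir + "/"):
        return candidate
    return None


def handle_file_read(user_path: str) -> str:
    """Mimics the vulnerable flow (strip, then open) but adds the containment
    check on the stripped result. Returns the path that would be read, or a
    refusal message instead of reading outside the base directory."""
    stripped = naive_sanitize(user_path)
    allowed = resolve_inside_base(stripped)
    return allowed if allowed is not None else "REFUSED: path escapes base directory"


if __name__ == "__main__":
    # Constructed sample values for the `file` parameter.
    for p in ["list1/item.txt", "../../etc/passwd", "....//....//etc/passwd"]:
        print(f"{p!r:28} strip -> {naive_sanitize(p)!r:20} final -> {handle_file_read(p)}")
```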
