Snare

Enumeration

From the homepage the address bar can be seen with a parameter named page, it looks like a possible LFI however no payload worked so I decided to check file execution

As guessed, file execution worked as been below, but the web service is already adding the .php extension so we don't need to add it in the address bar.

Using the common php reverse shell exploit I was able to get a reverse shell

navigating to the /home page where all user files are stores and I was able to get the first flag from user snare home

To find the second flag, I uploaded linpeas.sh and found that I can read and write to the /etc/shadow file

The passwords are  uncrackable, however, to exploit the fact that I can read and write to the Shadow file, I simply edited out the password hash of root using nano, after this, I used the su root command to switch user from www-data to root and was able to navigate to the second flag location,