TheBit

NMAP Scan Result shows a couple of open ports

There's a web server running on port 80, since there is no anonymous lomgin on the FTP, why not do a directory bruteforce on the web service with FFUF

The dashboard directory is just the default XAMPP page, nothing juicy in the other directories except for reviewer which also happpens to be the landing page of the webservice when viewed from a browser.

Clicking on "GET STARTED" and I'm redirected to a login page vulnerable to SQL injection and I was able to bypass the login page.

We got a flag but we also found a service (Online Reviewer System ) which is vulnmerable to RCE.

https://www.exploit-db.com/exploits/50319

I was able to get RCE with the exploit in the above URL and use revshells.com to create a reverseshell payload.

Privilege Escalation

Uploaded linpeas.sh to the victim device for privilege escalation and I found a PE vector in "find" which has SUID bit set and got me root on the system.

https://gtfobins.github.io/gtfobins/find/#suid