https://www.vulnhub.com/entry/shenron-2,677/
Scan ports.
Scan port 80, nothing useful.
Scan 8080, looks like a wordpress site.
Check source code of index.php, in order to make wordpress works, need to add http://shenron to /etc/hosts.
Wpscan found a plugin with LFI.
wpscan --url http://shenron:8080 -e u,p --no-banner --api-token $(cat /home/kali/Documents/wpscan_token)
Seach database for information.
In 44340.txt, found the poc.
Use LFI code to read /etc/passwd, found user jenny and shenron.
Bruteforce get jenny's passwd.
Ssh log in as jenny, check SUID file.
find / -perm -u=s 2>/dev/null
Disassemble Execute, found the actural bash code it run.
In /mnt, run ./bash -p, now we are shenron.
In shenron's home folder, found a .pass file. Decrypt it with base32.
Sudo -l, we can do anything. Get root finally.
