Let's download and examine the pcap file on the website.
We see that a user logs in from the development.smag.thm/login.php url.
Username and password are also included in HTML Form URL
To access the URL, we first need to add it to the etc/hosts file
We see that we can run commands after logging in with the information we obtained with Wireshark.
let's try to get Shell directly.
Done..
In the crontab, we can see that the id_rsa.pub file of the user jake is written to the authorized_keys file. Then let's create the id_rsa file for the jake user with ssh-keygen.
replace the .pub file we created with jake_id_rsa.pub.backup
After waiting for 1-2 minutes, we can log in as jake user with the id_rsa we created.
After logging in, let's get user.txt.
When we search the sudo -l command output with gtfo bins, we see that we can become root in a single line command.
