Just knocked over HIGINI if anyone is interested.
This is basically the approach I took step by step:
nmap -> find ports 22+80
View source -> find creds ‘test’ and ‘test’. Enter creds but they don’t go far. Some page called ‘expenses.php’ which doesn’t exist (useful later)
Hit up ‘/robots.txt’. Find /dev.
Download pages -> note obvious LFI from the ‘users’ cookie. Guess that the same pages in /dev are available in /. Test with ../../../../etc/passwd as the user cookie and the LFI works
Using the path /proc/self/fd/2 shows the error log. Note the instance of the ‘referer’ header being written out - particularly when the expenses.php file can’t be found
Log in again but this time polluting the referer header with the <?php echo('thisworks!'); system($_GET['cmd']); ?> string set.
Reroll the 5th step - note the ‘thisworks!’ string being printed.
Passing in cmd=ls as the query yields RCE.
DB credentials can be found at this point.
Don’t see obvious privesc yet.
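A detection-side counterpart to the chain above, added here as an example and not part of the original post or the box: it scans constructed Apache-style access log lines for the two telltales of this chain, traversal or /proc paths in the ‘users’ cookie and PHP tags in the Referer header. The log format (a custom LogFormat that records Cookie and Referer), the sample lines and the function names are all assumptions.

```python
import re
from typing import Dict, List

# Assumed custom Apache LogFormat (not from the original thread):
#   "%h %t \"%r\" %>s \"%{Referer}i\" \"%{Cookie}i\""
LOG_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Traversal sequences or sensitive pseudo-files arriving in a cookie value,
# which is what the LFI in the writeup rides on.
TRAVERSAL = re.compile(r'(\.\./|%2e%2e%2f|/etc/passwd|/proc/self/)', re.I)
# PHP open tags in a request header: the signature of log poisoning.
PHP_TAG = re.compile(r'<\?(php|=)', re.I)


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its named fields; raise on anything unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def flag_line(line: str) -> List[str]:
    """Return the reasons (possibly none) this request looks like LFI or log poisoning."""
    rec = parse_line(line)
    reasons = []
    if TRAVERSAL.search(rec["cookie"]):
        reasons.append("traversal-in-cookie")
    if PHP_TAG.search(rec["referer"]):
        reasons.append("php-tag-in-referer")
    return reasons


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> reasons for every line that was flagged."""
    return {i: r for i, r in ((i, flag_line(l)) for i, l in enumerate(lines)) if r}


# Constructed sample log, not captured from any real host.
SAMPLE_LOG = """\
10.10.14.2 [12/Mar/2020:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 "-" "users=alice"
10.10.14.2 [12/Mar/2020:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 "-" "users=../../../../etc/passwd"
10.10.14.2 [12/Mar/2020:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 "-" "users=/proc/self/fd/2"
10.10.14.2 [12/Mar/2020:10:01:15 +0000] "POST /login.php HTTP/1.1" 302 "<?php system($_GET['cmd']); ?>" "users=bob"
""".splitlines()

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LOG).items():
        print(idx, reasons)
```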
The forum is a place for discussion, perhaps writeups, how you did it, or one or two issues you may be facing. But a conversation about breaking it, that is a job for the IRC.
My post was a writeup, how I did it, and one issue I may be facing.
It was NOT/NOT a conversation about breaking it.
Personally, I found the spoiler tag really useful. Not a feature you get in IRC land.