Static
Static 355
RETIRED MACHINE

OS: Linux
Difficulty: Hard
Machine rating: 4.5
User owns: 1559
System owns: 1058
Released: 19/06/2021
Created by ompamo

Machine Synopsis

Static is a hard difficulty machine that features a web server running on port 8080. The website features a login page that can be easily bypassed using default credentials; however, further access to the administrative panel is obstructed by a 2FA prompt. A corrupt Gzip archive is also identified on the website and, after downloading it, its contents can be recovered. The archive holds a database backup that contains the OTP seed for the administrative user. Once the OTP seed is identified, further enumeration reveals an NTP server also running on the host. With the above information at hand, a script is created to generate a 2FA code and log in to the administrative panel. The administrative panel can be used to generate a VPN configuration, which in turn can be used to access the internal network of the remote host. By altering the routing, a new host is identified, which is also running a web server. This server is running Xdebug with remote mode enabled, which can be abused to execute commands. After a shell as `www-data` is acquired, another internal network is discovered with two more hosts. One of them is responsible for generating the VPN configuration files and does so through an Nginx installation with PHP-FPM. This installation is found to be vulnerable to a Remote Code Execution exploit, successful exploitation of which leads to a shell on the `pki` system. Privilege escalation can be achieved by exploiting a Format String vulnerability in the binary that is responsible for the VPN file generation.
