Port Scan
Web Contents Discovery
We also find other content: /rename, /torrent
When we visit the test.php.
We visit the /torrent content and find that we can upload a specific torrent file.
I tried to modify the torrent file, for example by adding some malicious commands to it, but it failed.
But we can upload screenshots to my uploaded torrent file.
We can upload an image containing malicious PHP commands, and use /rename to change the image file name.
So we can visit the PHP page and get a www-data shell.
We can enter any command to control the machine.
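A defensive check for the upload-and-rename weakness above, added here as an example (it is not code from the target application): it flags stored uploads that a server would treat as PHP and shows a rename policy that keeps the extension fixed. The function names, the suffix list and the sample files are assumptions constructed for illustration; the page does not show how the upload form or /rename actually validate input.

```python
import re

# Suffixes commonly mapped to the PHP handler (assumed list; match the server config).
PHP_SUFFIXES = {"php", "php3", "php4", "php5", "phtml", "phar"}
# Leading magic bytes of the image types a screenshot upload would accept.
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def audit_upload(name, data):
    """Return the reasons a stored upload looks like executable PHP ([] if clean)."""
    findings = []
    parts = name.lower().split(".")[1:]  # every suffix, so shot.php.png is caught
    if any(p in PHP_SUFFIXES for p in parts):
        findings.append("php-suffix")
    magic = IMAGE_MAGIC.get(parts[-1] if parts else "")
    if magic is None or not data.startswith(magic):
        findings.append("not-a-declared-image")
    if PHP_TAG.search(data):  # a valid image header does not rule out embedded code
        findings.append("php-tag-in-content")
    return findings


def rename_allowed(old, new, data):
    """Rename policy: no path separators, extension unchanged, content clean."""
    if "/" in new or "\\" in new or new.startswith("."):
        return False
    same_ext = old.lower().rsplit(".", 1)[-1] == new.lower().rsplit(".", 1)[-1]
    return same_ext and not audit_upload(new, data)


# Constructed sample files (not taken from the target machine).
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
TAGGED = PNG + b"<?php echo 'marker'; ?>"

if __name__ == "__main__":
    for name, data in [("shot.png", PNG), ("shot.png", TAGGED),
                       ("shot.php", TAGGED), ("shot.php.png", PNG)]:
        print(name, audit_upload(name, data))
    print(rename_allowed("shot.png", "shot.php", PNG))   # extension change
    print(rename_allowed("shot.png", "front.png", PNG))  # plain rename
```

The same audit can be run over an existing upload directory by reading each file and passing its name and bytes to `audit_upload`; a PHP tag inside binary data can occur by chance, so treat that finding as a prompt for review.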
Privilege escalation
We find a suspicious file in /home/george: /home/george/.cache/motd.legal-displayed
I googled MOTD Exploitation; here is what I found.
https://www.exploit-db.com/exploits/14339
We copy exp.sh from the exploit database and run it. We can get the root shell.