Step 2:- Create an account here
Step 3:-Login to the created account
Step 4:- This page is vulnerble to XSS, so I found the RCE payload.
Step 5:-After running RCE Payload i find reverse shell by netcat !
Step 6:- Try to print the content of user.txt .Cat the user.txt denied because we are not super user on shaun
Step 7:- So after searching the machine I found the log file in which apache2 folder have a backup so I cat it and found the password for shaun.
Step 8:- Find the password for shun user !
Step 9:- Switch to shun user and find the user flag successfully !
Step 10:-I tried to login as sudo shaun but no luck!
Step 11:- Machine was running splunkd so I found the privelge escalation github tool.
Step 12:- Download Splunk into local machine!
Step 13:- Run Splunk tool and get root access !