We will start here just right after the boot:
So - as usual - quick portscan:
After googling for "Node.js Express framework exploit" I found this interesting post:
Then I used Burp to prepare a payload:
I started preparing a final payload using venome.sh:
Checking with Burp:
Small poc in action:
...and we should be somewhere here:
Now, I started enumerating OS:
More, to find other user(s):
Unfortunately there was now 'active' fireman user... :| (*bug or I'm missing something?)
I tried few more options...
I think 'the bug' (according to some "resources available online") is here (but correct me if I'm wrong please):
So... This CTF will be continued as soon as I will figure out what next should be done to r00t it... ;)
(* if you have any hints - feel free to leave a comment or drop me an email/@msg. thanks)
See you next time.