NMAP
In images directory i found this image:
I don't find ANYTHING...
But at one point I decide to see cookies, I see a cookie saved with the name auth, I'm going to try to change the cookie with the Burpsuite repeater and I get this error "Invalid Padding"...
Looks like a Padding Oracle Attack i try with Padbuster
PADBUSTER
https://github.com/AonCyberLabs/PadBuster
It seems that this is it!
DONE :)
It's the moment to create the cookie for admin user:
I have the cookie!
I put in request and...
I'm in Admin account i have SSH id_rsa:
I try to connect with SSH:
I can execute script named backup with root permisions
I see string from this script and i see cat /etc/shadow
This is Path Hijacking...
cd /tmp
nano cat
I execute and i have root shell.
THANKS.