Getting a TGT using secretsdump for usernames found in SMB directories, and using rpcclient to change the user's password. Got a zip file that was a memory dump, and got a user's NTLM hash from it (lsass, mimikatz). Admin is then all about dumping the ntds.dit file.
The file todo.txt reveals a username. We made a custom wordlist using cewl and brute-forced the login using a custom Python script. We logged into the CMS and exploited Bludit both manually and with Metasploit, which gave us our initial shell. The file users.php reveals a hash; by cracking it we log in as hugo. Privilege escalation is all about the sudo vulnerability.
Used cewl to make a custom wordlist from the page author.html, used wfuzz to find another domain and an SQLi in add_edit_event_user.php, then used sqlmap to dump the table user_secure and got the credentials for the OpenEMR panel. Editing the file config.php and embedding a PHP reverse shell gives the initial shell as www-data. The file jquery/functionality.js contains user ash's password. The Memcached service is running locally. We get user luffy's credentials by dumping data from memcached, both by monitoring with watchers and manually. The user luffy is in the docker group. Listing the docker images showed ubuntu, and from there we spawn a root shell.
Nmap results and Gobuster reveal a robot.txt file that disallows a directory called admin-dir. Running wfuzz against it, we got two files, contacts.txt and credentials.txt, which contain an FTP username and password. Got some files from the FTP server. We found another directory, utility-scripts, and fuzzing it we got another file, adminer.php, which is running the adminer-database. By connecting our own MySQL database to Adminer we can write adminer-db data into our database, and so we got a password for user waldo. The user waldo can run a script as root. Privilege escalation is via Python library path hijacking: running the script as root, we got a root shell using a netcat bind shell.