Well I’m seriously stuck on this box. I got to a shell through some methods I don’t want to spoil here for those who have no RCE yet (there are more than enough hints for how to achieve it already posted here). But the hints “look at what you have available” and “box has been hacked recently” don’t help me at all. Either somebody before me removed something on this particular machine or this mysterious “available thing” is buried somewhere very weird where I definitely can’t find it. (This part makes me want to issue a reset just to “be sure” nobody messed with it…)
I found that some packages on the box are vulnerable to certain CVEs but one might take almost 24 hours to trigger and the other over an hour on x86_64. So these can’t be seriously the ways to user pwn. Root maybe. But user? I don’t want to wait almost 24 hours only to find out that the sploit didn’t work… any serious hints where to look at with my shell?
/Edit:
After a very useful hint from @dr0ctag0n regarding MySQL grants (sqlmap omitted some crucial ones and I didn’t verify it by hand…) I was able to get user and finally root. If I hadn’t believed in sqlmaps output I would’ve gotten user way faster. root is totally WTF or “weird af”… something I have never seen in the wild as an admin.