Ok, that box was extremely difficult. I have done a similar attack on a pentest as is required to get root on this, but it was still a challenge.
Recommendations: User:
- Just because you can’t ssh like you normally do doesn’t mean you can’t use ssh.
- You need to be able to read code. When you find a place to upload something, that is the right path, but you need to modify the URL that you are posting to in order to make this work. It should be relatively clear by reading the code of the page as to what is expected in the request, so make the URL match that.
Root:
- If you see you can do a few elevated commands, that is correct; you need to find a way to leverage those commands to get an RCE.
- Read about the server that the commands you can execute interact with and look at creating one of your own.