Now I have time to write a little summary.
Enumeration is the key factor in gaining full access. There are several subtle clues that help you find the vulnerabilities. You should record every small detail and analyze it.
First stage: Information gathering
First exploit: a nice idea to implement a well-known vulnerability type in an unexpected place. You need to use a manual technique instead of the usual open-source tool. This can cause problems for people who don’t understand the essence of this attack, but it is easily solvable if you have basic manual practice in this area.
Second “exploit”: this is an old-school reconnaissance method, based on a configuration vulnerability which is very rare in modern environments, but I met it about 15 years ago.
Second stage: Initial foothold
This phase is based on a very original idea and answers why the machine maker chose “Scavenger” as the name of the box. You need to run the usual web enumeration process and spot something strange.
Third exploit: after you find that strange thing, you need to do some fuzzing. If it is successful, you will have limited remote access to the box.
Third stage: More enumeration
This is the typical “cd subdir; ls -la;” loop. Check all directories that you can access and search for sensitive information. After you find that information, it will be obvious what you have to do. If you do it, you will have access to a very important data source. Analyze it! You can use Google to find details about those things.
Fourth stage: User access
Fourth exploit: this is a public exploit, which is a module of a well-known penetration testing framework. The execution of this exploit is very slow, and you need to configure a timeout parameter and change the payload to run it successfully. I used this exploit to gain limited remote access in the name of another user.
Fifth stage: Root access
Using the new remote access opportunity, and based on the information enumerated in the third stage, you can find an important executable. You can download it easily and perform basic reverse engineering to recover the “magic” word. Once you have that word, a single line of instructions is enough to get the contents of root.txt.
Bonus stage: Unlimited root access
Only two commands are needed to get a root SSH connection to the box. If you execute them, do not forget to reset the machine.