Machine Synopsis
FluJab is a hard difficulty Linux box with many components that needs a fair amount of enumeration. The names listed in the TLS certificate yield a set of vhosts, one of which turns out to be useful. Cookie tampering gives an unauthorized user access to the SMTP configuration, which can be changed so that the application's outgoing mail is delivered to a server the attacker controls. A parameter is found to be vulnerable to UNION-based SQL injection, and the results of the injected queries show up in those emails. The database yields another vhost and a set of credentials that lead to an Ajenti management console. The console is misconfigured so that files can be read and overwritten, which is used to gain SSH access. Privileges are escalated through a SUID screen binary that is found to be vulnerable.
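The SQL injection step above is notable because the injected query's output is not rendered on the page; it arrives out of band, in the mail the application sends to whatever SMTP target the tampered configuration points at. The following added example (constructed for this page, not FluJab's application code; the sqlite3 schema, table and column names, passwords and the `confirmation_mail` helper are all assumptions) shows a UNION-based injection against a two-column lookup, the same lookup with parameter binding, and how the leaked rows would end up in a mail body.

```python
"""Added illustration of UNION-based SQL injection whose output leaks via mail.

Constructed sqlite3 demo for this page, not the application code from the box;
table names, column names and credentials below are made up.
"""
import sqlite3
from email.message import EmailMessage

# Constructed schema: a table the lookup is meant to read, and one it is not.
SCHEMA = """
CREATE TABLE appointments (id INTEGER PRIMARY KEY, patient TEXT, slot TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO appointments VALUES (1, 'A. Patient', '2019-01-01 09:00');
INSERT INTO appointments VALUES (2, 'B. Patient', '2019-01-01 10:30');
INSERT INTO users VALUES (1, 'admin', 'constructed-password-1');
INSERT INTO users VALUES (2, 'drflu', 'constructed-password-2');
"""

# Attacker-supplied parameter value: the left side of the UNION matches nothing
# (id 0 does not exist), so the result set is exactly the right side, which must
# have the same column count (two) as the original SELECT.
UNION_PAYLOAD = "0 UNION SELECT username, password FROM users"


def connect():
    """Build the in-memory demo database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, appointment_id):
    """Vulnerable form: the parameter is spliced into the SQL text."""
    sql = f"SELECT patient, slot FROM appointments WHERE id = {appointment_id}"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, appointment_id):
    """Hardened form: the parameter is bound as data and never parsed as SQL."""
    sql = "SELECT patient, slot FROM appointments WHERE id = ?"
    return conn.execute(sql, (appointment_id,)).fetchall()


def confirmation_mail(rows, recipient):
    """Model of the application mailing the query result to the configured address.

    If an attacker has pointed the SMTP configuration at their own server, this
    message, and with it the injected rows, is what they receive.
    """
    msg = EmailMessage()
    msg["To"] = recipient
    msg["Subject"] = "Appointment confirmation"
    msg.set_content("\n".join(f"{first}: {second}" for first, second in rows))
    return msg


if __name__ == "__main__":
    conn = connect()
    leaked = lookup_vulnerable(conn, UNION_PAYLOAD)
    print("vulnerable lookup with payload ->", leaked)
    print("fixed lookup with payload      ->", lookup_fixed(conn, UNION_PAYLOAD))
    print(confirmation_mail(leaked, "attacker@example.invalid"))
```

With binding, sqlite3 receives the payload as a text value and compares it against the integer `id` column, so no row matches and nothing beyond the appointments table is ever reachable; the fix is the query shape, not filtering the input.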