-> We start solving the machine by first finding its ip using netdiscover.
-> In the next step, we do an nmap scan and the nmap results are as follows.
-> As a result of Nmap scan, we see that port 80 is open and visit 10.0.2.14 page and examine the page source.
-> Here, we see that a module is written in the form of a comment line, and we discover that there is a directory traversal vulnerability and we add the following code After adding this code "php://filter/convert.base64-encode/resource=index" we get a base64 encrypted code.
-> After decoding this incoming code, a user's password appears.
-> We connect as user "mamadou" via ssh connection with this password.
-> When we enter the machine, we see that basic linux commands are not running on the console and we realize that only python commands are running, so we open a shell using the "import pty pty.spawn("/bin/bash")" command.
-> As user Mamadou we get our first flag.
-> Then, to get flag2, one of our other flags, we go to the file location where flag2.txt is and try to get it, but we see that we do not have the authority.
-> We realize that we need to be a devops user to get this flag, and we are looking for files belonging to the devops user, and as a result, one file attracts our attention.
-> We are trying to get a reverse shell with this file we found and we are editing the content of this file.
-> After we write our reverse shell, we listen with nc and run this python file and we get our devops user's shell and also flag2.
-> It remains to be root, for this, we run the "sudo -l" command and find which files we can run as the devops user with root authority, and we see that one of these files is the "/usr/bin/pip" command and "https://github.com/0x00 -0x00/FakePip" After pulling the file named FakePip from this address, we make some edits to the "setup.py" file.
-> As the last step, after listening with nc, we run the "setup.py" file and get our last flag as root.