- `aureport`can be used for `audit.log` Blind AEN Structure: - get all 7 web flags - ftp - dns - `gitlab.inlanefreight.local` > disclosure - `dev.inlanefreight.local` > verb tampering; file upload - `careers.inlanefreight.local` > IDOR > `careers.inlanefreight.local` - `status.inlanefreight.local` > SQLi - able to enum `status` db, everything else is default - `shopdev2.inlanefreight.local` > XXE - `support.inlanefreight.local` > blind XSS; session hijacking - `ir.inlanefreight.local` > wordpress brute force; inject webshell into inactive template - able to get a webshell as `www-data` who according to `/etc/passwd` has no login shell ![[images/Pasted image 20260629211336.png]] - locked down in a docker container ![[images/Pasted image 20260629211837.png]] - - get user and root flags on all hosts - DC - get user and root flags on final host