- `aureport` can be used for `audit.log`
Blind AEN Structure:
- get all 7 web flags
- ftp
- dns
- `gitlab.inlanefreight.local` > disclosure
- `dev.inlanefreight.local` > verb tampering; file upload
- `careers.inlanefreight.local` > IDOR > `careers.inlanefreight.local`
- `status.inlanefreight.local` > SQLi
- able to enum `status` db, everything else is default
- `shopdev2.inlanefreight.local` > XXE
- `support.inlanefreight.local` > blind XSS; session hijacking
- `ir.inlanefreight.local` > WordPress brute force; inject webshell into inactive template
- able to get a webshell as `www-data`, who according to `/etc/passwd` has no login shell ![[images/Pasted image 20260629211336.png]]
- locked down in a Docker container ![[images/Pasted image 20260629211837.png]]
- get user and root flags on all hosts
- DC
- get user and root flags on final host