- Directory brute forcing exposes a page intended only to be found after authentication. This page is a web shell and allows Arbitrary Remote Code Execution.
- A private SSH key was found and allowed a remote SSH connection to be made.
- Poor sudo configuration allows the low-level user to run /bin/vi as root without password.
- Vi can spawn a shell; since it was run with sudo, the spawned shell is in context of root user.
- Instead of a root.txt flag, there is a root.py script with an encrypted flag. The key to decrypt can be found in the web server directory.
Sudo misconfiguration allows the low privilege user to run /bin/vi as root without password.
Can escape vi and spawn a shell as root (https://gtfobins.github.io/gtfobins/vi/#sudo)