CengBox:2 Vulnhub Walkthrough
Here is my write-up for Cengbox:2 vulnerable machine , an intermediate level machine which can be downloaded from vulnhub.
There are two methods for privilege escalation and we will cover the first and easy one because I really don't like msfconsole sometimes.
walkthrough
IP of the target : 192.168.43.175
as usual we start with nmap to find open ports and running services using the command
sudo nmap -sC -sV -Pn -p- 192.168.43.175

nmap result looks interesting , lets try anonymous login in FTP :)
and we found a note.txt file we downloaded the file in our local system using get command and now lets try to read the content of the file.

we have gained some useful information from this message
users : Kevin and Aaron
Password : default password ( we can try some common passwords)
domain name : ceng-company.vm
so we edit the /etc/hosts file as 192.168.43.175 ceng-company.vm

this is what we have on port 80 , nothing useful :( , now we can think of directory bruteforce using the command
wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt -t 25 --hc 404 http://ceng-company.vm/FUZZ

but unfortunately we have nothing here too.
If we remember the message from note.txt file then we found that ceng-company.vm is a domain , what if there is a subdomain? , okay to find that we ae going to use gobuster
gobuster vhost -u ceng-company.vm -w /usr/share/wordlists/dirb/big.txt

most of them have returned code 400 but two subdomain have returned code 403 , we again edit the /etc/hosts file as 192.168.43.175 admin.ceng-company.vm

okay now it's time for directory bruteforce again :)

okay lets open this directory .
This looks like a CMS and without wasting time the we start searching for some common login webpage like /admin or /login and we found both .

you can find these login pages using directory bruteforce also , but trying some common names revealed the login page so I didn't go for the bruteforce :)
Here is little bit of guess work to get the correct email and password
username : Kevin@ceng-company.vm
password : ***** ( #Try_Harder)
and using these credentials we are in as user Kevin , now by some manual searching we found that we can edit some php files .
Content->File Manager->index.php .
we edit this file with pentestmonkey php reverse shell and started a listener on the specified port and after refreshing the page we get the reverse shell.

okay now lets refresh the page and done we are in as user www-data :)

now we checked for user privileges using command sudo -l.

okay lets run this bash script as user swartz.
sudo -u swartz /home/swartz/runphp.sh