/cgi-binis definitely something we want to check out. This is a directory where sysadmins can place scripts to be executed. That means we could find php, python, bash, etc scripts in here that we could abuse. Lets dig deeper into this directory with another gobuster scan, this time with a more extensive extension check.
user.shwe get the following:
cgi-bindirectory, and the name is
shockershellshock is a good bet. We can test this by adding a malicious HTTP Header with curl and execute a reverse shell:
user.txtflag. Now time for some privesc.
sudo -lto see if our current user has sudo access without specifying a password. Lo and behold, we strike gold:
/bin/bashprocess as the root user and obtain the root flag: