teach me I'm a noob

Easy box

There was also an EAR vuln on the preprod-payroll site that offered an easy alternative auth bypass. The response size on the 302 redirect to login.php gives it away.

You see it in the index.php code at 10:16. Missing exit; statement after the header('location:login.php').

If you go to ippsec.rocks, and search "file priv SQL", you'll find a video with time stamp answering this question

That's a bad habbit to be in as it leaves the server in a much worse state than before you got on it. Forget to change it back and bash will be a privesc for the next person, even if you fixed the vulnerability that allowed you to make it SetUID. A shell in /dev/shm will be erased upon reboot and if you patch the thing that executed it and you need to re-exploit the application to trigger it as another user. It's just safer.

@@ippsec What if you copy the /bin/bash into /tmp/bash and then modify the SUID of /tmp/bash instead? Then after escalating, delete the /tmp/bash

i have the same issue

Ping against a DNS Name and look for the ICMP/DNS request.

in order for php filter to work, it needs to be at the start of the path to include. So if the include is include( "someFolder/" + $userInput), a PHP include won't work because the folder is at the start of the path.