Machine Synopsis
Pollution is a challenging Linux machine with several intricate and sophisticated vulnerabilities to exploit: XXE, LFI leveraged into RCE, and prototype pollution. Initially, we gain a foothold shell as user `www-data` by reading critical files through XXE and then leveraging LFI to gain RCE. Next, we discover that `php-fpm` is running as user `victor` on an internal port of the remote host, which can be leveraged to move laterally from `www-data` to `victor`. Finally, we escalate privileges to user `root` by exploiting prototype pollution on an internal Node.js service.
Machine Matrix