Prerequisites for this machine:-

• Basic Nmap knowledge
• Familiarity with web enumeration using ffuf, dirb, gobuster etc..
• Basic Linux knowledge

‍

Enumeration

‍

‍

Performing a standard nmap scan shows 2 open ports, 80 and 22, meaning that the machine is running a web server and ssh.

Navigating to the website gives us a default Apache2 web page.

‍

‍

Nothing interesting there, however once we check the page’s source code, we find the name “jessie” left in an HTML comment, which could help us login through ssh.

‍

‍

After enumerating the website using ffuf, we get one interesting page; “/sitemap”.

‍

‍

But after checking it out, there seems to be nothing of interest to us on the webpage.

‍

‍

So, let’s enumerate this page using dirb!

‍

‍

That gives us one very interesting directory; “/.ssh”.

Let’s check it!

‍

‍

And lucky us, we got an id_rsa file (ssh key), let’s download it so we can use it to ssh into the machine as the user “jessie”.

But before we can use it, we need to change its permissions to 600.

‍

‍

Et voilà! We have a shell.

‍

First flag

To get the first flag, we’ve got to do some exploring. The user flag is in the “/Documents” directory.

‍

‍

Final flag

Once we check what we can run with sudo, we see “wget”.

‍

‍

Referring to gtfobins, we can use wget with sudo to send a file to our attacker machine. In this case, we’ll use it to send the root flag.

Start a netcat listener on the attacker machine.

‍

‍

And on jessie’s machine, we can use wget to send the file “/root/root_flag.txt”.

‍

‍

Back on our attacker machine, we get the root flag!

‍