Nmap

‍

We'll start off with an Nmap scan:-

• 21 - ftp
• 22 - ssh
• 80 - http

‍

‍

Getting the user flag

‍

Starting off with the easiest thing to check.. the website.

We see a default Apache2 page.

‍

‍

So it's time to enumerate using ffuf, and we discover /assets.

‍

‍

Navigating to /assets, we discover 2 files, the RickRolled.mp4 file is exactly what you expect...

‍

‍

However, the style.css file reveals another directory.

‍

‍

Word of advice, do not turn off JavaScript as the site says.. try it out if you don't trust me.

‍

‍

After discovering this directory, we launch Burpsuite to intercept the request and send it to repeater.

‍

‍

And from there we discover another directory.

‍

Navigating to it we get an image.

‍

‍

Use wget to download the image, and lets check it with strings.

‍

‍

Awesome! We finally got something to use with the open FTP port.

‍

It's time to use hydra to brute force the ftp login as "ftpuser".

‍

‍

Once that's done, we login via FTP and download the file "Eli's_Creds.txt"

‍

‍

Looking at the contents of the file, it might look like gibberish, but I've seen this language before, it's BrainFuck.

‍

‍

Yes, this is an actual programming language, and we can decode this by using this website.

‍

‍

So, we've now got a second pair of credentials, and we can use this to ssh into the machine.

‍

‍

Once we've logged in, we see a message that points us to the directory "s3cr3t" but we have to find it first.

‍

‍

And yet again, we get the password for the user "gwendoline".

‍

The user flag is in $HOME.

‍

‍

Getting the root flag

‍

Checking what we can run with sudo using "sudo -l" results in a dead end.

‍

‍

And all other privesc checks lead nowhere, so I checked the version of sudo that's running and looked for a privesc technique.

‍

‍

This exploit allows us to launch vi as root and edit the user.txt file, from there we can type in ":!/bin/bash" to spawn a root shell.

‍

‍

And that's it! We're root and we can cat the flag at /root/root.txt

‍