Nmap
We'll start off with an Nmap scan, which shows three open ports:
- 21 - ftp
- 22 - ssh
- 80 - http
![](https://assets-global.website-files.com/65253d038bc23c6041109654/6540067c1dfb7e3267bddfc7_yotr1.png)
Getting the user flag
Starting off with the easiest thing to check: the website.
We see a default Apache2 page.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/654007345420a3364e1ed35d_yotr2.png)
So it's time to enumerate directories using ffuf, and we discover /assets.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/654007b780da459054a01a71_yotr3.png)
Navigating to /assets, we discover two files; the RickRolled.mp4 file is exactly what you'd expect...
![](https://assets-global.website-files.com/65253d038bc23c6041109654/654007e884c2bcd680e76ee0_yotr4.png)
However, the style.css file reveals another directory.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/6540089684c2bcd680e7d900_yotr5.png)
Word of advice: do not turn off JavaScript as the site tells you to. Try it out if you don't trust me.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/654008c65caac2c61146a1de_yotr6.png)
After discovering this directory, we launch Burp Suite to intercept the request and send it to Repeater.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65400a4fd4cd8ab36bf68e0a_yotr7.png)
From there we discover another directory.
Navigating to it, we get an image.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65400aa1d3ef387a53f3d03e_yotr8.png)
We use wget to download the image, and then check it with strings.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65400b00d0a1853d5aa0caa7_yotr9.png)
Awesome! We finally got something to use with the open FTP port.
It's time to use hydra to brute-force the FTP login as "ftpuser".
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65402335845b9f83d0d8d33f_yotr10.jpeg)
Once that's done, we log in via FTP and download the file "Eli's_Creds.txt".
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65400bdad6509fe917bebea6_yotr11.png)
Looking at the contents of the file, it might look like gibberish, but I've seen this language before: it's Brainfuck.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65400c19282b13e017c3cc39_yotr12.png)
Yes, this is an actual programming language, and we can decode it using this website.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65402342b4b8058a9a2c37af_yotr13.jpeg)
So we've now got a second pair of credentials, and we can use them to SSH into the machine.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65400d4cda9fb3de1f8960be_yotr14.png)
Once we've logged in, we see a message that points us to the directory "s3cr3t", but we have to find it first.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/654023500cb20fde856c7b84_yotr15.jpeg)
And yet again, we get a password, this time for the user "gwendoline".
The user flag is in that user's $HOME.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/6540235af2beaac23f409956_yotr16.jpeg)
Getting the root flag
Checking what we can run with sudo using "sudo -l" results in a dead end.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65400e8b282b13e017c5dc7b_yotr17.png)
All the other privesc checks lead nowhere, so I checked the version of sudo that's running and looked for a privesc technique matching it.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/654010295caac2c6114b9942_yotr18.png)
This exploit allows us to launch vi as root and edit the user.txt file; from there we can type ":!/bin/bash" to spawn a root shell.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65401066cb183544b64d228e_yotr19.png)
And that's it! We're root and can cat the flag at /root/root.txt.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/6540236f124aff74a4c8ea07_yotr20.jpeg)