Enumeration

Nmap

The initial nmap scan revealed that the HTTP and SSH ports were open.

00 - nmap

Web Enumeration

The website was just showing a header and an image.

01 - simple website

Then I applied directory brute forcing and found some endpoints.

02 - ffuf

None of the endpoints were useful (rabbit holes). Then I checked robots.txt and found the find_me endpoint.

03 - robots txt

It included a double base64-encoded comment.

04 - find_me file

I double decoded it. It showed a QR code. Then, using the ‘zbarimg’ tool, I decoded the QR code. It showed a password.

05 - double decode

06 - qr code

The password was useless: I tried different usernames with this password against SSH and it did not work. Then I applied directory brute forcing with a larger list and found the ‘bulma’ endpoint.

07 - bulma

Exploitation

The endpoint included a wav file.

08 - hahaha

The audio carried a message in Morse code. So I found an online Morse decoder and ran it. It showed the message, which included a username and password.

09 - user and pass

So using this information I got the SSH shell.

10 - got the user

Privilege Escalation

I ran linpeas.sh on the target machine. It showed that the /etc/passwd file was writable by the current user.

11 - linpeas

So I can either update the root entry or add another entry and set its UID to 0 to make it root.

I did the second one and ran the below command:

pw=$(openssl passwd password); echo "r00t:${pw}:0:0:root:/root:/bin/bash" >> /etc/passwd

12 - etc passwd update

After that, I simply got root.

13 - root
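
For the defensive side of this step, the following added example (not part of the original write-up) audits a passwd-format file for what made the escalation possible: a file writable by group or others, a second UID-0 account, and a password hash stored in the passwd file itself. The function name, finding labels and sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a passwd-format file for
# the conditions abused above. Prints one finding per line; returns 1 if any.
audit_passwd() {
    file=$1
    findings=$(
        # Characters 6 and 9 of the ls mode string are group/other write bits.
        case $(ls -ld "$file" | cut -c6,9) in
            *w*) echo "PERM $file is writable by group or others" ;;
        esac
        awk -F: '
            /^[ \t]*(#|$)/ { next }                         # skip comments/blank lines
            $3 == 0 && $1 != "root" { print "UID0 " $1 }    # extra superuser account
            $2 == ""                { print "EMPTYPW " $1 } # no password required
            $2 != "" && $2 != "x" && $2 != "*" && $2 != "!" { print "HASH " $1 }
        ' "$file"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: a world-writable copy with an appended UID-0 entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
r00t:CONSTRUCTED_HASH:0:0:root:/root:/bin/bash
EOF
chmod 666 "$sample"

audit_passwd "$sample" || echo "Fix: chown root:root, chmod 644, remove flagged entries"
```

On a live host, call audit_passwd /etc/passwd from a scheduled job and alert on a non-zero return.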

