Noob

When the machine starts, it already shows us its IP.

We perform a quick Nmap scan and observe that there are two open ports, 22 and 65530.

sudo nmap -sS -p- --min-rate 4500 -n -Pn -vvv 192.168.18.179

Now we will conduct a more detailed scan for those ports.

nmap -sCV -p22,65530 -n -Pn -vvv 192.168.18.179 -oN target

We can see that port 65530 hosts a website. We enter and observe the following:

We observe that the page is not found. So, I decide to discover directories and files using Gobuster.

Upon entering /index, we don't see anything significant. It just tells us that we are close.

But if we access /nt4share, we can obtain key information for accessing the victim machine. First, we enter the .ssh/ directory.

Opening the authorized_keys file gives us the username adela. The id_rsa file can be downloaded as well; it is the user's private key, so we can use it to access the victim machine via SSH without knowing adela's password.

So, as mentioned earlier, we download the id_rsa, give it the necessary permissions, and access:

wget http://192.168.18.179:65530/nt4share/.ssh/id_rsa
chmod 600 id_rsa
ssh -i id_rsa adela@192.168.18.179

There are only two users: adela and root.

Later, after attempting various privilege escalation methods without success, we discover that we can create symbolic links to any directory and gain access without any issues. So, I decide to create a symbolic link named root that points to the /root directory.

From the web, we can see the new directory we created, named root.

We enter, and now we can obtain both the user flag and the root flag. However, I don't want to stop here, so let's escalate to the root user.

To do that, we do the same as we did with adela: enter the .ssh folder, download its id_rsa, grant permissions (600), and access:

Now we can indeed say that the machine is completed.
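Both findings in this walkthrough (a private key served under /nt4share/.ssh/ and a symbolic link that exposes a directory outside the shared folder) can be caught by auditing the served directory from the defender's side. The following is an added example, not part of the original write-up: the function names, finding labels and the sample layout built in a temporary directory are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

KEY_HEADERS = (b"-----BEGIN OPENSSH PRIVATE KEY-----",
               b"-----BEGIN RSA PRIVATE KEY-----",
               b"-----BEGIN PRIVATE KEY-----")

def audit_webroot(root):
    """Return sorted (finding, relative_path) tuples for a served directory."""
    root = Path(os.path.realpath(root))
    findings = set()
    # followlinks=False: links are reported, never descended into.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = Path(dirpath, name)
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                # A link whose real target is outside the web root exposes
                # whatever the server's account can read there (e.g. /root).
                target = Path(os.path.realpath(path))
                if root != target and root not in target.parents:
                    findings.add(("symlink-escapes-webroot", rel))
            elif path.is_dir():
                if name == ".ssh":
                    findings.add(("ssh-dir-served", rel))
            else:
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(64)
                except OSError:
                    continue  # unreadable by the auditor; skip it
                if head.startswith(KEY_HEADERS):
                    findings.add(("private-key-served", rel))
    return sorted(findings)

def demo():
    """Build a constructed layout mirroring the walkthrough and audit it."""
    with tempfile.TemporaryDirectory() as base:
        ssh = Path(base, "webroot", "nt4share", ".ssh")
        ssh.mkdir(parents=True)
        (ssh / "id_rsa").write_bytes(KEY_HEADERS[0] + b"\nconstructed placeholder\n")
        (ssh / "authorized_keys").write_text("ssh-rsa CONSTRUCTED adela@noob\n")
        outside = Path(base, "outside")  # constructed stand-in for /root
        outside.mkdir()
        os.symlink(outside, ssh.parent / "root")
        return audit_webroot(Path(base, "webroot"))

if __name__ == "__main__":
    for finding, rel in demo():
        print(f"{finding:26} {rel}")
```

Run against the real document root as the account the web server uses, so the result reflects what that account can actually read.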
