Noob

When the machine starts, it displays its IP address.

IP of the victim machine

We perform a quick Nmap scan of all TCP ports and observe that 2 ports are open: 22 and 65530.

sudo nmap -sS -p- --min-rate 4500 -n -Pn -vvv 192.168.18.179
Open ports

Now we run a more detailed scan (default scripts and version detection) against those two ports.

nmap -sCV -p22,65530 -n -Pn -vvv 192.168.18.179 -oN target
Detailed scan of the two ports

We can see that port 65530 hosts a website. We open it in the browser and observe the following:

The server reports that the page is not found, so I decide to enumerate directories and files with Gobuster.

Upon entering /index, we don't see anything significant. It just tells us that we are close.

View of the /index directory

But if we access /nt4share, we can obtain key information for accessing the victim machine. First, we enter the .ssh/ directory.

View of the /nt4share directory

Opening the authorized_keys file reveals the username adela. The id_rsa file in the same directory is that user's private key, and the web server lets us download it. With this key we can log in to the victim machine over SSH as adela without knowing her password.

View of the .ssh directory
We found the user adela
We obtain the id_rsa of adela

So, as mentioned earlier, we download the id_rsa, restrict its permissions to 600 (SSH refuses private keys that other users can read), and log in:

wget http://192.168.18.179:65530/nt4share/.ssh/id_rsa
chmod 600 id_rsa
ssh -i id_rsa adela@192.168.18.179
We are now adela

There are only two users: adela and root.

Users in the victim machine

After trying several privilege escalation methods without success, we discover that we can create symbolic links to any directory and then access the target through them without any issues. So I create a symbolic link named root that points to the /root directory.

We create a symbolic link pointing to the /root directory.

From the web, we can see the new directory we created, named root.

We enter, and now we can obtain both the user flag and the root flag. However, I don't want to stop here, so let's escalate to the root user.

User flag and Root flag

To do that, we repeat what we did with adela: enter the .ssh folder, download its id_rsa, set its permissions to 600, and log in over SSH:

We are root

Now we can indeed say that the machine is completed.
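
Both footholds above come from the same misconfiguration: the web server publishes a home directory, .ssh folder included, and follows symbolic links that point outside it. The following audit script is an added example, not part of the original write-up; the function names and the sample layout it builds (fake key contents, a temporary directory standing in for the served folder) are assumptions made for illustration.

```python
import os
import tempfile

SENSITIVE_NAMES = {"id_rsa", "id_ed25519", "id_ecdsa", "authorized_keys"}
KEY_MARKER = b"PRIVATE KEY-----"  # tail of PEM/OpenSSH private key headers


def audit_webroot(root):
    """Return sorted (kind, relative_path) findings for a served directory."""
    root_real = os.path.realpath(root)
    findings = set()
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root_real, target]) != root_real:
                    findings.add(("symlink-escape", rel))  # leaves the docroot
                continue
            if not os.path.isfile(path):
                continue
            if name in SENSITIVE_NAMES or ".ssh" in rel.split(os.sep):
                findings.add(("ssh-material", rel))
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue  # unreadable by the auditing user
            if KEY_MARKER in head:
                findings.add(("private-key", rel))
    return sorted(findings)


def build_sample(base):  # constructed layout modelled on the write-up
    served = os.path.join(base, "nt4share")
    os.makedirs(os.path.join(served, ".ssh"))
    os.makedirs(os.path.join(base, "root"))
    files = {".ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(fake)\n",
             ".ssh/authorized_keys": "ssh-rsa AAAA(fake) adela@example\n"}
    for rel, body in files.items():
        with open(os.path.join(served, rel), "w") as fh:
            fh.write(body)
    os.symlink(os.path.join(base, "root"), os.path.join(served, "root"))
    return served


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit_webroot(build_sample(tmp)), sep="\n")
```

Pointed at the directory a web server actually publishes, a `private-key` or `ssh-material` finding corresponds to the adela step, and a `symlink-escape` finding corresponds to the link to /root.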
