HackMyVM-Pwned

ARZ101
Jan 13, 2021

NMAP

Nmap scan report for 192.168.1.7
Host is up (0.00020s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
| 256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_ 256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Pwned....!!
MAC Address: 08:00:27:56:AD:A9 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.73 seconds

PORT 80

Looking at the source, we can see a comment at the bottom of the page.

I ran gobuster.

From fuzzing the directories, /nothing actually led me to nothing.

However, /hidden_text was interesting.

It looked like a word list, or maybe these directories exist on the machine. So using this word list, it came back with a pwned.vuln file.

Looking at the source code again

These were in fact credentials for the FTP server.

The note says

Wow you are here ariana won't happy about this note sorry ariana :(

This private key belongs to user ariana, so we can SSH into the box with it.

Run sudo -l to see what we can run as root or as another user.

Transfer linpeas to the box.

Right at the start it says that the user is in the docker group and we can privesc by abusing it.

Visiting GTFOBins for any privesc on docker

And we are root !!!
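
The linpeas finding above comes down to the fact that membership of the docker group is equivalent to root on the host. As an added example (not part of the original write-up), this shell function audits group and passwd files for accounts that hold that access, either as supplementary members or through their primary GID; every sample entry except the user name ariana is constructed.

```shell
#!/bin/sh
# Added example: list accounts whose docker group membership makes them
# root-equivalent. Paths are parameters so copies of the files can be audited.

# docker_group_members [GROUP_FILE] [PASSWD_FILE]
# Prints one username per line: supplementary members of "docker" plus any
# account whose primary GID is the docker GID. root itself is skipped.
docker_group_members() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    awk -F: '
        # First file, group(5) format: name:passwd:gid:member,member
        FILENAME == ARGV[1] {
            if ($1 == "docker") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        # Second file, passwd(5) format: name:passwd:uid:gid:...
        gid != "" && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) if (u != "root") print u }
    ' "$group_file" "$passwd_file" | sort
}

# Constructed sample data (not taken from the target machine).
sample_run() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:' 'docker:x:998:ariana' > "$tmp/group"
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' \
        'ariana:x:1000:1000::/home/ariana:/bin/bash' \
        'buildsvc:x:1001:998::/home/buildsvc:/bin/sh' > "$tmp/passwd"
    docker_group_members "$tmp/group" "$tmp/passwd"
    rm -rf "$tmp"
}
sample_run
```

Called with no arguments, the function reads /etc/group and /etc/passwd on the host being audited; any name it prints should be treated as having root.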
