NMAP

Nmap scan report for 192.168.1.7
Host is up (0.00020s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
| 256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_ 256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Pwned....!!
MAC Address: 08:00:27:56:AD:A9 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.73 seconds

PORT 80

Looking at the source we can see a comment at the bottom of the page

I ran gobuster

From fuzzing the directories /nothing led me to actually nothing

However /hidden_text was interesting.

Which was like word list or maybe there directories exists on the machine.So using this word list it came back with a pwned.vuln file

Looking at the source code again

These were in fact credentials for ftp server

The note says

Wow you are here ariana won't happy about this note sorry ariana :(

This is private key belongs to user ariana so we can ssh into the box with this.

Run sudo -l to see what we can run as root or as other user

Transfer linpeas on the box

Right at the start it says that the user is docker group and we can privesc abusing it

Visting GTFOBINS for any privesc on docker

And we are root !!!

BS CS undergraduate | CTF Player