Executive Summary

This was a quick little box. A couple of hints on the webpage let us brute-force a user's SSH password, and then we replace a Python script that we are allowed to run as root.

Technical Details

Enumeration

OK! Let's take the classic approach. First, enumerate the ports! All of them, just to be sure. I break the scans up into 10k sections to make it go a little faster. The only open ports we find are 22 and 80. A classic set-up.

Let's use gobuster!! Again, not much info, just robots.txt and images. In robots.txt there is a hint. It says rockyou. Ah, the classic.

If we go to the webpage itself, we can see that there are comments made by a few users.

Meliodas, www-data, root, anonymous

OK, let's do some brute-forcing.

hydra -l meliodas -P rockyou.txt 10.10.92.70 -t 64 ssh

Bing bong - we get a user and pass.

Initial Foothold

SSH to get into the user directory and read the flag.

Lateral Movement

sudo -l shows that we can run a Python script in our directory as root. Don't even read that script: the directory is ours, so just delete it and replace it with a Python reverse shell.

Priv Esc

Set up an nc listener on your box and run the script as root. gg
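
The root step works only because the sudo rule points at a file inside a directory the user controls. As an added example (not part of the original write-up), this audit takes lines of sudo -l output and flags every path whose file or containing directory is owned or writable by an untrusted account. The sample rule and its script path are constructed, and the function names are hypothetical.

```python
import os
import stat

def paths_in_sudo_rule(rule):
    """Return the absolute paths named in one 'sudo -l' command line."""
    return [tok.rstrip(",") for tok in rule.split() if tok.startswith("/")]

def replaceable_by(path, trusted_uids=frozenset({0})):
    """Reasons an untrusted account could swap the file at `path`.

    Checks the file and the directory that holds it: write access to the
    directory is enough to delete and recreate the file, whatever the
    file's own mode says. Any group or other write bit is flagged.
    """
    reasons = []
    parent = os.path.dirname(os.path.abspath(path))
    for target in (path, parent):
        try:
            st = os.stat(target)
        except OSError:
            continue  # missing or unreadable: nothing to inspect here
        if st.st_uid not in trusted_uids:
            reasons.append(f"{target}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append(f"{target}: group/other writable")
    return reasons

def audit(sudo_l_lines, trusted_uids=frozenset({0})):
    """Map each path in the sudo rules to the reasons it is unsafe."""
    findings = {}
    for line in sudo_l_lines:
        for path in paths_in_sudo_rule(line):
            reasons = replaceable_by(path, trusted_uids)
            if reasons:
                findings[path] = reasons
    return findings

if __name__ == "__main__":
    # Constructed sample rule; the script path is a placeholder.
    sample = ["    (ALL) NOPASSWD: /usr/bin/python3 /home/meliodas/script.py"]
    for path, reasons in audit(sample).items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

Any finding means the rule should point at a root-owned script in a root-owned directory instead.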