1- Enumeration:
First things first, we launch an nmap scan.
We only have two open ports:
22 ssh OpenSSH 7.2p2
80 http Apache httpd 2.4.18
We take a look at the website on port 80.
If you scroll down a little you will find 4 probable usernames:
- meliodas
- root
- www-data
- anonymous
So we launch a dirb scan:
After a while the scan finishes. Nothing special, except that there is a robots.txt.
I don't think this is there to keep us out of the website; it's a hint to brute-force SSH.
2- SSH bruteforce:
We launch an attack using the "meliodas" username.
And we got our password. We just need to connect and grab user.txt.
3- Privilege escalation:
Before anything else we should check our permissions.
Okay, we can run bak.py with sudo.
bak.py:
By running it, we just get a Permission denied error:
We don't have the permissions to edit the file, but we can still delete it and re-create it with our TTY spawner (the directory it lives in is writable by us, so the file's own permissions don't matter):
$ rm -rf /home/meliodas/bak.py
$ echo 'import pty; pty.spawn("/bin/sh")' > /home/meliodas/bak.py
$ sudo python /home/meliodas/bak.py
And voilà, we got root.
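The root cause here is a sudo rule whose target script sits in a directory the user owns, so read-only file permissions are no protection against unlink-and-recreate. The following audit script is an added example written for this write-up (not part of the original box or post) that an administrator can run to spot exactly that misconfiguration. It models the file system with a constructed stat table (modes, owners and the sudoers line are assumptions based on the write-up, not values taken from the box) and flags every path in a sudoers rule that the invoking user could replace; the hardened rule shows the corrected placement under a root-owned directory.

```python
"""Audit a sudoers rule for targets the invoking user can replace.

Added illustrative check, not code from the original write-up. Instead of
os.stat() it uses a constructed table so the example runs offline.
"""
import os
import stat
from typing import Dict, List, Set, Tuple

# Constructed stat table: path -> (st_mode, st_uid, st_gid).
# Modelled on the write-up: bak.py is root-owned and read-only for the
# user, but it lives inside the user's own (writable) home directory.
SAMPLE_FS: Dict[str, Tuple[int, int, int]] = {
    "/usr/bin": (stat.S_IFDIR | 0o755, 0, 0),
    "/usr/bin/python": (stat.S_IFREG | 0o755, 0, 0),
    "/home/meliodas": (stat.S_IFDIR | 0o755, 1000, 1000),
    "/home/meliodas/bak.py": (stat.S_IFREG | 0o644, 0, 0),
    "/usr/local/sbin": (stat.S_IFDIR | 0o755, 0, 0),
    "/usr/local/sbin/bak.py": (stat.S_IFREG | 0o755, 0, 0),
}
# Assumed sudoers lines (weak setting and corrected setting).
WEAK_RULE = "meliodas ALL=(ALL) NOPASSWD: /usr/bin/python /home/meliodas/bak.py"
HARDENED_RULE = "meliodas ALL=(ALL) NOPASSWD: /usr/bin/python /usr/local/sbin/bak.py"


def _has_bit(mode: int, owner_uid: int, owner_gid: int, uid: int,
             gids: Set[int], ubit: int, gbit: int, obit: int) -> bool:
    """Classic Unix permission check: owner, then group, then other."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & ubit)
    if owner_gid in gids:
        return bool(mode & gbit)
    return bool(mode & obit)


def can_replace(path: str, fs: Dict[str, Tuple[int, int, int]],
                uid: int, gids: Set[int]) -> bool:
    """True if the user can unlink and recreate `path` regardless of the
    file's own mode: needs write + search on the parent directory, and,
    when the directory has the sticky bit, ownership of file or directory."""
    parent = os.path.dirname(path) or "/"
    if parent not in fs:
        return False
    pmode, puid, pgid = fs[parent]
    if not stat.S_ISDIR(pmode):
        return False
    writable = _has_bit(pmode, puid, pgid, uid, gids,
                        stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
    searchable = _has_bit(pmode, puid, pgid, uid, gids,
                          stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
    if not (writable and searchable):
        return False
    if pmode & stat.S_ISVTX and uid != 0:
        _fmode, fuid, _fgid = fs.get(path, (0, -1, -1))
        return uid in (fuid, puid)
    return True


def parse_sudo_rule(rule: str) -> List[str]:
    """Return command and argument tokens of a single-command sudoers line.
    Skips the user/host part, the (runas) spec and TAG: words such as NOPASSWD:."""
    _lhs, rhs = rule.split("=", 1)
    return [tok for tok in rhs.split()
            if not tok.startswith("(") and not tok.endswith(":")]


def audit_rule(rule: str, fs: Dict[str, Tuple[int, int, int]],
               uid: int, gids: Set[int]) -> List[str]:
    """List every absolute path in the rule the user could swap out."""
    return [tok for tok in parse_sudo_rule(rule)
            if tok.startswith("/") and can_replace(tok, fs, uid, gids)]


if __name__ == "__main__":
    for label, rule in (("weak", WEAK_RULE), ("hardened", HARDENED_RULE)):
        findings = audit_rule(rule, SAMPLE_FS, uid=1000, gids={1000})
        print(f"{label}: replaceable targets -> {findings or 'none'}")
```

Run as a script it reports `/home/meliodas/bak.py` for the weak rule and nothing for the hardened one. The same `can_replace` logic can be pointed at a real host by building the table from `os.stat()` on the parent directory and target of each rule printed by `sudo -l`.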
Thank you for reading — 0UR4N05