All in One
Initial nmap scan to find open ports, using the -Pn flag ("treat all hosts as alive"):
Detailed nmap scan:
Let's look at FTP as anonymous.
Login is allowed.
There is nothing on the FTP server, so let's look at the webserver.
It's an Apache2 default page. Let's run gobuster to look for hidden directories.
Let's check these directories out, starting with /wordpress.
It's a WordPress site. We can explore this, but first let's look at the other directory we found.
There is nothing interesting. Let's look at the source code; scrolling down, we see something interesting.
It looks like a cipher. Let's crack it.
It looks like a password, but we do not have a username to log in through SSH.
Let's go back to the WordPress site. We have the username elyana, but the password is not the right one.
Let's run wpscan to find information about this site.
Looking through the output, we see 2 vulnerabilities.
We have an LFI vulnerability and an Arbitrary File Upload vulnerability. Let's first log in with the credentials we found.
Once logged in, we can go to Appearance > Theme Editor, replace the 404.php file with a reverse shell and click update.
Once we do that, we have to start a netcat listener.
Now we visit this URL to get the reverse shell.
Let's stabilize the shell.
Let's look at the files.
So the password for the user Elyana is hidden on the system.
Let's find all the files that belong to the user elyana.
This is an interesting file, let's read it.
We have the username and password, so let's log in through SSH.
We can now read the user flag.
It looks like it is encoded, so let's decode it.
Let's run sudo -l.
It looks like we can run socat as sudo. Let's go to GTFOBins and get the command to escalate privileges to root.
We are root. We can read the root flag.
Let's decode this.
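
A defender-side check for the misconfiguration found at the sudo -l step, added here as an example and not part of the original walkthrough: it parses sudo -l output and flags rules that grant a shell-capable binary. The sample output, the binary paths, the host name and the short binary list are constructed assumptions, not values from the box.

```python
import re

# Assumption: a small hand-picked subset of binaries that GTFOBins lists as
# able to start a shell under sudo; extend it from your own review.
SHELL_CAPABLE = {"socat", "vim", "find", "awk", "less", "perl", "python3", "env"}

# Constructed sample of `sudo -l` output; host name and paths are assumptions.
SAMPLE = """\
Matching Defaults entries for elyana on host:
    env_reset, mail_badpass

User elyana may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/socat
    (root) /sbin/reboot, NOPASSWD: /usr/bin/less /var/log/syslog
"""

RULE = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")   # "(runas) [TAG:] cmd, cmd"
TAG = re.compile(r"^([A-Z_]+):\s*")            # NOPASSWD:, PASSWD:, NOEXEC: ...


def audit_sudo_listing(text):
    """Return one finding per sudo rule that grants a shell-capable binary."""
    findings = []
    for line in text.splitlines():
        rule = RULE.match(line)
        if not rule:
            continue                    # headers and Defaults lines
        runas, tags = rule.group(1), set()
        # sudoers escapes literal commas in arguments as "\,"
        for cmd in re.split(r"(?<!\\),", rule.group(2)):
            cmd = cmd.strip()
            while (tag := TAG.match(cmd)):   # a tag also applies to later commands
                # PASSWD / EXEC cancel an earlier NOPASSWD / NOEXEC
                tags.discard({"PASSWD": "NOPASSWD", "EXEC": "NOEXEC"}.get(tag.group(1)))
                tags.add(tag.group(1))
                cmd = cmd[tag.end():]
            if not cmd:
                continue
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or name in SHELL_CAPABLE:
                # NOEXEC is recorded because it blunts shell escapes
                findings.append({"command": cmd, "runas": runas,
                                 "nopasswd": "NOPASSWD" in tags,
                                 "noexec": "NOEXEC" in tags})
    return findings
```

Feed it the real output of sudo -l -U for each account during a host review; any finding with nopasswd set and noexec unset deserves a closer look at whether the rule is needed at all.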