nmap -sV 10.129.228.42
Port 80 is open. Let's check it by entering the IP address in our browser.
gobuster dir -w /usr/share/dirb/wordlists/common.txt -u 10.129.228.42
Now let's open our browser again and check:
10.129.228.42/data 10.129.228.42/ip 10.129.228.42/netstat
10.129.228.42/data seems interesting. I tried several combinations but found something interesting with 10.129.228.42/data/0.
If you type 10.129.228.42/data/0 in your browser, you find a file to download.
Download the file. It is called 0.pcap.
Looks like a pcap file, so let's open Wireshark and look more into it.
On the Parrot machine, go to Applications --> Pentesting --> Sniffing and Spoofing --> wireshark
Once Wireshark loads, click on File --> Open
Locate your 0.pcap file and click Open
In the filter field, type ftp to show only FTP traffic. FTP sends credentials unencrypted, so we can see the password used by Nathan in plaintext!
We know that SSH is open too, so let's try that:
You are prompted to enter a password. Enter the password we just found.
The credentials worked and we are in.
You got your flag!
getcap -r / 2>/dev/null
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Now we are root!
Now we got the root flag too!
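A file capability such as cap_setuid on an interpreter is what lets a one-liner like the os.setuid(0) call above succeed for an unprivileged user, so the same getcap listing is worth auditing from the defender's side. The following is an added example, not part of the original walkthrough: a shell function that triages getcap output and flags binaries whose capabilities allow changing UID/GID or bypassing permission checks. The risky-capability list, the interpreter name pattern and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `getcap -r /` output for risky file capabilities.
# Usage on a real host: getcap -r / 2>/dev/null | flag_risky_caps

# Assumed list: capabilities that allow changing UID/GID or bypassing permission checks.
RISKY_CAPS='cap_setuid cap_setgid cap_sys_admin cap_dac_override cap_dac_read_search cap_sys_ptrace cap_sys_module cap_chown cap_fowner'
# Assumed pattern: binaries that run arbitrary user code, so a risky capability is directly usable.
INTERPRETERS='^(python|perl|ruby|node|php|lua|bash|sh|dash|gdb|vim)[0-9.]*$'

# Reads getcap lines on stdin; prints "SEVERITY<TAB>path<TAB>caps" per finding.
flag_risky_caps() {
    awk -v risky="$RISKY_CAPS" -v interp="$INTERPRETERS" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    {
        line = $0
        sub(/ = /, " ", line)              # older libcap prints "path = caps"
        if (!match(line, / cap_/)) next    # no capability clause on this line
        path = substr(line, 1, RSTART - 1)
        nclauses = split(substr(line, RSTART + 1), clause, " ")
        hits = ""
        for (c = 1; c <= nclauses; c++) {
            if (!match(clause[c], /[=+]/)) continue
            flags = substr(clause[c], RSTART + 1)
            if (flags !~ /[ep]/) continue  # inheritable-only grants nothing by itself
            m = split(substr(clause[c], 1, RSTART - 1), name, ",")
            for (k = 1; k <= m; k++)
                if (name[k] in bad) hits = hits (hits == "" ? "" : ",") name[k]
        }
        if (hits == "") next
        base = path; sub(/.*\//, "", base)
        printf "%s\t%s\t%s\n", (base ~ interp ? "HIGH" : "REVIEW"), path, hits
    }'
}

# Constructed sample input (not output captured from the machine in this walkthrough).
sample_getcap() {
    cat <<'EOF'
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping cap_net_raw=ep
/usr/bin/tar cap_dac_read_search=ep
/opt/tool/helper cap_setuid=i
EOF
}

sample_getcap | flag_risky_caps
```

A finding is cleared with setcap -r <path> once the capability is confirmed to be unnecessary.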