Proving Grounds Play: Vegeta1

RATING

Easy

ENUMERATION

We kick it off with our usual nmap scan:

Command: nmap -sV -sC -T4 -Pn -p- 192.168.153.73

Navigating over to the target in our browser doesn’t yield much, so we proceed to directory bruteforcing with feroxbuster and discover the /bulma/ directory:

Command: feroxbuster -u http://192.168.153.73/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -k -d 1 --quiet

Hopping over to the /bulma/ directory, we discover a hahahaha.wav file and download it locally:

Playing the file, we can tell that it’s a message in Morse code. We upload it to an online Morse code audio decoder, which reveals the following:

user: trunks

password: u$3r

We use our new credentials to SSH into our target as user trunks:

Command: ssh trunks@192.168.153.73

Checking out trunks’ home directory, we can see that .bash_history contains a command to add user Tom as a root user with password Password@973:

Because we are able to write to the /etc/passwd file, we can simply execute the command, switch to user Tom and proceed to grab our flag:

Command: echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd

Command: su Tom (using password Password@973)
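
The escalation above works because an unprivileged user can modify /etc/passwd and because a hash placed in the second field is honoured for login. The audit below is an added example, not part of the original writeup; the function name audit_passwd, the finding labels and the sample trunks entry (UID 1000) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the weakness abused above.
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
audit_passwd() {
    file=$1
    findings=$(awk -F: '
        /^#/ || NF < 3 { next }
        # Any account other than root with UID 0 is a second superuser.
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        # Field 2 should be a placeholder (x) or locked (*, !...), with the
        # real hash kept in /etc/shadow; anything else is an in-file credential.
        $2 == "" { print "EMPTY_PASSWORD " $1; next }
        $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "HASH_IN_PASSWD " $1 }
    ' "$file")
    # Group- or world-writable passwd lets those users append entries.
    # (Ownership by a non-root user has the same effect and is not checked here.)
    if [ -n "$(find "$file" \( -perm -020 -o -perm -002 \))" ]; then
        findings=$(printf '%s\nWRITABLE %s' "$findings" "$file")
    fi
    findings=$(printf '%s\n' "$findings" | sed '/^$/d')
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: a stock root entry, an ordinary user, and the entry
# from the writeup. The 666 mode mimics the misconfiguration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
trunks:x:1000:1000::/home/trunks:/bin/bash
Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash
EOF
chmod 666 "$sample"
audit_passwd "$sample" || echo "passwd audit: findings above need review"
rm -f "$sample"
```

On a real host, point it at /etc/passwd; the expected state is no findings, with the file owned by root and mode 0644.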