Task is to become root and read /root/flag.txt.
We can start by running nmap on our target IP.
NFS is up and running. We can use showmount to see whether there are any mountable shares.
Great, we have an open share, which we can mount.
And now we have a file called backup.7z to analyze.
It’s password protected, but while opening it we can see some interesting files like id_rsa. As they may help us to get into ssh, I decided to brute force the password with this little Python script.
Now let’s run it and wait for the results.
Now that we have everything decompressed, let’s view the files. Firstly, in id_rsa.pub we have the name of the user. It will be essential for logging into the
Unfortunately, we also need a passphrase for the key.
After trying to find clues in decompressed images, I decided to run another brute force attack.
ssh2john could not get the hashes from the key, so I decided to run this simple one-liner brute forcer with bash.
And this time, we have a password: 12345678. Finally, we can log into the system.
Doing simple enumeration for any misconfigured services, I’ve found
After viewing its configuration files, we can see that it’s possible to run /usr/bin/less args /var/log/authlog as root with
From that, further exploitation is trivial as we have to enter !sh in order to run commands just like in
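
Seen from the administrator's side, the rule above is the finding to catch in review. The following audit is an added example, not part of the original write-up: it assumes the rule is written in OpenBSD doas.conf syntax (`permit ... cmd ... args ...`), which the surviving text does not name, and the function names, the user `alice` and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# audit_rules [FILE]: print "LINE:COMMAND" for every permit rule that hands
# out a program with a built-in shell escape, or no command restriction.
audit_rules() {
    awk '
    BEGIN {
        # Programs that can start a shell or editor from inside their own UI.
        n = split("less more man vi vim view ed nano", names, " ")
        for (i = 1; i <= n; i++) escape[names[i]] = 1
    }
    /^[ \t]*#/ || NF == 0 { next }   # comments and blank lines
    $1 != "permit"        { next }   # deny rules grant nothing
    {
        cmd = ""
        for (i = 2; i < NF; i++)
            if ($i == "cmd") cmd = $(i + 1)
        # less disables "!", "|", "v" and ":e" when LESSSECURE=1 is set.
        hardened = ($0 ~ /setenv[ \t]*[{][^}]*LESSSECURE=1/)
        if (cmd == "") { print NR ":ANY"; next }   # no cmd: every command
        base = cmd
        sub(/.*\//, "", base)                      # strip the directory part
        if (!(base in escape)) next
        if (base == "less" && hardened) next
        print NR ":" cmd
    }' "$@"
}

# Constructed sample rules (not copied from the target machine).
sample_rules() {
    cat <<'EOF'
# constructed example file
permit nopass keepenv alice as root cmd /usr/bin/less args /var/log/authlog
permit nopass setenv { LESSSECURE=1 } alice as root cmd /usr/bin/less args /var/log/authlog
permit nopass alice as root cmd /usr/sbin/rcctl args restart httpd
deny alice cmd /usr/bin/vi
permit persist :wheel
EOF
}

# Flags line 2 (less without LESSSECURE) and line 6 (unrestricted rule).
sample_rules | audit_rules
```

Pinning the argument to a log file does not help on its own, because the escape happens inside the pager after it has started as root; restricting the pager's features or replacing it with a non-interactive command such as `cat` closes the gap.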