Initially, we will perform host discovery on our network using NMAP.
sudo nmap -sn 10.0.2.0/24 -oN host-scan
The IP address of the target machine is 10.0.2.239. Next, we will scan this target IP for information regarding the OS and the services running on the machine.
sudo nmap -A 10.0.2.239 -oN port-scan
We can see that there are only two open ports in the machine: one for SSH and the other for HTTP web server. We can perform a directory scan on the web server running on port 80 using Gobuster:
gobuster dir -w $x -u http://10.0.2.239/ | tee scanned-dir.txt
Here, the variable x has the value ‘/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt’ (I do this for my own convenience). The tee command is used to write the output in standard output (terminal) and also a file named scanned-dir.txt.
On accessing /js directory, we can see a file called ‘main.js’ with the following content:
The comments gives us a clue about some kind of AES decryption using the passphrase ‘SecretPassphraseMomentum’. Now we will access the cookies of the website using our browser developer tools. If you are using Firefox, you can open it up by pressing Ctrl+Shift+I and find the cookies under the ‘Storage’ tab.
We will use the passphrase to decrypt the cookie. I used this site to perform the task.
On clicking ‘AES Decrypt!’ we get the following:
This looks like some sort of credential. After some trial and error method, I figured that this was the credentials for the SSH. The user is a ‘auxerre’ and the password is ‘auxerre-alienum##’.
After logging in, we can find the user flag.
The next task is Privilege Escalation. I tried multiple things like enumeration (using LinPEAS), kernel exploitation, finding SUID executables etc., but none of them worked. But upon listing out the running processes using ps command we find a Redis Server running on port 6379 in the localhost.
We can try sending commands to this server using a command line interface called redis-cli. We can use the KEYS command followed by the symbol ‘*’ to retrieve all the keys. This is followed by a GET [key name] command to display the value stored in that particular key.
The above value is used as the password for root. Once we switch to root user, we can retrieve the root flag.