OffSec PG - Cybersploit1

Enumeration

Machine IP → 192.168.124.92

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.124.92

OS Detection → os_info

Port | Service | Other details (if any)
22   | SSH     | OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80   | HTTP    | Apache httpd 2.2.22 ((Ubuntu))

Web Scan

GoBuster scan → gobuster dir -u http://192.168.124.92 -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php

Directories/files listed →

  • index/
  • index.html
  • robots/
  • hacker/

The hacker/ page consists of a base64 string which decodes to cybersploit{youtube.com/c/cybersploit}.


Exploitation

The source of the home page contains the comment <!-------------username:itsskv--------------------->. This username was used for a password brute force against the SSH server, which did not reveal a password. Using the previously decoded base64 string as the password works and grants access as the user itsskv.

This gives the first flag.
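A defender-side check for the two disclosures above (the username leaked in an HTML comment and the base64 blob that doubled as an SSH password), added here as an example that is not part of the original write-up: it scans page source for credential-like HTML comments and for base64 tokens that decode to printable text. The sample pages, the find_leaks function and the patterns are constructed for this example.

```python
import base64
import re
from typing import List, Tuple

# Constructed sample pages mirroring the two disclosures in the write-up.
FLAG_TEXT = "cybersploit{youtube.com/c/cybersploit}"
SAMPLE_HOME = (
    "<html><body><h1>Hello</h1>\n"
    "<!-------------username:itsskv--------------------->\n"
    "</body></html>"
)
SAMPLE_HACKER = (
    "<html><body>" + base64.b64encode(FLAG_TEXT.encode()).decode() + "</body></html>"
)

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# Credential-style key/value pairs such as "username:itsskv" or "pass=..."
CRED_RE = re.compile(r"\b(user(name)?|pass(word)?|pwd|login)\s*[:=]\s*(\S+)", re.I)
# Runs of base64 alphabet at least 16 chars long, not embedded in a longer token
B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def find_leaks(html: str) -> List[Tuple[str, str]]:
    """Return (kind, value) findings for leaked comments and decodable base64."""
    findings = []
    for m in COMMENT_RE.finditer(html):
        body = m.group(1).strip("-").strip()  # drop decorative dash padding
        hit = CRED_RE.search(body)
        if hit:
            findings.append(("comment-credential", hit.group(0)))
    for m in B64_RE.finditer(html):
        token = m.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
            text = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text once decoded
        if text.isprintable():
            findings.append(("base64-text", text))
    return findings


if __name__ == "__main__":
    for page in (SAMPLE_HOME, SAMPLE_HACKER):
        for kind, value in find_leaks(page):
            print(f"{kind}: {value}")
```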


Privilege Escalation

Enumerating the setuid binaries gives no useful leads. Checking the kernel and OS version with uname -a shows that the kernel is indeed outdated → 3.13.0. Searching for exploits for this version with searchsploit 3.13.0 lists an overlayfs local privilege escalation exploit.

Compiling this exploit for 32-bit, transferring it to the machine via wget and running it gives a root shell. This gives the root flag.


This post is licensed under CC BY 4.0 by the author.