OffSec PG - Seppuku


Machine IP →

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt

OS Detection → os_info


PortServiceOther details (if any)
21FTPvsftpd 3.0.3
22SSHOpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80HTTPnginx 1.14.2
139NETBIOS-SSNSamba smbd 3.X - 4.X (workgroup: WORKGROUP)
445MICROSOFT-DSSamba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7601HTTPApache httpd 2.4.38 ((Debian))
8088HTTPLiteSpeed httpd

Web Scan

GoBuster scan → /opt/gobuster dir -u -f -w /opt/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • /index.html
  • /icons/
  • /b/
  • /a/
  • /c/
  • /t/
  • /r/
  • /d/
  • /e/
  • /f/
  • /h/
  • /w/
  • /q/
  • /database/
  • /production/
  • /keys/
  • /secret/

The directories /w/, secret and keys contain several interesting files →

  • ssh private keys within private and private.bak
  • hostname file with value seppuku
  • a wordlist password.lst
  • passwd.bak and shadow.bak


The wordlist can be used to brute force the ssh login by using hydra as follows →

hydra -l seppuku -P password.lst ssh://

This gives the valid credentials as seppuku:eeyoree which can be used to login to the machine. This also gives the user flag within local.txt in the home directory.

Other items such as the backup for the password and shadow files were rabbit holes due to incorrectly formatted hashes.

Privilege Escalation


Listing the users in the /home directory gives other users as samurai and tanto. The ssh private keys discovered earlier grant access to user tanto via ssh. This leads us to a restricted shell. The sudo -l permissions for the user were to only create a symbolic link of the /root directory inside /tmp. However, this directory would still have the permissions of root which means those permissions are still needed to read the root flag.

The user directory also contains a .passwd file which contains a password. This password helps login with credentials samurai:12345685213456!@!@A for the next user. The sudo -l capability for this user is to run the following command →

/../../../../../../home/tanto/.cgi_bin/bin /tmp/*

This means that the command tries to execute the file /home/tanto/.cgi_bin/bin as a command and the /tmp/* as an argument.


The command bin can be replaced with anything such that it will get executed. This can be done by using a shell script by the same name that can be created on the machine using nano as well as served via HTTP from attacker host to the tanto machine using wget. The file should contain the following →



This can then be made world executable by using chmod 777 bin and then moved inside the .cgi_bin directory. samurai can then use the command with sudo to execute this file which would then grant a root shell and thus the root flag.

This post is licensed under CC BY 4.0 by the author.