
OffSec PG - Vegeta1

Enumeration

Machine IP → 192.168.72.73

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.72.73

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

| Port | Service | Other details (if any) |
|------|---------|------------------------|
| 22 | SSH | OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) |
| 80 | HTTP | Apache httpd 2.4.38 ((Debian)) |

Web Scan

GoBuster scan → gobuster dir -u http://192.168.72.73 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • img/ (301)
  • image/ (301)
  • admin/ (301)
  • manual/ (301)
  • server-status (403)
  • bulma/ (301)

The robots.txt was checked manually while the scan was running. The robots file reveals a directory called find_me, which doesn't contain any useful information either.


Exploitation

None of the directories were really useful. The login pages inside the /admin/ directory were empty. The /bulma/ directory revealed an audio file in WAV format.

Uploading the WAV file to an online audio decoder shows that the audio is Morse code, and the decoded text states the presence of a user trunks with the password u$3r. This can be used to log in to the SSH server running on the target, which gives us the user flag.
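Rather than relying on an online service, the Morse audio can be decoded offline. The following is an added example (not code from the original post): it builds a constructed mono 16-bit WAV of a text string in Morse using standard PARIS timing, then recovers the text by measuring per-frame signal energy, splitting the audio into tone/silence runs, and classifying each run as dot, dash, letter gap or word gap relative to the shortest tone. The `$` mapping is a common non-ITU extension; the timing constants (20 WPM, 700 Hz, 8 kHz) are assumptions chosen for the sample.

```python
"""Decode Morse code from a WAV file offline (added example, not the post's code)."""
import io
import math
import struct
import wave

MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
    "G": "--.", "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..",
    "M": "--", "N": "-.", "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.",
    "S": "...", "T": "-", "U": "..-", "V": "...-", "W": ".--", "X": "-..-",
    "Y": "-.--", "Z": "--..",
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
    "$": "...-..-",  # non-ITU extension, widely used in decoders
}
CODE_TO_CHAR = {v: k for k, v in MORSE.items()}


def make_morse_wav(text, wpm=20, freq=700.0, rate=8000):
    """Build an in-memory mono 16-bit WAV of `text` in Morse (constructed sample input)."""
    unit = int(rate * 1.2 / wpm)  # samples per dot, PARIS timing (1.2 s / WPM)
    tone = [int(0.8 * 32767 * math.sin(2 * math.pi * freq * i / rate)) for i in range(unit)]
    silence = [0] * unit
    samples = []
    for w, word in enumerate(text.upper().split()):
        if w:
            samples += silence * 4      # word gap: 7 units in total (3 already emitted)
        for c, ch in enumerate(word):
            if c:
                samples += silence * 2  # letter gap: 3 units in total (1 already emitted)
            for sym in MORSE[ch]:
                samples += tone * (1 if sym == "." else 3)  # dot = 1 unit, dash = 3 units
                samples += silence                          # gap inside a letter: 1 unit
    buf = io.BytesIO()
    with wave.open(buf, "wb") as wf:
        wf.setnchannels(1)
        wf.setsampwidth(2)
        wf.setframerate(rate)
        wf.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def on_off_runs(samples, rate, frame_ms=5, threshold=2000):
    """Split audio into alternating [is_on, n_frames] runs using per-frame RMS energy."""
    n = max(1, rate * frame_ms // 1000)
    runs = []
    for start in range(0, len(samples) - n + 1, n):
        frame = samples[start:start + n]
        on = math.sqrt(sum(s * s for s in frame) / n) > threshold
        if runs and runs[-1][0] == on:
            runs[-1][1] += 1
        else:
            runs.append([on, 1])
    return runs


def decode_runs(runs):
    """Turn tone/silence runs into text; the shortest tone defines the dot length."""
    on_lengths = [n for on, n in runs if on]
    if not on_lengths:
        return ""
    unit = min(on_lengths)
    out, symbols = [], ""
    for on, n in runs:
        if on:
            symbols += "." if n < 2 * unit else "-"
            continue
        if n < 2 * unit:
            continue                    # silence inside a letter
        if symbols:                     # letter gap (3 units) or word gap (7 units)
            out.append(CODE_TO_CHAR.get(symbols, "?"))
            symbols = ""
        if n >= 5 * unit:
            out.append(" ")
    if symbols:
        out.append(CODE_TO_CHAR.get(symbols, "?"))
    return "".join(out).strip()


def decode_morse_wav(data):
    """Decode Morse from WAV bytes; assumes mono, 16-bit PCM (the sample format built above)."""
    with wave.open(io.BytesIO(data), "rb") as wf:
        rate, raw = wf.getframerate(), wf.readframes(wf.getnframes())
    samples = struct.unpack("<%dh" % (len(raw) // 2), raw)
    return decode_runs(on_off_runs(samples, rate))


if __name__ == "__main__":
    print(decode_morse_wav(make_morse_wav("user trunks")))
```

For a real recording, read the file's bytes and pass them to `decode_morse_wav`; if the recording is noisy, raise `threshold` or lengthen `frame_ms` so that background hiss does not register as tone.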


Privilege Escalation

Enumerating sudo rights and setuid binaries on the file system turned up nothing apart from the setuid binary su. The bashrc and bash history files were checked next; the history file contained the following interesting entries →

```shell
perl -le 'print crypt("Password@973","addedsalt")'
echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd
```

Checking the permissions of /etc/passwd showed that the user trunks owned the file, which allowed it to be edited directly. The entry above was therefore appended to the passwd file, after which it was possible to log in as Tom using the password hashed in the commands above.
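The misconfiguration exploited above (a non-root user owning /etc/passwd, and a second UID 0 account carrying a legacy hash directly in the password field) is exactly what a host-integrity check should flag. The following is an added example (not code from the original post): it parses passwd-format text, reports extra UID 0 accounts, duplicate UIDs, hashes or empty passwords stored in the passwd file itself, and ownership or write permissions that would let an unprivileged user edit the file. The sample content is constructed; only the `Tom` line is taken from the history quoted above.

```python
"""Audit /etc/passwd for tampering and weak permissions (added example, not the post's code)."""
import os
import stat

# Constructed sample passwd content; the "Tom" line is the entry from the shell history above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
trunks:x:1000:1000:trunks,,,:/home/trunks:/bin/bash
Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash
"""

# Password-field values that mean "no password here, see /etc/shadow" or "locked".
SHADOWED_OR_LOCKED = ("x", "*", "!", "!!")


def parse_passwd(text):
    """Parse passwd-format text into entry dicts; malformed lines become findings."""
    entries, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("malformed", f"line {lineno}: expected 7 fields, got {len(fields)}"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        try:
            uid, gid = int(uid), int(gid)
        except ValueError:
            findings.append(("malformed", f"line {lineno}: non-numeric uid/gid"))
            continue
        entries.append({"name": name, "pw": pw, "uid": uid, "gid": gid,
                        "gecos": gecos, "home": home, "shell": shell})
    return entries, findings


def audit_entries(entries):
    """Flag extra UID 0 accounts, duplicate UIDs, and password material kept in passwd."""
    findings, by_uid = [], {}
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(("extra-uid0", e["name"]))
        if e["pw"] == "":
            findings.append(("empty-password", e["name"]))
        elif e["pw"] not in SHADOWED_OR_LOCKED:
            # A hash in the world-readable passwd file can be cracked offline; it belongs in shadow.
            findings.append(("hash-in-passwd", e["name"]))
        by_uid.setdefault(e["uid"], []).append(e["name"])
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append(("dup-uid", f"uid {uid}: {', '.join(names)}"))
    return findings


def audit_metadata(st_uid, st_mode):
    """Flag ownership and mode bits that let a non-root user rewrite the file."""
    findings = []
    if st_uid != 0:
        findings.append(("bad-owner", f"owned by uid {st_uid}, expected 0"))
    if st_mode & stat.S_IWGRP:
        findings.append(("group-writable", oct(stat.S_IMODE(st_mode))))
    if st_mode & stat.S_IWOTH:
        findings.append(("world-writable", oct(stat.S_IMODE(st_mode))))
    return findings


def audit_passwd_file(path="/etc/passwd"):
    """Run all checks against a real file on disk."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        entries, findings = parse_passwd(fh.read())
    return audit_metadata(st.st_uid, st.st_mode) + findings + audit_entries(entries)


if __name__ == "__main__":
    entries, findings = parse_passwd(SAMPLE_PASSWD)
    # Ownership/mode values below are constructed to mirror the box: owned by uid 1000, mode 0644.
    for kind, detail in audit_metadata(1000, 0o100644) + findings + audit_entries(entries):
        print(f"{kind}: {detail}")
```

Run it as a periodic check with `audit_passwd_file()` on a live system; any `extra-uid0`, `hash-in-passwd` or `bad-owner` finding on a production host warrants an incident ticket, since each one is a sign of either a backdoor account or a path to creating one.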

This gave the root shell and thereby the root flag.


This post is licensed under CC BY 4.0 by the author.