This is a machine that allows you to practise web app hacking and privilege escalation using recent vulnerabilities.
PORT STATE SERVICE REASON 22/tcp open ssh syn-ack ttl 61 80/tcp open http syn-ack ttl 61
We are initially redirected to the
/auth end point, looking at this we see there is a CMS named
cockpit. Whatweb doesn’t give us the version but we can still use the output:
We have a login portal using express. There’s not a lot we can immediately find however after a little googling, we google the CMS and see there’s a potential vuln from metasploit:
It’s easy to use, we open us metasploit and use:
If we run this without setting the user variable, we get the following:
We set the user variable as
admin, re-run the exploit and a shell:
Our first flag is in our first directory.
We have one user,
stux. In his home directory we see a file called
.dbshell containing a login and flag:
We have exiftool that we can run as root, we can use it to grab root’s flag:
sudo exiftool -filename=/tmp/root_flag /root/root.txt