, ,




  • Use gobuster to enumerate the webserver
  • Use ffuf to enumerate parameters
  • Command parameter able to view restrictive information like passwd file and rsa keys
  • RSA key is password locked , use ssh2john to crack the hash
  • Observe write permission in passwd file
  • Edit root user password in passwd with hash generated from openssl to gain root access


Run nmap scan to find for open ports.

port 80

Run a gobuster scan to find for hidden directories.

The secret folder shows a 301 status. Let’s enumerate that folder.

Let’s use ffuf to enumerate the evil.php folder.

ffuf -c -r -u '' -w /usr/share/seclists/Discovery/Web-Content/common.txt -fs 0

Add the parameter found in ffuf and we can see the passwd file.

The user mowree is found.

The parameters only allows sensitive information after trying out different methods , we are able to view the private key for the user.

We still a password for the private key.

Use ssh2john to get the hash

Password found


ssh into the mowree account.

First flag found.

We are unable to find sudo permission but a list of /etc/passwd file indicated we are able to write the file.

Privilege escalation

Let’s edit the root user in the passwd file.

First create a password hash with openssl.

Switch to the root user with the new password.

Final flag is found.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Comments (



%d bloggers like this: