
Pwned: 1



  • Enumeration will lead to hidden directories
  • Find a directory list and re-enumerate the web server
  • Examine the source code to find FTP credentials
  • Access FTP to find a private key
  • Once access is gained, exploit the script with code injection and bind a shell
  • Use a docker exploit to gain root access


Run an nmap scan to find open ports.

Run a gobuster scan to find hidden directories.

Port 80

A clue is found in the page source on port 80.




Found some kind of directory list.

Use that list to enumerate the web server again.

Found a page.

Source code of /pwned.vuln

Unable to get anything from the page. I tried using the creds on the FTP server.
Download both files.

The files contain a note stating a potential user name and a private key.


User access gained.

Found the first flag.

Found a note that has potential user names.

Check sudo permissions.

Found the messenger script in the home directory.

We can run sudo -u selena /home/messenger.sh to interact directly with the selena user. Let’s use a bind shell to connect.

Selena access gained.

We find the second flag.

Privilege escalation

After some trial and error I resorted to linpeas. I had missed the ID at the beginning. The selena user is able to use docker.

We search for a docker exploit on GTFOBins.

Run the script and root access is gained.

Found the final flag.
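
From the defender's side, docker access like selena's is equivalent to root, so it is worth auditing which accounts have it. The script below is an added example, not part of the original write-up; the sample group and passwd contents and the webadmin and buildsvc accounts are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: list every account that holds docker group membership,
# which on a default install means root-equivalent access to the host.

docker_group_users() {
    local group_file passwd_file gid
    group_file="${1:-/etc/group}"
    passwd_file="${2:-/etc/passwd}"
    # group(5) line format: name:password:GID:member1,member2
    gid=$(awk -F: '$1 == "docker" { print $3 }' "$group_file")
    [ -n "$gid" ] || return 0   # no docker group, nothing to report
    {
        # supplementary members listed on the docker group line
        awk -F: '$1 == "docker" { print $4 }' "$group_file" | tr ',' '\n'
        # accounts whose primary GID is docker never show up in that list
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | grep -v '^$' | sort -u
}

# Constructed sample data (hypothetical accounts apart from selena).
sample_audit() {
    local dir
    dir=$(mktemp -d)
    cat > "$dir/group" <<'EOF'
root:x:0:
sudo:x:27:webadmin
docker:x:115:selena
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
webadmin:x:1000:1000::/home/webadmin:/bin/bash
selena:x:1001:1001::/home/selena:/bin/bash
buildsvc:x:1002:115::/home/buildsvc:/bin/sh
EOF
    docker_group_users "$dir/group" "$dir/passwd"
    rm -rf "$dir"
}

sample_audit
```

Called with no arguments, docker_group_users reads the live /etc/group and /etc/passwd; every name it prints should be an account that is meant to have root.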
