InfosecPrep
Started by running a TCP scan via Nmap.
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-13 17:27 IST
Nmap scan report for 192.168.106.89
Host is up (0.071s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 91:ba:0d:d4:39:05:e3:13:55:57:8f:1b:46:90:db:e4 (RSA)
| 256 0f:35:d1:a1:31:f2:f6:aa:75:e8:17:01:e7:1e:d1:d5 (ECDSA)
|_ 256 af:f1:53:ea:7b:4d:d7:fa:d8:de:0d:f2:28:fc:86:d7 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.4.2
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/secret.txt
|_http-title: OSCP Voucher – Just another WordPress site
33060/tcp open mysqlx MySQL X protocol listener
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.57 seconds
Next, I visited the web page at port 80.
Here it was stated that
oscpwas the ONLY user on the box.Next I checked out
robots.txtand found a disallowed entry namedsecret.txt.secret.txthad a huge block of base64 encoded text.
I decoded it and turns out, it was an SSH key.
I copied it on the attacker machine and changed the permissions of the file containing the key to
600bit. I connected to the target asoscpuser using the key.
I found the first flag in the working directory
Privilege Escalation
Next, I enumerated SUID binaries and turns out that
/usr/bin/bashhad the sticky bit set.I used
/usr/bin/bash -pand got the root shell.
Last updated