Seppuku

  1. Ran a TCP scan via Nmap

# Nmap 7.95 scan initiated Tue Oct 14 10:12:45 2025 as: /usr/lib/nmap/nmap -sC -sV -p 21,22,80,139,445,7080,7601,8088 -oA nmap 192.168.106.90
Nmap scan report for 192.168.106.90
Host is up (0.072s latency).

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd 3.0.3
22/tcp   open  ssh           OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 cd:55:a8:e4:0f:28:bc:b2:a6:7d:41:76:bb:9f:71:f4 (RSA)
|   256 16:fa:29:e4:e0:8a:2e:7d:37:d2:6f:42:b2:dc:e9:22 (ECDSA)
|_  256 bb:74:e8:97:fa:30:8d:da:f9:5c:99:f0:d9:24:8a:d5 (ED25519)
80/tcp   open  http          nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: 401 Authorization Required
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Restricted Content
139/tcp  open  netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn   Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080/tcp open  ssl/empowerid LiteSpeed
|_ssl-date: TLS randomness does not represent time
|_http-server-header: LiteSpeed
| tls-alpn: 
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
|_http-title: Did not follow redirect to https://192.168.106.90:7080/
| ssl-cert: Subject: commonName=seppuku/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US
| Not valid before: 2020-05-13T06:51:35
|_Not valid after:  2022-08-11T06:51:35
7601/tcp open  http          Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Seppuku
8088/tcp open  http          LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Seppuku
Service Info: Host: SEPPUKU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: -1s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: seppuku
|   NetBIOS computer name: SEPPUKU\x00
|   Domain name: \x00
|   FQDN: seppuku
|_  System time: 2025-10-14T00:43:04-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2025-10-14T04:43:04
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Oct 14 10:13:11 2025 -- 1 IP address (1 host up) scanned in 26.12 seconds

  2. Here several services like FTP and SMB were running on the target, but nothing was found in them upon enumeration.

  3. I opened the webpage on port 80, but it showed a prompt for a username and password, which I didn't have at that point.

  4. Next, I checked the web server running on port 7601 and found this cryptic image.

  5. I brute-forced the directories on this port via Gobuster and found the following.

  6. I checked the keys subdirectory and found the following.

  7. Here both files contained the same SSH key, as follows.

  8. This one was interesting. Next, I visited the /secret subdirectory.

  9. The hostname file had only seppuku written inside it, which could mean that it was one of the users on the target.

  10. passwd.bak had a list of user accounts and information.

  11. Similarly, shadow.bak had a hashed password.

  12. It became clear here that this approach was a rabbit hole; initially I had been thinking of cracking the hashed password and using it further.

  13. There was also a password.lst file, a small wordlist of keywords that might be used to brute-force something.

Foothold

  1. My first approach was to use the obtained SSH key to log in to the target as the seppuku user. I tried to do so but it didn't work, so it was evident that a password was required.

  2. This is where the wordlist came in. I ran Hydra to brute-force the password for the seppuku user on the target's SSH service.

  3. The password for seppuku was obtained successfully! I used it to log in to the target and gain an initial foothold.

  4. The first flag was successfully obtained.
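
A defender's view of the foothold above: this added Python example (not from the original write-up) scans sshd log lines for a source that piles up failed password attempts and then succeeds with a password, which is the trace a wordlist run like the Hydra attempt against seppuku's account leaves in auth.log. The log lines, PIDs and the 192.168.49.106 source address are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (not from the original write-up) modelling a
# wordlist-driven password-guessing run against the seppuku account. The host
# name, PIDs and the 192.168.49.106 source address are sample values.
SAMPLE_AUTH_LOG = """\
Oct 14 10:20:01 seppuku sshd[1201]: Failed password for seppuku from 192.168.49.106 port 40120 ssh2
Oct 14 10:20:01 seppuku sshd[1202]: Failed password for seppuku from 192.168.49.106 port 40122 ssh2
Oct 14 10:20:02 seppuku sshd[1203]: Failed password for seppuku from 192.168.49.106 port 40124 ssh2
Oct 14 10:20:02 seppuku sshd[1204]: Failed password for invalid user admin from 192.168.49.106 port 40126 ssh2
Oct 14 10:20:03 seppuku sshd[1205]: Failed password for seppuku from 192.168.49.106 port 40128 ssh2
Oct 14 10:20:03 seppuku sshd[1206]: Accepted password for seppuku from 192.168.49.106 port 40130 ssh2
Oct 14 10:25:10 seppuku sshd[1300]: Failed password for samurai from 10.0.0.7 port 51000 ssh2
Oct 14 10:25:30 seppuku sshd[1301]: Accepted publickey for samurai from 10.0.0.7 port 51002 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (password|publickey) for (\S+) from (\S+) port")


def find_guessed_logins(log_text, threshold=3):
    """Return (source_ip, user, failures) for every password login that followed at
    least `threshold` failed password attempts from the same source. A successful
    publickey login after failures is not reported: no password was guessed."""
    failures = defaultdict(int)  # source ip -> failed password attempts so far
    findings = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if method == "password" and failures[ip] >= threshold:
                findings.append((ip, user, failures[ip]))
            failures[ip] = 0  # a successful login closes the streak
    return findings
```

A finding like this is worth pairing with rate limiting on sshd and with disabling password authentication for accounts that already hold a key.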

Privilege Escalation

  1. I was inside a restricted shell by default, and because of that I was unable to change directories or use the / character in my commands.

  2. To break out of it I copied /bin/bash to my working directory and ran bash from there.

  3. Next, I ran sudo -l and found the following.

  4. But I was unable to use it to escalate my privileges.

  5. I checked the home directory of seppuku and found a .passwd file.

  6. This was apparently the password for some user.

  7. Next, I checked the /home directory and found that there were two other users on the system, named tanto and samurai.

  8. I tried logging in as both users via SSH with that password, but it didn't work. Next, I tried switching user from the foothold shell and could successfully log in as the samurai user.

  9. I ran sudo -l and found the following.

  10. As stated above, I could run a bin file inside tanto's .cgi_bin directory with sudo permissions, but I could find no such directory in tanto's home.

  11. One approach could be used here: I could create the .cgi_bin directory myself and place a file named bin in it containing custom code to escalate privileges.

  12. But to do that I needed to log in as the tanto user.

  13. Maybe I could use the previously obtained SSH key for one of the two users.

  14. I tried logging in to the target as the tanto user with the SSH key, and I got in successfully.

  15. There was yet again a restricted shell, which I broke out of using the same method described above.

  16. I created the bin file and added /bin/bash -p to it.

  17. Next, from the samurai user, I executed the command as follows and gained a root shell.

  18. The next step was to obtain the root flag from proof.txt, and that was all for this room.
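
The root cause of the escalation above is a sudo rule whose command lives in a tree another user controls and does not even exist yet. This added Python example (not from the original write-up) audits a sudoers file for exactly that: it parses user specifications, normalises the command path so ".." tricks cannot hide the real location, and flags executables under user-writable trees or missing from disk. The sudoers fragment is constructed to match the rule described above; the seppuku entry is a harmless placeholder, not the rule the write-up saw.

```python
import os
import re

# Constructed /etc/sudoers fragment (not from the original write-up) modelling the
# rule described above: samurai may run, as root, a binary under another user's
# home directory that does not exist yet. The seppuku line is a placeholder.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
seppuku ALL=(ALL) NOPASSWD: /usr/bin/systemctl status nginx
samurai ALL=(ALL) NOPASSWD: /home/tanto/.cgi_bin/bin
"""

# user  host = (runas) [TAG:]* command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)

# Trees where an unprivileged user can create or replace files.
UNTRUSTED_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


def audit_sudoers(text, exists=os.path.exists):
    """Return (user, executable, reasons) for every sudo command whose executable
    is not under the administrator's control. `exists` is injectable so the audit
    can run against a sudoers file copied from another machine."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            if not parts or parts[0] == "ALL":
                continue
            norm = os.path.normpath(parts[0])  # collapse "..": /../home/x -> /home/x
            reasons = []
            if norm.startswith(UNTRUSTED_PREFIXES):
                reasons.append("executable lives under a user-writable tree")
            if not exists(norm):
                reasons.append("executable is missing, so the tree owner can create it")
            if reasons:
                findings.append((m.group("user"), norm, reasons))
    return findings
```

The fix on the defending side is to point such rules at root-owned, non-writable paths (or remove them), which is what a hit from this audit should trigger.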
