PrivEsc

At this point, we have done quite a lot and have managed to establish something of a foothold on our target. We have not, however, achieved our objective, as we haven't pwned the box yet.

To do this, we need to elevate our privileges.

With all the ground we have covered, it is easy to forget that we have only investigated ports 80/443.

Let's try investigating the next service: FTP. I began with the low-hanging fruit: anonymous login. I hit a dead end, however, since anonymous login was disabled.

Now, since we have a username and a password list, let's try a brute-force attack using Hydra:

hydra -l ragnar -P secrets.txt ftp://10.0.2.15

Hydra found a valid password. Nice. Now our quest can continue.

Let's switch to user Ragnar and try the FTP password we found for authentication.

It worked!

I continued combing through the directories to see if I could find anything useful. At Ragnar's home directory, I found an interesting file.

I tried reading the file to see what it contained.

cat does not seem to be working correctly, so let's invoke the binary by its full path instead.

We get root's hash.

I tried cracking it using John the Ripper but was not successful.

Next, I decided to investigate the hidden files in ragnar's home directory.

On reading the file, I discovered that there may be another bashrc file in the system-wide /etc directory.

I decided to investigate this file as well.

On reading the file's contents, I found a base64-encoded string.

Decoding the string gives a link to a Wikipedia page on Kevin Mitnick.

This could be a hint for root's password.

I tried switching to root using kevinmitnick as the password.

It worked! And with that we have successfully gained root access and pwned the box.

To get the flag, I navigated to root's home directory and found the flag in the file named 'hello'.
