Backdoor
A rated easy box, made harder if you’re not familiar with the app/port in question, at least that’s my excuse for struggling a bit! Root was clever, simpler than I made it, rewarding RTFM :smile:
A fun box. It took me an embarrassing amount of time to get the privesc to root working, despite knowing exactly what I needed to do! A box that rewards good, thorough enumeration.
Recon to foothold

We’ll start with a comprehensive scan

rob:ContainMe/ $ sudo masscan -p1-65535,U:1-65535 10.10.235.206 --rate=1000 -e tun0
[sudo] password for rob:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-11-19 14:32:46 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 2222/tcp on 10.10.235.206
Discovered open port 8022/tcp on 10.10.235.206
Discovered open port 22/tcp on 10.10.235.206
Discovered open port 80/tcp on 10.10.235.206

And now an nmap for the found ports...
Another good box, perhaps more of a medium level than hard. Initial foothold needs long, patient enumeration; wordlist choice is pretty key.
A good box that rewards thorough enumeration. Medium level is about right, although privesc to root is pretty simple.
Recon to foothold

We are given an employee’s Twitter account, hakanbey, so let’s start there and look for potentially useful snippets.

We get a hostname to add to /etc/hosts.

We find an invitation to send an XSS or similar attack.

That’s about all we can extract from the Twitter account, let’s have a look at the deployed machine now, starting as always with a scan...