Toppo: CTF walkthrough
We can find the VM's IP address with arp-scan.
Then, we can use nmap to find open ports and running services.
Publicly available information
According to our nmap scan, a website is running on an Apache 2.4 server.
So, the first thing we can do is enumerate directories and sub-directories. For that, we can use gobuster.
After a few seconds, we find a really interesting directory: /admin
In this directory we can find a text file that contains some SSH credentials.
We can use this information to log in to the system via SSH.
Username: ted (guessing)
Because the sudo command is unavailable, we have to read the /etc/sudoers file to find out whether the ted user has unusual permissions.
The file tells us that we can execute the /usr/bin/awk command with root privileges and without a password.
Let's try simple commands in order to know if that can lead to a privilege escalation.
As we can see, while using the awk binary we have root privileges (euid=0), so we can add our own root user.
Finally, we can read the flag.
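The sudoers rule found above is the kind of entry a configuration audit should catch before anyone logs in. The following Python script is an added example, not part of the original walkthrough: it scans sudoers text for rules that let a user run a shell-capable binary such as awk as root, and reports whether a password is required. The sample input, the `SHELL_CAPABLE` list and the `audit_sudoers` name are assumptions made for illustration.

```python
import os
import re

# Assumption: short, non-exhaustive list of programs that can run commands or
# read arbitrary files, so a root rule for them is as good as a root shell.
SHELL_CAPABLE = {"awk", "gawk", "mawk", "find", "vi", "vim", "less",
                 "perl", "python", "python3", "ruby", "env", "bash", "sh"}

RULE = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(.+)$")   # who  hosts = spec
TAG = re.compile(r"^(NOPASSWD|PASSWD):\s*")
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def audit_sudoers(text):
    """Return (line_no, who, command_path, nopasswd) for each risky rule."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = RULE.match(line)
        if not m or line.startswith(SKIP):
            continue
        who, spec = m.groups()
        spec = re.sub(r"\([^)]*\)", "", spec)   # drop Runas specs such as (ALL)
        nopasswd = False                         # a tag carries over to later commands
        for item in spec.split(","):
            item = item.strip()
            tag = TAG.match(item)
            while tag:
                nopasswd = tag.group(1) == "NOPASSWD"
                item = item[tag.end():]
                tag = TAG.match(item)
            if not item:
                continue
            path = item.split()[0]
            if os.path.basename(path) in SHELL_CAPABLE:
                findings.append((line_no, who, path, nopasswd))
    return findings

# Constructed sample input for the example, not the VM's real file.
SAMPLE = """\
# constructed sudoers sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
ted ALL=(ALL) NOPASSWD: /usr/bin/awk
backup ALL=(root) /usr/bin/rsync, NOPASSWD: /usr/bin/find /var/backups
"""

if __name__ == "__main__":
    for line_no, who, path, nopasswd in audit_sudoers(SAMPLE):
        print(f"line {line_no}: {who} may run {path} as root (NOPASSWD={nopasswd})")
```

Any rule it reports should either be removed or replaced with a narrowly scoped wrapper script that the user cannot edit.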