Create a directory for the machine on the Desktop, with a subdirectory to hold the nmap scans.
Task 2 - Reconnaissance
echo "10.10.22.231 wgel.thm" | sudo tee -a /etc/hosts
mkdir -p thm/wgel.thm
cd thm/wgel.thm
mkdir {nmap,content,exploits,scripts}
# At the end of the room
# To clean up the last line from the /etc/hosts file
sudo sed -i '$ d' /etc/hosts
I prefer to start recon by pinging the target; this lets us check connectivity and get a hint about the OS.
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. This indicates that the target is a *nix system, while Windows systems usually have a TTL of 128 secs.
Next, gather more information by scanning for open ports:
Remembering that we have a username and an id_rsa key, first set the permissions on the id_rsa file and try to log in:
chmod 600 id_rsa
ssh -i id_rsa jessie@wgel.thm
We're in. Try to find the user.txt flag using the find command:
find / -type f -iname "*flag.txt" 2>/dev/null
🚩 Flag 1 (user_flag.txt)
057c67131c3d5e42dd5cd3075b198ff6
Task 4 - What are the contents of root.txt?
We can run the sudo -l command to discover the user's sudo permissions.
We can run /usr/bin/wget as root. Perfect, time to go to GTFOBins (https://gtfobins.github.io/) and find our exploit.
Unfortunately, it doesn't work!
Checking on Google, we find this good article that suggests using the --post-file option of wget to send the contents of any file.
Most probably the root flag is in the /root directory and its name is similar to user_flag.txt, so we can try setting the post-file option: --post-file=/root/root_flag.txt, add our IP, and open a listener with netcat to receive the file.
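The weakness here is a sudo rule granting root-level use of a binary that can read arbitrary files. As an added example (not part of the original writeup), the following Python script parses `sudo -l` output and flags such rules, so an administrator can audit a host for the same misconfiguration; the `SAMPLE_SUDO_L` text and the `FILE_ACCESS_BINARIES` list are constructed for illustration, not taken from the room.

```python
import re

# Illustrative (not exhaustive) list of binaries that, when runnable as root,
# can read or write arbitrary files; wget's --post-file is the case above.
FILE_ACCESS_BINARIES = {"wget", "curl", "cp", "tee", "vim", "find", "less", "tar"}

# Constructed sample of `sudo -l` output, modelled on the situation in the room.
SAMPLE_SUDO_L = """\
Matching Defaults entries for jessie on CorpOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin

User jessie may run the following commands on CorpOne:
    (root) NOPASSWD: /usr/bin/wget
    (root) /bin/ls
"""

# A rule line looks like: "(runas) [TAG: ...] command"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+?)\s*$")

def parse_sudo_rules(text):
    """Return (runas_user, nopasswd, command) tuples from `sudo -l` output."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        # Rules follow the "User X may run the following commands" header.
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            runas = m.group("runas").split(":")[0].strip()
            rules.append((runas, "NOPASSWD" in m.group("tags"), m.group("cmd")))
    return rules

def risky_rules(text):
    """Flag root-level rules whose binary can read or write arbitrary files."""
    flagged = []
    for runas, nopasswd, cmd in parse_sudo_rules(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if runas in ("root", "ALL") and (cmd == "ALL" or binary in FILE_ACCESS_BINARIES):
            flagged.append((cmd, nopasswd))
    return flagged

if __name__ == "__main__":
    for cmd, nopasswd in risky_rules(SAMPLE_SUDO_L):
        print(f"risky sudo rule: {cmd} (NOPASSWD={nopasswd})")
```

On a real host, feed it the output of `sudo -l` instead of the constructed sample; a hit like `/usr/bin/wget` with NOPASSWD is the rule that should be removed or restricted.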