Tenten

Target Enumeration:

OS: Linux
User: e5c7ed3b89e73049c04c432fc8686f31
Root: f9f7291e39a9a2a011b1425c3e08f603

Ports / Services / Software Versions Running

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

Vulnerability Exploited:

Username enumeration via WordPress
id_rsa file hidden within a .jpg file
Weak password on the id_rsa file

Privilege Escalation:

User allowed to run /bin/fuckin as sudo user to execute /bin/sh

Exploiting the host:

Brought back the user takis
Bruteforce while enumerating the webapp
Found a jobs listing on the webapp
File upload present but not yet able to upload any files
Path is so iterate through all to see if we can find anything else with burp intruder
Found an access granted page
After searching further with the intruder we found the hackeraccessgranted.jpg file.
Steghide on the image revealed an id_rsa key
We set the file to 400 permissions with chmod and tried to log in via SSH as the user takis with the key file.
This did not work, so we extracted the hash from the id_rsa file and cracked it with john.
We now had the password “superpassword”.
We used that to log in via SSH and collect our user file.
Checking local permissions, we found we were allowed to run /bin/fuckin as the sudo user. We inspected the file and found that the first, second and third arguments would allow us to run other shells. We then ran it with sudo /bin/fuckin /bin/sh to get a root shell.
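
An added example, not part of the original write-up: a shell audit that reads sudoers-style rules and flags permitted scripts that use their own arguments as the command, which is the weakness in the sudo rule above. The function names are hypothetical, and the sample rule and both scripts are constructed.

```shell
#!/bin/sh
# Added example: find sudo-permitted scripts that execute whatever they are passed.

# Return 0 if the file is an interpreted script with a line whose command word
# is a positional parameter ($1, ${1}, "$@", $*), optionally after exec/eval.
runs_its_args() {
    f=$1
    [ -f "$f" ] || return 1
    head -n 1 "$f" | grep -q '^#!' || return 1
    grep -Eq '^[[:space:]]*((exec|eval)[[:space:]]+)?"?\$[{]?[1-9@*]' "$f"
}

# Read sudoers-style rules on stdin and print "RISK <path>" for every absolute
# path in a rule that runs_its_args. Comment lines are skipped.
audit_sudo_rules() {
    grep -v '^[[:space:]]*#' |
    tr -s ' ,\t' '\n' |
    grep '^/' |
    while read -r cmd; do
        if runs_its_args "$cmd"; then
            printf 'RISK %s\n' "$cmd"
        fi
    done
}

# Constructed sample: one wrapper that runs its arguments, one that only prints them.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/bash\n$1 $2 $3\n' > "$d/wrapper"
    printf '#!/bin/sh\necho "$1"\n' > "$d/greeter"
    printf 'takis ALL=(ALL) NOPASSWD: %s, %s\n' "$d/wrapper" "$d/greeter" |
        audit_sudo_rules
    rm -rf "$d"
}

demo
```

Only the wrapper is reported; the script that merely echoes its argument is not. Any sudo rule reported this way is equivalent to granting the user unrestricted root.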