Before I begin: this machine is definitely a troll.
Let's scan the host with nmap and see what information we get about its open ports:
nmap -A -T4 -p- 192.168.1.5 -vv


dirb came back with /secret.

I ran cat, strings and exiftool on both the pictures but came up with nothing.
Next, let's try to connect to the FTP service, as nmap says it allows anonymous login.

After logging in, I listed the files, found a lol.pcap file and retrieved it.

Viewing the file with tcpick -C -yP -r lol.pcap revealed a path: sup3rs3cr3tdirlol

Visiting the path gave us a new file to download, roflmao. It is an executable file; I ran strings on it and found some information inside it, but what we need from it is another path: 0x0856BF



Inside the directory are two folders, each containing a text file: one with the passwords and the other with a username.
I downloaded the two files, Pass.txt and which_one_lol.tx, and used Hydra.

The username overflow worked with the password (Pass.txt), BUT trying to log in was hard and not easy, as the host keeps blocking the login, sometimes crashing, with weird things happening while logging in.
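From the defender's side, a Hydra run like the one above shows up as a burst of failed logins for many usernames from one address. The following is an added example, not part of the original walkthrough, that flags that pattern; it assumes the logins go to an OpenSSH server logging in syslog format, and the log lines, addresses, usernames and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format (not from the target host).
SAMPLE_LOG = """\
Aug 10 12:00:01 host sshd[2101]: Failed password for invalid user user1 from 192.168.1.20 port 40112 ssh2
Aug 10 12:00:02 host sshd[2102]: Failed password for invalid user user2 from 192.168.1.20 port 40113 ssh2
Aug 10 12:00:03 host sshd[2103]: Failed password for invalid user user3 from 192.168.1.20 port 40114 ssh2
Aug 10 12:00:04 host sshd[2104]: Failed password for user4 from 192.168.1.20 port 40115 ssh2
Aug 10 12:00:09 host sshd[2105]: Accepted password for user5 from 192.168.1.20 port 40116 ssh2
Aug 10 12:05:00 host sshd[2110]: Failed password for admin from 192.168.1.30 port 51000 ssh2
Aug 10 12:05:20 host sshd[2111]: Failed password for admin from 192.168.1.30 port 51001 ssh2
Aug 10 12:05:40 host sshd[2112]: Failed password for admin from 192.168.1.30 port 51002 ssh2
"""

# Captures: timestamp, username, source address of a failed password attempt.
FAILED = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\sFailed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)

def find_spraying(log_text, min_users=4, window=timedelta(seconds=60), year=2014):
    """Return {source: sorted usernames} for sources whose failed logins cover
    at least min_users distinct usernames inside one sliding time window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # Syslog timestamps carry no year, so one is assumed (year argument).
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events[m.group(3)].append((ts, m.group(2)))
    flagged = {}
    for source, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {user for _, user in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged[source] = sorted(users)
                break
    return flagged

if __name__ == "__main__":
    print(find_spraying(SAMPLE_LOG))
```

Repeated failures for a single account, like the 192.168.1.30 lines, are not flagged, because the check counts distinct usernames rather than attempts.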


Let's find out what the host kernel and version are and exploit that.

OK, now that we have this information, let's search for an exploit using searchsploit on our machine.

Now let's copy the file to the host machine, using SimpleHTTPServer on our machine and wget on the host machine to download the file into the tmp folder.

Now compile the file, giving the output any name, and run it.

As you can see, we got a root shell and changed directory to /root, where there is a file named proof.txt. View it and that's it.