Start by scanning the target with nmap -A -T4 -p- 192.168.1.5 -vv

Port 80 is open ans we scan it with dirb http://192.168.1.5 /usr/share/dirb/wordlist/big.txt


We got a page with some usernames and passwords, i viewed the page source and i found something interesting which is a decrypting language “ROT47”:

There are one username and password that they looked suspicious “D92:=6?5C2” and “4J36CDA=@:E`” so i searched for ROT47 decrypting sites and i decrypted them to become “Shailendra” and “cybersploit1” and i used them to login via ssh and it worked:

There is a “hint” file we can view it:

Ok now this is easy to priv to root from docker, all we have to do is to run this command:
docker run –privileged –interactive –tty –volume /:/host bash
And then we go to /host/root and find the flag.txt
