Scanning the box with “nmap -A -T4 -p- 192.168.8.156 -vv”

There is a file called “secret.txt”. Visiting this file, we can see a base64 string that we can decode:


It contains an SSH private key, and the only thing we need now is the username, but first let’s save this file, name it id_rsa and give it a permission of 600:
Back to the nmap results, we can see that port 80 is open, so let’s visit the webpage:

As we can see from the webpage, there is only one username, which is “oscp”. We already have the SSH key, so let’s log in:
chmod 600 id_rsa
ssh -i id_rsa oscp@192.168.8.156

We got in. Now we need to break out of the shell jail and enumerate for a path to root:

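This was very straightforward: we became root just by running “/bin/bash -p”. The -p flag tells bash not to drop its effective UID, which gives a root shell when the bash binary is setuid root.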
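
A defender-side check for the condition behind this escalation, as an added example that is not part of the original write-up. It assumes the escalation worked because a shell binary carries the setuid bit; the function name, the list of shell names and the scanned directories are assumptions.

```shell
#!/bin/sh
# Added example, not from the original write-up: report shell binaries that
# carry the setuid or setgid bit. "bash -p" keeps the elevated effective UID
# such a binary starts with, so a root-owned hit is a privilege-escalation path.

# Assumed list of shell names; extend it for your environment.
SHELL_NAMES="sh bash dash ash zsh ksh mksh csh tcsh fish busybox"

# find_suid_shells DIR...
# Prints "<mode string> <owner> <path>" for every setuid/setgid shell found.
find_suid_shells() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -H follows a symlinked start directory (e.g. /bin -> /usr/bin).
        find -H "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        while IFS= read -r path; do
            name=$(basename "$path")
            case " $SHELL_NAMES " in
                *" $name "*)
                    meta=$(ls -ld -- "$path" | awk '{print $1, $3}')
                    printf '%s %s\n' "$meta" "$path"
                    ;;
            esac
        done
    done
}

# Audit the usual binary directories. Remediate a hit with:
#   chmod u-s,g-s <path>
find_suid_shells /bin /sbin /usr/bin /usr/sbin /usr/local/bin
```

An empty result means no listed shell in those directories is setuid or setgid; interpreters and other binaries with the bit set need a separate review.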

And we’re done!!