Nmap

As always, we start with an nmap scan.

# nmap -p- -T4 -sV -sC 10.10.242.68 -oA nmap
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-09 01:03 GMT
Nmap scan report for 10.10.242.68
Host is up (0.018s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 30:83:2a:fb:4c:5e:4c:e5:12:30:a1:84:fa:78:cb:53 (RSA)
|   256 64:bc:38:70:65:55:a2:64:19:7d:ee:21:74:16:1e:24 (ECDSA)
|_  256 d7:82:61:f6:a1:42:3c:d3:46:36:cb:6e:ce:41:b8:c6 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Rick is sup4r cool
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.91 seconds

Website

Only 2 ports are open, so we will go straight to the website. It's a fairly simple page without any links anywhere.

However, looking at the page source does give a clue.

Gobuster

Given that the server is running Apache, we can guess that PHP might be in use, so we add that along with a few other extensions to the query.

# gobuster dir -u http://10.10.242.68 -w /usr/share/wordlists/dirb/common.txt -x php,html,zip,bak,txt  
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.242.68
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,zip,bak,txt,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 277]
/.php                 (Status: 403) [Size: 277]
/.hta.html            (Status: 403) [Size: 277]
/.hta                 (Status: 403) [Size: 277]
/.hta.bak             (Status: 403) [Size: 277]
/.hta.zip             (Status: 403) [Size: 277]
/.htaccess.bak        (Status: 403) [Size: 277]
/.htaccess.php        (Status: 403) [Size: 277]
/.htaccess.txt        (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htaccess.zip        (Status: 403) [Size: 277]
/.hta.txt             (Status: 403) [Size: 277]
/.hta.php             (Status: 403) [Size: 277]
/.htaccess.html       (Status: 403) [Size: 277]
/.htpasswd.txt        (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htpasswd.php        (Status: 403) [Size: 277]
/.htpasswd.zip        (Status: 403) [Size: 277]
/.htpasswd.bak        (Status: 403) [Size: 277]
/.htpasswd.html       (Status: 403) [Size: 277]
/assets               (Status: 301) [Size: 313] [--> http://10.10.242.68/assets/]
/denied.php           (Status: 302) [Size: 0] [--> /login.php]
/index.html           (Status: 200) [Size: 1062]
/index.html           (Status: 200) [Size: 1062]
/login.php            (Status: 200) [Size: 882]
/portal.php           (Status: 302) [Size: 0] [--> /login.php]
/robots.txt           (Status: 200) [Size: 17]
/robots.txt           (Status: 200) [Size: 17]
/server-status        (Status: 403) [Size: 277]
Progress: 27684 / 27690 (99.98%)
===============================================================
Finished
===============================================================

It looks like there might be an authenticated part of the site. Working our way through the results: there is nothing out of the norm in the assets directory, and login.php is asking for a username and password.

And the robots.txt does not contain a normal entry.

Login to site

We already have a username from the source code on the main page, so using that and the password found in the robots.txt gets us in. Once logged in we have a command panel section. The other menu items just show as denied.
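
A pre-deployment check for the two leaks used above: a credential hint left in an HTML comment and a robots.txt line that is not a crawler directive. This is an added example, not part of the original write-up; the keyword list, function names and sample inputs are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Fields crawlers actually understand; any other robots.txt line is suspect.
ROBOTS_FIELDS = {"user-agent", "disallow", "allow", "sitemap", "crawl-delay", "host"}
# Assumed keyword list hinting that a comment carries account details; tune per site.
CRED_HINT = re.compile(r"\b(user(name)?|login|pass(word|wd)?|secret|token|key)\b", re.I)


def audit_robots(text):
    """Return (line_no, line) for each line that is not a comment or known directive."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        field, sep, _ = line.partition(":")
        if not sep or field.strip().lower() not in ROBOTS_FIELDS:
            findings.append((no, raw.strip()))
    return findings


class _CommentCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(" ".join(data.split()))  # normalise whitespace


def audit_html_comments(html):
    """Return HTML comments whose text mentions credential-like keywords."""
    parser = _CommentCollector()
    parser.feed(html)
    parser.close()
    return [c for c in parser.comments if CRED_HINT.search(c)]


# Constructed sample input, not the files served by the host in this write-up.
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin/\nSummerTime2024\n# staging note\n"
SAMPLE_HTML = """<html><body><h1>Home</h1>
<!-- TODO: fix layout -->
<!-- remember: portal username is example_user -->
</body></html>"""

if __name__ == "__main__":
    print(audit_robots(SAMPLE_ROBOTS))
    print(audit_html_comments(SAMPLE_HTML))
```

Run over the web root before publishing, either finding is a reason to stop the release: nothing in a served comment or in robots.txt should be usable as a login.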

Whilst we can execute some commands like ls, we can’t cat the 2 interesting txt files it returns.

Since we are in the web root, we can just visit them directly from the browser.

But let's get a reverse shell to make things easier. It took a couple of attempts to find a working one.

Shell

With the shell we can now cat files, which makes life simpler. Looking around at users, we can see there is one called rick, and we can just cat out the 2nd ingredient to answer the room question.

Finally, to get the 3rd ingredient we check sudo privileges and see that we have full rights. So we look in the root home directory, and that's where the final answer is.