 
Nmap Output:
 
 
Ftp Connection:
 
 
When we log in to FTP as anonymous, we can download two files: an id_rsa key and a note.txt.
 
The note.txt file reveals the username errorcauser, and it also tells us that errorcauser backed up his id_rsa key here.
 
Then we can crack the passphrase of this RSA key with John.
 
 
Now we can log in over SSH as errorcauser with his id_rsa and the passphrase we cracked with John.
 
 
Once logged in over SSH, the user's note says the web service can only be accessed locally, so we set up a local port forward.
 
First, let's check our own HTTP port: local port 80 has to be free on our machine before we forward to it.
 
 
By the way, don't forget to answer the questions.
 
 
SSH Tunneling

sudo ssh -i id_rsa -L 80:127.0.0.1:80 errorcauser@10.10.219.135

 
Now that the SSH tunnel is up, we can view the website at http://127.0.0.1/ on our own machine. Note that sudo is only needed because binding local port 80 is privileged; forwarding to a high local port such as 8080 would not require it.
 
 
Nmap output:
 
 
The Nmap scan we ran with the vulnerability script shows two findings: 1) duplicator 1.3.26 and 2) wp-file-manager 6.0.
 
If we search for these two vulnerabilities on Exploit-DB, we can find the CVE values the questions ask for.
 
The exploit we will use is the wp-file-manager one.
 
 
Once the exploit's settings are configured, we can easily get a shell.
 
user.txt
 
 

find / -type f -user cth -exec ls {} + 2>/dev/null

This Linux command searches the whole filesystem for regular files owned by the user "cth" and lists them with ls, sending any error messages (stderr, such as permission denied) to /dev/null.
 
 
The file on the bottom line is the interesting one.
 
 
Looking at the file's contents, we see it is a script: it contains the user's old password, and it changes the user's password.
 
If we change the last digit of the password as the machine author hints, we get the user's new password.
 
 
With the sudo -l command, we see that the user can run everything with sudo.
 
Then there is no need to wait. Let's use the cat command directly.