 
Nmap Output:
 
 
Dirb output: /admin
 
 
Login page.
 
 
When we look at the source code, we see the username.
 
 
We capture the login request parameters with Burp Suite and FoxyProxy so that we can brute-force the form with hydra.
 
 

sudo hydra -l admin -P rockyou.txt 10.10.69.91 http-post-form "/admin/:user=admin&pass=^PASS^:Username or password invalid"

 
 
Hydra finds the password. Now we can log in.
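Seen from the server side, the hydra run above is a burst of POST requests to /admin/ from a single address. The following sketch is an added example, not part of the original write-up, that flags such bursts in a web access log. The combined log format, the threshold and window values, and the sample lines with their documentation-range IP addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Prefix of a common/combined access-log line: client IP, timestamp, method, path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_bruteforce(lines, path="/admin/", threshold=20, window=timedelta(seconds=60)):
    """Return {ip: peak number of POSTs to `path` inside any `window`}
    for every client whose peak reaches `threshold`."""
    recent = defaultdict(deque)  # ip -> timestamps of POSTs still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        # Failed and successful logins may both return 200 (assumption: the error
        # text is only in the response body), so count requests, not status codes.
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != path:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop requests that fell out of the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed log: one client sending 4 login POSTs per second for 30 s,
    and one user who submits the form three times over several minutes."""
    start = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "POST /admin/ HTTP/1.1" 200 671'
    lines = [fmt.format(ip="203.0.113.5",
                        ts=(start + timedelta(seconds=i // 4)).strftime(TS_FMT))
             for i in range(120)]
    lines += [fmt.format(ip="198.51.100.7",
                         ts=(start + timedelta(minutes=m)).strftime(TS_FMT))
              for m in (1, 2, 9)]
    return lines

if __name__ == "__main__":
    for ip, count in find_bruteforce(sample_log()).items():
        print(f"{ip}: {count} login POSTs within 60 s")
```

Rate limiting or lockout on the login form enforces the same threshold at request time instead of after the fact.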
 
 
After logging in, we are given john's SSH key.
 
 
Download the key with wget.
 
 
The key is decrypted with the following command, and the passphrase is obtained.
 
 
Now we can log in.
 
 
We get the user flag.
 
 
 
Since we can run the cat command with sudo, we can print the shadow file and crack the root password.
 
Actually, we do not need the root password to print the root.txt flag at this stage. Running sudo cat /root/root.txt is enough, but the machine asks us for the root password, so we will crack it.
 
 
Let's copy all the hashes to the local machine and crack them with hashcat.
 

hashcat --force -m 1800 -a 0 hash rockyou.txt

 
 
Now we are root.