# Trust
| Platform | Dockerlabs |
|---|---|
| OS | Linux |
| Difficulty | Easy |
| InitialVector | SSH Bruteforce |
| Privesc | sudo vim |
## Information Gathering
We began by pinging the target host to verify connectivity and inspect the TTL value in the response.
A TTL of 64 is commonly associated with Linux systems, so this gave us an initial indication that the target was likely running Linux.
Next, we performed a full TCP port scan with Nmap to identify exposed services and gather version information.
```shell
nmap -sV -sC -p- --min-rate 5000 172.18.0.2 -n -Pn
```
The scan revealed the following open ports:
```text
22/tcp open ssh  OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.57 ((Debian))
```
At this point, our attack surface was limited to SSH and HTTP, so we proceeded to enumerate both services.
## Enumeration

### Port 80 - HTTP
We first visited the web server hosted on port 80 to inspect the available content.
The page displayed only the default Apache landing page, which did not provide any immediately useful information.
Since no interesting content was visible manually, we used Gobuster to enumerate directories and files on the web server.
```shell
gobuster dir -u http://172.18.0.2/ -w /usr/share/wordlists/dirb/common.txt
```
This initial wordlist did not reveal anything particularly useful, so we switched to a larger wordlist and expanded the scan by including common file extensions and enabling recursive discovery.
```shell
gobuster dir -u http://172.18.0.2/ -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x .php,.txt,.html -r
```
By adjusting the wordlist and adding extensions plus recursive enumeration, we were able to identify additional content within the web server.
Among the discovered resources, we found the file `secret.php`.
When browsing to this page, we found a message that read:
> “Hola Mario, esta web no se puede hackear”
This was an important clue, as it suggested the possible existence of a valid user named mario.
### Port 22 - SSH
Before attempting authentication attacks, we checked whether the detected SSH version had any known public exploits using Searchsploit.
No relevant exploit was found for OpenSSH 9.2p1, so direct exploitation did not appear to be a viable path.
Given the clue discovered on the web server, we decided to test whether mario was a valid SSH user and attempted a password brute-force attack using Hydra.
```shell
hydra -l mario -P /usr/share/wordlists/rockyou.txt 172.18.0.2 ssh
```
The attack was successful and revealed valid credentials:
```text
Username: mario
Password: chocolate
```
We then used these credentials to log in via SSH.
After accepting the host key and providing the password, we obtained shell access.
```shell
export TERM=xterm
```

Setting `TERM` gave us a properly behaving interactive shell on the target system.
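Detection logic a defender could run over sshd authentication logs for the brute-force pattern described above (an added example, not part of the original writeup; the log lines, hostname and addresses are constructed):

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (not from the page); host, addresses and times are made up.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 trust sshd[1201]: Failed password for mario from 10.0.0.5 port 50122 ssh2
Jan 10 12:00:02 trust sshd[1203]: Failed password for invalid user admin from 10.0.0.5 port 50124 ssh2
Jan 10 12:00:02 trust sshd[1205]: Failed password for mario from 10.0.0.5 port 50126 ssh2
Jan 10 12:00:03 trust sshd[1207]: Failed password for mario from 10.0.0.5 port 50128 ssh2
Jan 10 12:00:04 trust sshd[1209]: Failed password for mario from 10.0.0.5 port 50130 ssh2
Jan 10 12:00:05 trust sshd[1211]: Accepted password for mario from 10.0.0.5 port 50132 ssh2
Jan 10 12:30:00 trust sshd[1300]: Accepted password for mario from 10.0.0.9 port 41000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_auth_log(text, year=2024):
    """Parse sshd password-auth lines into (time, result, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed passwords in any window_seconds span."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[3]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [t for t, result, _, _ in evs if result == "Failed"]
        start, peak = 0, 0
        for i, t in enumerate(fails):  # sliding window over failure timestamps
            while (t - fails[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            # an Accepted after the first failure means the guessing likely succeeded
            success = any(r == "Accepted" and t >= fails[0] for t, r, _, _ in evs)
            findings[ip] = {"failures": len(fails), "success_after": success}
    return findings
```

A `success_after` hit is the case worth paging on: the burst of failures followed by an accepted password is exactly what the Hydra run above leaves in the log.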
## Privilege Escalation
Once inside the target as user mario, we checked the user's sudo privileges.
```shell
sudo -l
```

The output showed that vim could be executed with sudo. Since vim can be abused to spawn a shell, we used it to escalate privileges to root.

```shell
sudo vim -c ':!/bin/bash'
```
## Conclusion
In this machine, initial reconnaissance revealed two exposed services: SSH and HTTP.
Web enumeration uncovered a hidden file, secret.php, which leaked the username mario. Using that clue, we performed a password brute-force attack against SSH and obtained valid credentials. After gaining access to the target system, we discovered that vim could be executed with sudo, which allowed us to spawn a privileged shell and fully compromise the machine.