Let’s run nmap on the target:

There are 2 ports open:
- 22 -> ssh
- 80 -> website

The website runs elFinder, an open-source file manager for the web.

There is one file on the website named CredsE.txt which contains credentials encoded with ROT.

We decode it with CyberChef and get the credentials for the debian user:

We connect as debian and get the user flag.

The debian user can run /usr/bin/python with sudo permissions, so the privesc is quite easy.
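
From the defender's side, the sudo rule described above is something a configuration audit can catch. The following is an added example, not part of the original writeup: it scans sudoers-style rules for entries that hand an interpreter to a user as root. The sample rules, the RISKY list and the severity labels are assumptions made for illustration.

```python
import posixpath
import re

# Assumption: programs treated as able to run arbitrary code or spawn a shell.
RISKY = {"python", "perl", "ruby", "php", "node", "lua", "bash", "sh", "vim", "find", "awk"}

# Constructed sample sudoers content, not taken from the target machine.
SAMPLE = """\
Defaults env_reset
debian ALL=(ALL) NOPASSWD: /usr/bin/python
backup ALL=(root) /usr/bin/rsync, /usr/bin/python3.9 /opt/backup.py
%admin ALL=(ALL) ALL
"""

# user-or-group, host list, optional (runas), then the command list
RULE = re.compile(r"^(?P<who>\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...


def audit(text):
    """Return (who, command, severity) for sudo rules that hand out code execution as root."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        match = RULE.match(line)
        if not match:
            continue
        # Simplification: commas escaped inside a command are not handled.
        for cmd in match.group("cmds").split(","):
            cmd = TAGS.sub("", cmd.strip())
            if cmd == "ALL":
                findings.append((match.group("who"), cmd, "high"))
                continue
            parts = cmd.split()
            if not parts:
                continue
            # python3.9 -> python, so versioned binaries are matched too
            name = re.sub(r"[\d.]+$", "", posixpath.basename(parts[0]))
            if name in RISKY:
                # No fixed arguments: the user chooses what the interpreter runs.
                severity = "high" if len(parts) == 1 else "review"
                findings.append((match.group("who"), cmd, severity))
    return findings


if __name__ == "__main__":
    for who, cmd, severity in audit(SAMPLE):
        print(f"[{severity}] {who}: {cmd}")
```

On a real host, feed it the contents of /etc/sudoers and the files under /etc/sudoers.d.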

We’ve got the root flag 🎉