Hommie
This says "Enumeration was KEY"
Nmap results:
I'll start with port 21: FTP, as anonymous login is allowed.
Looking at .web, there is an index.html.
So "nobody" is concerned about reverse shells. Well, with anonymous login allowed I would be too!
Let's upload a reverse shell and see if we can get initial access.
After uploading a reverse shell and navigating to the site, it downloaded the shell, so it can't be executed.
I then decided to run nmap with the -sU flag on the first 100 UDP ports.
Trivial File Transfer Protocol (TFTP) is running on port 69. Let's see if we can grab that exposed id_rsa file.
Now that we have initial access, it is time to get root.
That first one, /opt/showMetheKey, looks interesting.
Using the strings command, we can see that this binary looks at $HOME/.ssh/id_rsa and cats it out. So we can change the $HOME environment variable and get root's id_rsa.
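From the defender's side, the flaw above is a privileged binary trusting $HOME. The C below is an added example, not the source of /opt/showMetheKey (the writeup only inspects that binary with strings); the function names and the sample HOME value are constructed. It puts the environment-derived key path next to a hardened version that takes the home directory from the passwd database and drops privileges before any file access.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Pattern described in the writeup: the key path is built from $HOME,
 * which the invoking user fully controls, even in a setuid program. */
int key_path_from_env(char *out, size_t len) {
    const char *home = getenv("HOME");
    if (home == NULL) return -1;
    int n = snprintf(out, len, "%s/.ssh/id_rsa", home);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;   /* reject truncation */
}

/* Hardened: ignore the environment and take the home directory of the
 * real (invoking) UID from the passwd database. */
int key_path_from_passwd(char *out, size_t len) {
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || pw->pw_dir == NULL) return -1;
    int n = snprintf(out, len, "%s/.ssh/id_rsa", pw->pw_dir);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Hardened: permanently drop setuid/setgid privileges (group first) so
 * that any later open() happens with the caller's own rights. */
int drop_privileges(void) {
    if (setgid(getgid()) != 0) return -1;
    if (setuid(getuid()) != 0) return -1;
    return 0;
}

int main(void) {
    char path[4096];
    setenv("HOME", "/tmp/constructed-home", 1);   /* constructed sample value */
    if (key_path_from_env(path, sizeof path) == 0)
        printf("env-derived:    %s\n", path);
    if (drop_privileges() == 0 && key_path_from_passwd(path, sizeof path) == 0)
        printf("passwd-derived: %s\n", path);
    return 0;
}
```

The env-derived path follows whatever HOME is set to, while the passwd-derived path stays tied to the account that actually ran the program.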
And we are root. Using the find command, we can see where that root.txt file is and get the flag!
Nice! Remember, if you can't find a way in on TCP ports, start enumerating UDP ports. Do a short port range, as UDP scanning can take a very long time.