# HackMyVM-Pwned
## NMAP
```
Nmap scan report for 192.168.1.7
Host is up (0.00020s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
| 256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_ 256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Pwned....!!
MAC Address: 08:00:27:56:AD:A9 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.73 seconds
```
## PORT 80
Looking at the source we can see a comment at the bottom of the page
I ran gobuster
From fuzzing the directories `/nothing` led me to actually nothing
However `/hidden_text` was intersting.
Which was like wordlist or maybe there directories exists on the machine.So using this wordlist it came back with a `pwned.vuln` file
Looking at the source code again
These were infact credentials for ftp server
The note says
```
Wow you are here
ariana won't happy about this note
sorry ariana :(
```
This is private key belongs to user `ariana` so we can ssh into the box with this.
Run `sudo -l` to see what we can run as root or as other user
Transfer linpeas on the box
Right at the start it says that the user is `docker` group and we can privesc abusing it
Visting GTFOBINS for any privesc on docker
And we are root !!!
fb8d98be1265dd88bac522e1b2182140
711fdfc6caad532815a440f7f295c176
4d4098d64e163d2726959455d046fd7c