Date: Mar 23, 2025 → Mar 23, 2025
Tags: Nmap, Brute Force, Privilege Escalation Techniques
192.168.140.32
Nmap
└─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-22 21:27 EDT
Nmap scan report for 192.168.140.32
Host is up (0.063s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8338/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 26.54 seconds
└─# nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-22 21:27 EDT
Nmap scan report for 192.168.140.32
Host is up (0.076s latency).
All 65535 scanned ports on 192.168.140.32 are in ignored states.
Not shown: 65535 open|filtered udp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 27.16 seconds
22
Tried brute force on 22.

Failed.
80

I could not get the page normally, but I can use a scanner to get the resource address, and it shows the thing below, which I can access.


Use
curl $ip:80
I can extract the HTML info, so I tried writing it to a local HTML file and opening it.
It is an Apache2 default page.
8338

I can access this page.
Tried easy passwords but still can't log in.

No scanning results.


We tried to use this exploit but it was unsuccessful. This is likely because the /login page is blocked on this website and redirects directly to the login page. I guess we need to remove /login from the URL.
Wait a sec, I forgot to add the port.
The attempt also failed and my guess was incorrect.
Maybe it is another version; let's try to find more.


When I change to port 80 it works.
PE



We found no crontab we can use, but in home we can see an /etc backup file, so we can see many things in here.

And in the shadow file we found the root password, but it was encrypted.
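
A defender-side check for the exposure described above, as an added example that is not part of the original write-up: it walks a directory tree and reports copies of shadow files that are readable by every local user and still contain password hashes. It assumes the backup is an unpacked directory tree (archives are not inspected); the function name and the file-name patterns are hypothetical choices made for this example.

```shell
#!/bin/sh
# Added example: audit a tree (e.g. /home) for stray, world-readable
# copies of shadow files left behind by backups of /etc.

find_exposed_shadow_copies() {
    root=$1
    # Assumed naming: shadow, shadow-, shadow.bak, gshadow, ...
    # -perm -o=r selects files whose mode grants read to "other".
    find "$root" -type f \( -name 'shadow*' -o -name 'gshadow*' \) \
        -perm -o=r 2>/dev/null |
    while IFS= read -r f; do
        # Report only files holding a real crypt(3) hash ($id$...),
        # not files with only locked entries such as "!" or "*".
        if grep -Eq '^[^:]+:\$[0-9a-z]+\$' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Stand-alone use: sh audit.sh /home
if [ "$#" -gt 0 ]; then
    find_exposed_shadow_copies "$1"
fi
```

Any path this prints should be removed or restricted to root, and the passwords whose hashes it contained should be rotated.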

We tried to hashcat it.
Can't, but we found another part

which we can try to access.

Since it might be a scheduled task, let's try it.

Also add this into the file.


Got the flag.