From nmap, there are ssh, http and https service.
And from its vulnerability script, it tells us that it has a potential ssl-heartbleed vulnerability.
This is the web page.
There are some scripts for heartbleed, I used the first one.
It dumps the memory, I named it
dump.bin, and see something about
The page exists, and it can decode strings for us.
I copy the string
dump.bin and submit, we get a password like string.
http_enum, it indicates that there is a potential interesting folder
/dev/, and it contains a file
I download it and reverse those hex string to plain text. It is a RSA private key.
I try to ssh as user
hype with this key and enter the passphrase from
decode.php. We successfully get in, and get user.txt.
There is a strange directory
/.devs, and it contains a file
dev_sess. It is a server socket session file. I run
tmux -S /.devs/dev_sess to attach it.
And we are root.