From the nmap scan, SSH and HTTP are open.
I then scan all ports and find port 1337 open.
This is the web page.
In the source code, there is a comment associated with port 1337.
This is port 1337.
myapp, and it seems like port 1337 echoes back whatever we send it.
I use Ghidra to decompile it. There is a buffer overflow.
And there is a function
I create a Python script to get a shell with a ROP chain.
Executing it, I get a shell as user. There is a .kdbx file and 6 images. They may be key files for the KeePass database.
I create all the potential hashes.
One of them is cracked by hashcat.
Opening the KeePass database, I get the root password.
I get permission denied when I try to ssh as root. It may be a restriction in sshd_config. So I ssh as user and switch to root successfully.
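
The sshd_config restriction guessed at above can be checked by resolving the PermitRootLogin value the way sshd reads it. This is an added example, not code from the original writeup; the sample config and the function names are constructed for illustration.

```python
# Constructed sample config, not taken from the target host.
SAMPLE_SSHD_CONFIG = """\
Port 22
#PermitRootLogin yes
PermitRootLogin prohibit-password
PasswordAuthentication yes
PermitRootLogin yes

Match Address 10.0.0.0/8
    PermitRootLogin no
"""

DEFAULT = "prohibit-password"   # OpenSSH default when the keyword is absent
ALIASES = {"without-password": "prohibit-password"}  # deprecated spelling


def effective_permit_root_login(config_text):
    """Return (global_value, match_overrides) for PermitRootLogin.

    sshd keeps the first value it reads for a keyword, so later duplicates
    in the global section are ignored. Lines after a Match keyword apply
    only to connections that satisfy that Match.
    """
    global_value, overrides, current_match = None, [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key=value" form
        key = parts[0].lower()                       # keywords ignore case
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current_match = value
        elif key == "permitrootlogin":
            value = ALIASES.get(value.lower(), value.lower())
            if current_match is not None:
                overrides.append((current_match, value))
            elif global_value is None:               # first occurrence wins
                global_value = value
    return (global_value or DEFAULT), overrides


def root_password_login_permitted(config_text):
    """True only if the global PermitRootLogin value is 'yes'."""
    return effective_permit_root_login(config_text)[0] == "yes"


if __name__ == "__main__":
    print(effective_permit_root_login(SAMPLE_SSHD_CONFIG))
```

PermitRootLogin only governs logins handled by sshd, so `su` from an already authenticated local user is unaffected, which matches the behaviour seen here. On a live host, `sshd -T` prints the effective values as sshd itself computes them.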