Japantown
Nmap Result
As seen above and in the robots.txt file, there is a .png image file; however, the image did not render properly.
The file is actually a text file containing the base64-encoded bytes of the image. The decoded image is shown below.
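Recovering an image that was served as base64 text, as an added example that is not part of the original writeup: it assumes the file is plain base64 (possibly line-wrapped) and accepts the decoded bytes only if they carry the PNG signature, so stray text is never handed to an image viewer. The sample "served file" is constructed inline from a minimal 1x1 PNG rather than taken from the box.

```python
import base64
import binascii
import re
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
BASE64_RE = re.compile(rb"[A-Za-z0-9+/]*={0,2}")


def looks_like_base64_text(data: bytes) -> bool:
    """True if the payload is (possibly line-wrapped) base64 text rather than binary image data."""
    stripped = b"".join(data.split())  # drop the line wrapping that base64 encoders add
    return bool(stripped) and len(stripped) % 4 == 0 and BASE64_RE.fullmatch(stripped) is not None


def recover_png(data: bytes) -> bytes:
    """Return the real PNG bytes for a file that was served as an image.

    A genuine PNG passes through unchanged; a base64 text file is decoded and
    the result is accepted only if it starts with the PNG signature.
    """
    if data.startswith(PNG_MAGIC):
        return data
    if not looks_like_base64_text(data):
        raise ValueError("payload is neither a PNG nor base64 text")
    try:
        decoded = base64.b64decode(b"".join(data.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"invalid base64: {exc}") from exc
    if not decoded.startswith(PNG_MAGIC):
        raise ValueError("decoded payload does not carry the PNG signature")
    return decoded


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit grayscale PNG standing in for the box's image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")  # filter byte + one black pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed sample of the "image" as served: base64 text wrapped at 76 columns.
SAMPLE_BASE64_FILE = base64.encodebytes(build_minimal_png())


if __name__ == "__main__":
    fixed = recover_png(SAMPLE_BASE64_FILE)
    print(f"served {len(SAMPLE_BASE64_FILE)} bytes of text -> {len(fixed)} bytes of PNG")
    with open("recovered.png", "wb") as fh:
        fh.write(fixed)
```

On a real file, read it with `open(path, "rb")` and pass the bytes to `recover_png`; checking the signature after decoding is what tells you the "image" really was base64 and not, say, HTML from an error page.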
While exploring the WordPress service running on port 80, I came across the post below, which contains a pixelated image and suggests a tool for recovering the pixelated text (https://github.com/spipm/Depixelization_poc).
The tool successfully de-pixelated the password, using the image found via robots.txt as the search image, and I was able to log in to the WordPress account as Kim.
I got a reverse shell using the Pentest Monkey PHP reverse shell payload, with a netcat listener set up on my Kali box.
The password for the user "www-data" was found in a file called "password_for_www_data" in /var/www data.
Privilege Escalation
Using pspy (a command-line tool for snooping on processes without root permissions), the process below with PID 8342 was observed. In simple terms, the process downloads the OpenSSH 8.2p1 .deb package from the domain "de.archive.ubuntu.com", waits 60 seconds, and then unpacks (installs) the .deb file, all while running as root.
To exploit this for privilege escalation, two actions need to be performed.
First, I need to change the system's stored FQDN-to-IP mapping (the /etc/hosts file) so that requests to "de.archive.ubuntu.com" go to our Kali box. Luckily (or rather, intentionally :)), we are able to edit /etc/hosts as www-data.
Secondly, we need to create our own malicious OpenSSH .deb file with the same name and location as seen in the pspy output.
As seen below, a reverse shell payload was added to the postinst file, which was then built into a .deb package.
As expected, the file was automatically downloaded from our Kali box and, once unpacked on the victim, gave us a root reverse shell.
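The chain above rests on two auditable conditions: a root job that installs a package fetched over plain HTTP with no signature check, and a hosts file that the web user can write. The following is an added audit example, not part of the writeup or of pspy itself, that flags both. The pspy-style lines are constructed samples (the line format "CMD: UID=<n> PID=<n> | <command>" is an assumption), and the URL path is a placeholder rather than the real package location.

```python
import os
import re
import stat
from dataclasses import dataclass
from typing import Iterable, List

# Assumed pspy-style line format: "<timestamp> CMD: UID=<n> PID=<n> | <command>".
PSPY_RE = re.compile(r"CMD:\s+UID=(\d+)\s+PID=(\d+)\s+\|\s+(.*)$")
# A download over plain HTTP (no transport integrity) by a common fetch tool.
HTTP_FETCH_RE = re.compile(r"\b(?:wget|curl)\b[^;|&]*\bhttp://")
# A local package install, which runs maintainer scripts (postinst) as root.
DPKG_INSTALL_RE = re.compile(r"\bdpkg\s+(?:-i|--install)\b")

# Constructed sample lines (not the box's real pspy output); the URL path is a placeholder.
SAMPLE_PSPY_LINES = [
    "2021/01/01 12:00:01 CMD: UID=0    PID=8342   | /bin/sh -c wget http://de.archive.ubuntu.com/EXAMPLE_PATH/openssh_8.2p1.deb -O /tmp/openssh.deb; sleep 60; dpkg -i /tmp/openssh.deb",
    "2021/01/01 12:00:05 CMD: UID=33   PID=9001   | /usr/sbin/apache2 -k start",
    "2021/01/01 12:00:09 CMD: UID=0    PID=9100   | /usr/bin/apt-get update",
]


@dataclass
class Finding:
    pid: int
    reason: str
    command: str


def audit_process_lines(lines: Iterable[str]) -> List[Finding]:
    """Flag root-owned commands that fetch over plain HTTP and install the result with dpkg."""
    findings: List[Finding] = []
    for line in lines:
        m = PSPY_RE.search(line)
        if m is None:
            continue  # not a process line in the assumed format
        uid, pid, cmd = int(m.group(1)), int(m.group(2)), m.group(3)
        if uid != 0:
            continue  # only root jobs turn a substituted download into full compromise
        fetches = HTTP_FETCH_RE.search(cmd) is not None
        installs = DPKG_INSTALL_RE.search(cmd) is not None
        if fetches and installs:
            findings.append(Finding(pid, "root installs a package fetched over plain HTTP; "
                                         "a hosts or DNS change can substitute the file", cmd))
        elif fetches:
            findings.append(Finding(pid, "root fetches over plain HTTP", cmd))
    return findings


def hosts_permissions_weak(mode: int, owner_uid: int) -> bool:
    """True if a file with this mode/owner can be modified by a non-root user.

    /etc/hosts should be root-owned and 0644; group- or world-writable bits, or a
    non-root owner, let an unprivileged account redirect names such as the mirror above.
    """
    return owner_uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def check_hosts_file(path: str = "/etc/hosts") -> bool:
    """Stat the real hosts file and report whether its permissions are weak."""
    st = os.stat(path)
    return hosts_permissions_weak(st.st_mode, st.st_uid)


if __name__ == "__main__":
    for f in audit_process_lines(SAMPLE_PSPY_LINES):
        print(f"PID {f.pid}: {f.reason}\n    {f.command}")
    print("hosts file writable by non-root:", check_hosts_file())
```

Feeding pspy's saved output to `audit_process_lines` surfaces the risky job; the fix on the defending side is to have the job install through apt (which verifies repository signatures) or at least fetch over HTTPS and check a hash, and to restore root-only write access on /etc/hosts.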