medium.com

Alpine room official writeup

Soraya Djerrab

Alpine is an easy difficulty machine. Do you wish to go skiing, or maybe to book a two-night trip to the mountain? Then this Linux room is for you! You can access it here.

We start by trying to access the machine’s website in a browser and we get this error, which hints that we need to add the domain name to our /etc/hosts file.

So we add this line to the end of our /etc/hosts file :

echo "MACHINE8_IP alpine.nyx" >> /etc/hosts

Now, the website is accessible :

We can now do an nmap scan, which confirms that we’ve got ports 80 and 22 open, for HTTP and SSH.
The command for the nmap scan is as follows:

nmap -sC -sV alpine.nyx

We then move on to the enumeration part. The website is our main interest.
Using dirsearch, we get the following results :

The login.html page seems interesting.

We try some common credentials, but to no avail. Checking the source code is what opens the door for us :

Using the username/password combination we found, we get access to the profile.html page we previously found. While digging around, we find locked SSH credentials !

And we got the user flag !

We also find a README file, which seems to hold some hints :

This file speaks of another user, so we should try to access their home. We find a .git directory, which we enumerate, and in it we find an SSH file the users tried to delete. We recover that private key:

Now, we’re going to try and use that key to log in as the sysadmin user:

We have successfully logged in as sysadmin ! We also check the NOTES.txt file :

It gives us a hint about an “automated” cleaning strategy, which runs every two minutes. This seems like a cron job! We then search for it and find the cleanup file in the /opt/scripts directory:

Since we have write permission on the file, we add this line to it:

/bin/cat /root/*.txt >/tmp/root_flag 2>/dev/null

After waiting at most two minutes, we get the root flag!!
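
A defender-side check for the misconfiguration used above, as an added example that is not part of the original writeup: it reads a system-format crontab and reports root-run scripts, or their parent directories, that are group- or world-writable or not owned by the trusted uid. The file name cleanup.sh, the crontab lines and the lab directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the writeup): audit root cron entries for scripts
# that someone other than the trusted uid can modify.
TRUSTED_UID=${TRUSTED_UID:-0}   # uid allowed to own root-run scripts

# Succeeds if $1 is group/world-writable or not owned by the trusted uid.
is_tamperable() {
    [ -n "$(find -L "$1" -prune \( -perm -020 -o -perm -002 -o ! -user "$TRUSTED_UID" \) -print 2>/dev/null)" ]
}

# audit_crontab FILE: FILE uses the system format (5 time fields, user, command),
# as in /etc/crontab and /etc/cron.d/*. Prints one "TAMPERABLE <path>" line per
# root-run script, or parent directory, that fails is_tamperable.
audit_crontab() {
    # Skip comments, blank lines and VAR=value lines; keep root entries and
    # emit every absolute path that appears in the command.
    awk '!/^[ \t]*(#|$)/ && $1 !~ /=/ && $6 == "root" {
             for (i = 7; i <= NF; i++) if ($i ~ /^\//) print $i }' "$1" |
    while read -r path; do
        [ -f "$path" ] || continue            # ignore devices and missing files
        for target in "$path" "$(dirname "$path")"; do
            if is_tamperable "$target"; then echo "TAMPERABLE $target"; fi
        done
    done | sort -u
}

# Constructed sample: a lab tree mirroring the two-minute cleanup job.
# The name cleanup.sh and every crontab line below are assumptions.
demo() {
    TRUSTED_UID=$(id -u)                       # lab files are owned by us, not root
    lab=$(mktemp -d) && mkdir -p "$lab/opt/scripts" "$lab/opt/safe"
    printf '#!/bin/sh\n' > "$lab/opt/scripts/cleanup.sh"
    printf '#!/bin/sh\n' > "$lab/opt/safe/rotate.sh"
    chmod 755 "$lab/opt" "$lab/opt/scripts" "$lab/opt/safe" "$lab/opt/safe/rotate.sh"
    chmod 775 "$lab/opt/scripts/cleanup.sh"    # writable beyond its owner
    cat > "$lab/crontab" <<EOF
# constructed sample crontab
SHELL=/bin/sh
*/2 * * * * root $lab/opt/scripts/cleanup.sh >/dev/null 2>&1
0 3 * * * root $lab/opt/safe/rotate.sh
17 * * * * www-data $lab/opt/scripts/cleanup.sh
EOF
    audit_crontab "$lab/crontab" | sed "s|$lab||"
    rm -rf "$lab"
}
demo
```

On a real host, call audit_crontab on /etc/crontab and each file in /etc/cron.d with TRUSTED_UID left at 0; any reported script should be made root-owned with mode 755 or stricter.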

And the machine is done! I hope you enjoyed solving it.