2971f3459fe55db1237aad5e0f0a259a41633962
543d3e087a6764fbeb3d42f58c59b78e201e7f69
4eedbe365eede0a18ab90b63c209284dd653add9
6bf7c50b228c4672b590615b5cbcb73bb44614fd
185d65d0fd6049385ab53eae8be28b2c79023bc2
e075fab32dea389109b4a0023ffe9b4fb87d2feb
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 45:66:62:34:f1:21:bf:8b:43:18:fb:24:a7:f3:29:76 (RSA)
| 256 1c:2a:2e:e4:e8:ea:cc:ec:a5:c4:44:d0:18:75:24:34 (ECDSA)
|_ 256 24:1a:99:37:27:53:a4:ce:0e:30:d4:14:d0:68:df:2b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Since there is nothing on port 80 home page, so we do a quick directory fuzz
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u 10.150.150.27 -w /usr/share/wordlists/dirb/common.txt -q -t 200
/.htaccess (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/.hta (Status: 403) [Size: 278]
/cart (Status: 301) [Size: 313] [--> <http://10.150.150.27/cart/>]
/index.html (Status: 200) [Size: 10918]
/master (Status: 301) [Size: 315] [--> <http://10.150.150.27/master/>]
/server-status (Status: 403) [Size: 278]
Here we found our FLAG61 at /cart
Also we found a vhost crm.pwntilldawn.com adding that to /etc/hosts
10.150.150.27 crm.pwntilldawn.com