FLAG68

Enumeration

22/tcp  open  ssh      OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 a6:22:2a:a8:f5:12:ee:25:8e:67:90:c9:79:ec:2a:94 (RSA)
|   256 96:a6:ee:33:7a:ac:e8:08:38:21:72:16:8a:65:1a:24 (ECDSA)
|_  256 4e:16:6c:96:8c:5b:bb:fe:e4:40:e9:8d:8e:05:6f:4c (ED25519)
80/tcp  open  http     Apache httpd 2.4.41 ((Unix) OpenSSL/1.1.0l)
|_http-title: Did not follow redirect to <https://10.150.150.48/>
|_http-server-header: Apache/2.4.41 (Unix) OpenSSL/1.1.0l
443/tcp open  ssl/http Apache httpd 2.4.41 ((Unix) OpenSSL/1.1.0l)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=example.com
| Not valid before: 2012-11-14T11:18:27
|_Not valid after:  2022-11-12T11:18:27
|_http-server-header: Apache/2.4.41 (Unix) OpenSSL/1.1.0l
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Can’t do gobuster fuzz, so we change to dirb

---- Scanning URL: <https://10.150.150.48/> ----
+ <https://10.150.150.48/app> (CODE:302|SIZE:0)                                        
+ <https://10.150.150.48/fonts> (CODE:302|SIZE:0)                                      
+ <https://10.150.150.48/images> (CODE:302|SIZE:0)                                     
+ <https://10.150.150.48/index.html> (CODE:200|SIZE:5529)                              
+ <https://10.150.150.48/layouts> (CODE:302|SIZE:0)                                    
+ <https://10.150.150.48/translations> (CODE:302|SIZE:0)

Exploitation

Privilege Escalation