Interesting machine, thanks sML@HackMyVm.
Port 80 is unavailable right now. Port 70 is not HTTP but gopher (a protocol I was not familiar with).
We can use Firefox to visit port 70, or the "gopher" command-line client.
Download howtoconnect.txt and check it.
It describes a port-knocking sequence, so we knock in that order.
sudo hping3 -S 192.168.56.100 -p 4767 -c 1;sudo hping3 -S 192.168.56.100 -p 2343 -c 1; sudo hping3 -S 192.168.56.100 -p 3142 -c 1
Scan ports again, port 80 is now open.
Scan port 80; from robots.txt, we get the nginx server config file.
Add henry.eighty.hmv and susan.eighty.hmv to /etc/hosts, and scan both vhosts.
Now we know there is lostpasswd.txt at http://susan.eighty.hmv/web/.
From it we get susan's password.
We need to get .google-auth.txt. But from the nginx config file, we know that we can't directly visit /home/susan/secret/.
We can use the classic nginx "double dot" error instead.
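The nginx config from the box is not reproduced in this writeup, so as an added example (not the machine's real file) here is a small checker for the classic alias "off-by-slash" pattern that this kind of double-dot traversal relies on: a prefix `location` without a trailing slash combined with an `alias` that has one. The sample config below is constructed, with one weak block and one corrected block.

```python
import re

# Constructed sample nginx config; the paths echo the writeup but the file is
# not the one served on the machine.
SAMPLE_CONFIG = """
server {
    listen 80;
    server_name susan.eighty.hmv;

    # weak: prefix "/web" has no trailing slash while the alias does, so a
    # request path starting with "/web.." still matches this location and is
    # resolved relative to the parent of the alias target
    location /web {
        alias /home/susan/web/;
    }

    # fixed: prefix and alias both end in "/", so only "/secret/..." matches
    location /secret/ {
        alias /home/susan/secret/;
        deny all;
    }
}
"""

# Matches "location [modifier] <prefix> { ... }" (no nested blocks inside).
LOCATION_RE = re.compile(r"location\s+(?:(=|~\*|~|\^~)\s+)?(\S+)\s*\{([^}]*)\}")
ALIAS_RE = re.compile(r"\balias\s+([^;]+);")


def find_off_by_slash(config: str):
    """Return (location_prefix, alias_target) pairs where the prefix lacks a
    trailing slash but the alias target has one; each pair is a candidate
    for the traversal the writeup calls the nginx "double dot" error."""
    findings = []
    for m in LOCATION_RE.finditer(config):
        modifier, prefix, body = m.groups()
        if modifier in ("=", "~", "~*"):
            continue  # exact and regex locations are not plain prefix matches
        alias = ALIAS_RE.search(body)
        if alias is None:
            continue
        target = alias.group(1).strip()
        if not prefix.endswith("/") and target.endswith("/"):
            findings.append((prefix, target))
    return findings


if __name__ == "__main__":
    for prefix, target in find_off_by_slash(SAMPLE_CONFIG):
        print(f"off-by-slash: location {prefix} -> alias {target}")
```

The fix the checker points at is to give the prefix a trailing slash (or drop it from the alias) so that `..` after the prefix can no longer match the location.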
Install the "Google Authenticator" app on a mobile phone or emulator, and enter the secret key from the first line of that file.
Then we can get a time-based verification code.
SSH in as susan, enter the password from "lostpasswd.txt", then enter the verification code from Google Authenticator.
Search for SUID files; there is one named "doas", and there is no sudo.
From Google, we learn that doas has the same function as sudo.
To find out how doas is configured, we search for files with "doas" in the filename.
That shows us doas.conf.
From the conf file, we know we can only run gopher, which is a gopher client (browser).
We use gopher to connect localhost port 70.
doas gopher gopher://127.0.0.1
On the main page, we press "?" to read the help. Then we notice this.
After we press "$", we get a shell with root privileges.