First, we enumerate the target IP with Nmap:
We found port 8080 is open, and port 80 seems like a decoy.
Take note: SSH is available on port 22.
We checked the version of the service and Googled for a PoC.
Boom! We found CVE-2025-24893.
Now, use the PoC found online to get a reverse shell.
[HINT] Adjust the command so you do not get a broken shell.
BOOM! We got it on our listener:
After exploring the target files, we found hibernate.cfg.xml.
Let's try grep now:
Nice! We found passwords. The first one looks suspicious, so I tried su oliver → failed.
Let's try SSH:
✅ Now we can get the user flag.
Host your directory containing linpeas:
Use wget from the target shell to download it:
Make it executable and run it:
We found ndsudo. Let's see if we can run it:
Yeah! I can, as the oliver user.
After googling, we learned that ndsudo executes specific commands, which it looks up via $PATH.
We tested with ndsudo nvme-list → command not found.
We create a poc.c file to get a root shell:
Transfer it to /tmp/ on the target (we have write access):
Make it executable and update $PATH to locate our file:
After updating $PATH, ndsudo nvme-list executes our file → root shell obtained!
🎯 Goal achieved: get the root flag.
💡 Tip: Try to understand why it worked. Don’t just copy-paste — curiosity is what makes a hacker great.
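Why it worked, seen from the fix side: the privileged helper looked up its command through a $PATH the caller controls. The sketch below is an added example, not code from this writeup or from the ndsudo project; it shows the defensive pattern of resolving a command only from a fixed list of directories that no unprivileged user can write to. The function names, the directory list and the owner parameter are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Trusted = owned by `owner` and not writable by group or others. */
static int is_trusted(const struct stat *st, uid_t owner) {
    return st->st_uid == owner && !(st->st_mode & (S_IWGRP | S_IWOTH));
}

/* Resolve `name` against a fixed NULL-terminated directory list, never the
 * caller's $PATH. `owner` is the uid allowed to own directories and binaries
 * (0 in a setuid-root helper; a parameter here so the check can be tested).
 * Returns 0 and fills `out` on success, -1 if nothing trustworthy matches. */
int resolve_trusted(const char *name, const char *const dirs[], uid_t owner,
                    char *out, size_t outlen) {
    struct stat st;

    /* Bare command names only: no slashes, no empty string. */
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
        return -1;

    for (size_t i = 0; dirs[i] != NULL; i++) {
        /* Absolute directories only; skip any that others could modify. */
        if (dirs[i][0] != '/' || stat(dirs[i], &st) != 0 ||
            !S_ISDIR(st.st_mode) || !is_trusted(&st, owner))
            continue;

        int n = snprintf(out, outlen, "%s/%s", dirs[i], name);
        if (n < 0 || (size_t)n >= outlen)
            continue;

        /* The binary must be a trusted, executable regular file. */
        if (stat(out, &st) == 0 && S_ISREG(st.st_mode) &&
            (st.st_mode & S_IXUSR) && is_trusted(&st, owner))
            return 0;
    }
    return -1;
}

int main(void) {
    /* Constructed allow-list and command name, for illustration only. */
    const char *const dirs[] = { "/usr/sbin", "/usr/bin", "/sbin", "/bin", NULL };
    char path[4096];
    int rc = resolve_trusted("nvme-list", dirs, 0, path, sizeof path);
    printf("%s\n", rc == 0 ? path : "no trusted match; refuse to run");
    return 0;
}
```

With this lookup, a directory such as /tmp is never searched, and a world-writable directory is skipped even if it appears in the list.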