# Nmap
```
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-12 12:51 EST
Nmap scan report for challs.dvc.tf (
Host is up (0.0060s latency).
Not shown: 1000 filtered tcp ports (no-response)
51022/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 61:94:04:6e:f3:e6:22:f1:74:2b:f3:d2:62:82:bb:f1 (RSA)
| 256 69:6b:8f:f8:49:b1:a6:1d:87:64:a0:bc:4f:c8:77:d7 (ECDSA)
|_ 256 1c:25:bf:62:06:89:a1:f1:ac:99:25:d9:96:9c:f8:de (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: bridge|VoIP phone|general purpose|WAP|broadband router|specialized
Running (JUST GUESSING): Oracle Virtualbox (92%), Cisco embedded (89%), Linux 1.0.X (88%), QEMU (88%), Sitecom embedded (87%), ZyXEL embedded (87%), Casio embedded (87%), GNU Hurd (85%)
OS CPE: cpe:/o:oracle:virtualbox cpe:/h:cisco:unified_ip_phone_7912 cpe:/o:linux:linux_kernel:1.0.9 cpe:/a:qemu:qemu cpe:/h:sitecom:wl-174 cpe:/h:zyxel:b-3000 cpe:/h:zyxel:prestige_660r cpe:/o:g
Aggressive OS guesses: Oracle Virtualbox (92%), Cisco IP Phone 7912-series (89%), Linux 1.0.9 (88%), QEMU user mode network gateway (88%), Sitecom WL-174 wireless ADSL router or ZyXEL B-3000 WAP
(87%), ZyXEL Prestige 660R ADSL router (87%), Casio QT-6000 or QT-6100 point-of-sale machine (87%), GNU Hurd 0.3 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
1 1.40 ms
2 1.42 ms
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.95 seconds
```
There is an `ssh` service running.
# Website
The website contained some sort of Top Song list and used two `GET` parameters to filter it.
When the `playlistTop` parameter was changed to something nonexistent, like `asdf`, the server returned an error.
Using `php://filter/convert.base64-encode/resource=`, a local file inclusion was performed.
This made it possible to read the `leonardo` user's private SSH key.
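
From the defender's side, the same requests are easy to spot in web server logs. The following is an added example, not part of the original writeup or the challenge's code: it scans access-log lines for query parameters whose decoded value starts with a PHP stream wrapper and extracts the `resource=` target of `php://filter`, which tells a responder which files to treat as leaked. The log format, addresses and file paths in the sample are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# PHP stream wrappers that have no business in a user-supplied file parameter.
WRAPPER_RE = re.compile(r"^\s*(php|data|expect|phar|zip|file|glob)://(.*)$", re.I | re.S)
# Request target inside a combined-format access log entry (format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def inspect_request(log_line):
    """Return one finding per query parameter whose decoded value starts with a wrapper."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    findings = []
    # parse_qsl percent-decodes names and values, so php%3A%2F%2F is seen as php://
    for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        w = WRAPPER_RE.match(value)
        if not w:
            continue
        scheme, rest = w.group(1).lower(), w.group(2)
        resource = None
        if scheme == "php" and rest.lower().startswith("filter/"):
            # php://filter/<filters>/resource=<target>: the target is the exposed file
            _, sep, target = rest.partition("resource=")
            resource = target if sep else None
        findings.append({"param": name, "wrapper": scheme, "resource": resource})
    return findings

def exposed_files(log_lines):
    """Files requested through php://filter, i.e. what must be treated as leaked."""
    return sorted({f["resource"] for line in log_lines
                   for f in inspect_request(line) if f["resource"]})

# Constructed sample access-log lines (addresses, paths and sizes are made up).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2022:12:55:01 +0000] "GET /index.php?playlistTop=top10 HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Mar/2022:12:55:09 +0000] "GET /index.php?playlistTop=asdf HTTP/1.1" 200 210',
    '203.0.113.5 - - [12/Mar/2022:12:56:40 +0000] "GET /index.php?playlistTop='
    'php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 9000',
    '203.0.113.5 - - [12/Mar/2022:12:57:02 +0000] "GET /index.php?playlistTop='
    'php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3D%2Fhome%2Fexampleuser'
    '%2F.ssh%2Fid_rsa HTTP/1.1" 200 2400',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for finding in inspect_request(line):
            print(finding)
    print("treat as leaked:", exposed_files(SAMPLE_LOG))
```

Any private key that shows up in the `exposed_files` result should be rotated and removed from `authorized_keys`, since its contents were returned to the requester.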
# SSH Connection
Using all the obtained information, it was possible to log in as user `leonardo` via SSH.