````
80
22
139
445
8009
8080
````
The question asks the following: What is the name of the hidden directory on the web server (enter name without /)?
When enumerating web servers we can use a variety of tools. My choice is gobuster, and with the following command we can find the hidden directory, which is called development:
````
gobuster dir -u http://10.10.14.221/ -w /usr/share/wordlists/dirb/common.txt
````
Next, it asks us to brute-force it and get the username and password.
For more enumeration we can use Enum4linux.
Running Enum4linux, we found two users, as follows:
Trying the username jan in the question "What is the username" turns out to be correct.
Next is to crack the password. We can try to crack it with hydra, and the service we are going to target is SSH, using the following command:
````
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.14.221
````
After waiting a bit, we successfully found a match for the password associated with jan!
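Seen from the defending side, a password-guessing run like the hydra one above shows up in the sshd log as a burst of `Failed password` entries from one source, followed by an `Accepted password` for jan. The Python sketch below is an added example, not part of the original write-up; the log lines, hostnames, IP addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines (not captured from the room): a burst of failed
# logins for one account, a success from the same source, and benign noise.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[811]: Failed password for jan from 198.51.100.7 port 40100 ssh2
Mar 10 12:00:02 host sshd[812]: Failed password for jan from 198.51.100.7 port 40102 ssh2
Mar 10 12:00:03 host sshd[813]: Failed password for jan from 198.51.100.7 port 40104 ssh2
Mar 10 12:00:04 host sshd[814]: Failed password for invalid user alice from 192.0.2.20 port 51000 ssh2
Mar 10 12:00:05 host sshd[815]: Failed password for jan from 198.51.100.7 port 40106 ssh2
Mar 10 12:00:06 host sshd[816]: Failed password for jan from 198.51.100.7 port 40108 ssh2
Mar 10 12:00:09 host sshd[817]: Accepted password for bob from 192.0.2.20 port 51002 ssh2
Mar 10 12:00:31 host sshd[818]: Accepted password for jan from 198.51.100.7 port 40110 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2024):
    """Alert on sources with >= threshold failed logins inside the sliding window."""
    failures = defaultdict(deque)  # source IP -> failure timestamps inside the window
    targets = defaultdict(set)     # source IP -> usernames it failed against
    alerts = {}                    # source IP -> alert record
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            targets[ip].add(user)
            q = failures[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "alerted_at": ts,
                              "users": targets[ip], "login_after_alert": None}
        elif ip in alerts and alerts[ip]["login_after_alert"] is None:
            # A success right after a failure burst suggests a guess landed.
            alerts[ip]["login_after_alert"] = user
    return list(alerts.values())
```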
After getting the foothold and searching a bit with linpeas for privilege escalation, I found an SSH key file for another user:
But the id_rsa is password-protected, so here we use John the Ripper to get the password.
By cracking the password we get the credentials for the second user; the password is beeswax.
By getting a foothold on the system as the other user, we find the last password.