I first did a nmap scan of the network to find the IP address of the target machine. I did a ping scan using 'nmap -sn', which tells nmap to not do a port scan on the IP addresses.

I then did a port scan for all ports, using -sV to find what services are running on what ports and what versions of the services were running.

Port 22 for SSH, 80 for http, 139 and 445 for SMB, 3306 for mysql, and port 8081 for another web page. I opened a web browser and went to the web page to see if there was anything I could find.

I looked through the page source and found that there was a username and password in there.

I now needed to find a wordpress login page. I went to the /wp-admin directory, typically the login page for a wordpress website, but it wasn't there, at least for the web page running on port 80. I did a scan of directories, using dirb, and found no other interesting directories.

I also did a dirb scan of the web server running on port 8081, and did find the /wp-admin directory.

When I went there, however, I only received a page that said the file was not found.

I took a look at the URL, and found that I needed to edit my /etc/hosts file to map the target IP address to wp.looz.com and looz.com. Once I did that, and restarted my browser, I was able to get to the login page.

I imputed the username 'john' and the password found in the comment, and was in the admin dashboard.

In the users section, I found there was another user that had administrator role, 'gandalf'.

I used hydra to brute force the SSH login. As a note, this took a long time (a little under an hour), so if you are doing this, be patient and don't freak out if it isn't immediate.

I used that username and password to login via SSH.

Gandalf couldn't do much on the target machine, but there was another user, Alatar, found when I looked at the /etc/passwd file.

Alatar had a directory where the user flag was located, and gandalf was able to open it.

There was also a directory titled Private, and in there was a binary titled shell_testv1.0. I looked at the binary and saw that it was owned by root, and it was world executable.

I executed it, just to see what it does, and I became the root user. From there, I went to the /root directory and got the root flag.