K2

Challenge: K2

For this challenge we attack a Linux box named after K2, one of the deadliest mountains. Although K2 has seen more successful summit attempts recently, more people have been to space than have stood on its summit. Now let's get started.

As always we start with an AutoRecon against our target, IP address 10.10.163.65.

We surf to the website 10.10.163.65 and also add k2.thm to our /etc/hosts.

Nmap scan report for 10.10.163.65
Host is up, received user-set (0.022s latency).
Scanned at 2025-11-02 17:03:15 GMT for 30s
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fb:52:02:e8:d9:4b:83:1a:52:c9:9c:b8:43:72:83:71 (RSA)
|   256 37:94:6e:99:c2:4f:24:56:fd:ac:77:e2:1b:ec:a0:9f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFR+3LHmni3zpiKSoutsn1VQ1swOy7rqmMJNnZQq92MLJO387xGiEt42lu0WCBL/GEXNF2x9SQVXnthSjPeVr/Q=
|   256 8f:3b:26:92:67:ec:cc:05:30:27:17:c5:df:9a:42:d2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2FB1aDlln4ARqZ7uFANc4qyx0+I/On+7bmobx+27EH
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Dimension by HTML5 UP
| http-methods: 
|_  Supported Methods: HEAD GET OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
Aggressive OS guesses: Linux 4.15 (97%), Linux 3.2 - 4.14 (94%), Linux 4.15 - 5.19 (94%), Linux 2.6.32 - 3.10 (93%), Linux 5.4 (92%), Linux 2.6.32 - 3.5 (90%), Linux 2.6.32 - 3.13 (90%), Linux 5.0 - 5.14 (90%), Android 9 - 10 (Linux 4.9 - 4.14) (89%), Android 10 - 12 (Linux 4.14 - 4.19) (89%)
No exact OS matches for host (test conditions non-ideal).

Above is the truncated AutoRecon output; note the small number of open ports: only SSH (22) and HTTP (80). So we first turn to OpenSSH and look up known vulnerabilities for OpenSSH 8.2p1 on the following website. Keep in mind that Ubuntu backports security fixes into its package (hence the 4ubuntu0.7 suffix), so a CVE list for upstream 8.2p1 overstates what is actually exploitable on this host.

The exploits listed there seem too obscure to pursue in this challenge, so we return to the website. Let's enumerate virtual hosts (subdomains of k2.thm) using GoBuster's vhost mode:

gobuster vhost --url http://10.10.226.78 --domain k2.thm --append-domain --rua --wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

Because the URL is an IP address, --domain k2.thm tells gobuster which base domain to append to every word; without it the IP itself would be appended and nothing would match.

We find two subdomains:

  1. it.k2.thm

  2. admin.k2.thm
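To make explicit what gobuster's vhost mode does, here is an added example (not part of the original write-up): a minimal Python virtual-host brute forcer. It fetches a baseline response for a random, non-existent hostname and then flags every candidate whose status code or body length differs from that baseline. The base URL, the wordlist and the fake responses used in the demo are constructed; against the live box you would call enumerate_vhosts with the real fetch function and a SecLists wordlist.

```python
"""Minimal virtual-host brute forcer: the check gobuster vhost automates.

Added example, not part of the original write-up. The hostnames and the
fake responses below are constructed for an offline demo.
"""
import http.client
import secrets
from urllib.parse import urlparse


def fetch(base_url, host, timeout=5):
    """GET / on base_url with an explicit Host header; return (status, body_len)."""
    u = urlparse(base_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "Mozilla/5.0"})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def differs(baseline, probe, tolerance=0):
    """True when the probe response looks unlike the catch-all baseline.

    tolerance absorbs small body-length jitter (e.g. the Host name echoed in a page).
    """
    b_status, b_len = baseline
    p_status, p_len = probe
    return p_status != b_status or abs(p_len - b_len) > tolerance


def enumerate_vhosts(base_url, domain, words, fetch_fn=fetch, tolerance=0):
    """Return the candidate hostnames that answer differently from the default vhost."""
    # Baseline: a name that cannot exist, so we learn what "unknown vhost" looks like.
    baseline = fetch_fn(base_url, f"{secrets.token_hex(6)}.{domain}")
    found = []
    for word in words:
        host = f"{word}.{domain}"
        if differs(baseline, fetch_fn(base_url, host), tolerance):
            found.append(host)
    return found


# --- offline demo with constructed responses ---------------------------------
FAKE_RESPONSES = {              # host -> (status, body length); constructed values
    "it.k2.thm": (200, 4120),
    "admin.k2.thm": (302, 0),
}
DEFAULT_RESPONSE = (200, 2857)  # what the catch-all site returns; constructed value


def fake_fetch(base_url, host):
    """Stand-in for fetch(): answers from the table, default for everything else."""
    return FAKE_RESPONSES.get(host, DEFAULT_RESPONSE)


def demo():
    """Run the enumeration against the constructed responses (assumed wordlist)."""
    words = ["www", "mail", "it", "dev", "admin", "ftp"]
    return enumerate_vhosts("http://10.10.163.65", "k2.thm", words, fetch_fn=fake_fetch)


if __name__ == "__main__":
    for host in demo():
        print("found:", host)
```

On the real target, drop fake_fetch and pass the default fetch; if the default page echoes the requested Host name, raise tolerance by a few bytes so that every candidate is not flagged as different.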

On it.k2.thm we find a ticketing panel where we can sign up. After logging in we see an old-school form for submitting a ticket. Let's try a simple XSS probe here: an image tag pointing at a host we control (10.11.12.13 is our attacking machine), so that any browser rendering the ticket unescaped, for instance an admin's, fetches the image and shows up in our listener. A hit proves the HTML is rendered unsanitized; it does not yet prove script execution, which a Content-Security-Policy could still block:

<img src="http://10.11.12.13/title"></img>
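To actually see whether that image tag renders on someone else's screen, something has to be listening on 10.11.12.13. Below is an added example, not from the original write-up: a small Python listener that answers every request with a 1x1 GIF and records the source IP, requested path, User-Agent and Referer. Those fields tell you who loaded the payload (an admin's browser versus a link-preview bot) and which page rendered it. The listening port and the sample request are assumptions.

```python
"""Tiny callback listener for blind HTML/XSS probes.

Added example, not part of the original write-up. Run it on the attacking
host (10.11.12.13 in the write-up) and point payloads such as
<img src="http://10.11.12.13/title"> at it. Port 80 is an assumption.
"""
import datetime
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

HITS = []  # every callback received, newest last

# 1x1 transparent GIF so the <img> loads cleanly and leaves no broken-image icon
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01"
         b"\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def summarize_hit(client_ip, path, headers, now=None):
    """Reduce one request to the fields that matter when triaging a blind probe.

    headers may be a dict or the http.server Message object; both support .get().
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    tag = path.lstrip("/").split("?", 1)[0]  # which payload fired, e.g. "title"
    return {
        "time": now.isoformat(timespec="seconds"),
        "ip": client_ip,
        "tag": tag or "(root)",
        "path": path,
        "user_agent": headers.get("User-Agent", ""),
        "referer": headers.get("Referer", ""),  # page on which the injection rendered
    }


class CallbackHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        hit = summarize_hit(self.client_address[0], self.path, self.headers)
        HITS.append(hit)
        print(json.dumps(hit), flush=True)
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, *args):
        # Silence the default access log; the JSON line above is our record.
        pass


def serve(port=80):
    """Block and serve callbacks until interrupted."""
    HTTPServer(("0.0.0.0", port), CallbackHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Port 80 needs root (or a capability); if you listen elsewhere, change the port in the payload URL as well. Use a distinct path per injection point (title, body, username) so the tag field tells you which field is vulnerable.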