Easy Peasy
Reconnaissance
Initial nmap scan to find all open ports
There are three ports open.
Detailed Nmap Scan:
Command Breakdown:
(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying ports 80,6498,65524
(-oN nmap): Saving it into a file called nmap
The version of nginx is 1.16.1.
Apache is running on the highest port
Enumeration
Port 80: HTTP
Let's visit the site.
There is nothing interesting in the links provided or in the source code, so let's run gobuster to find hidden files and directories.
Looks like we found a directory; let's run another gobuster scan on this directory while we explore this one.
We found another directory; let's visit both of these pages.
There seems to be nothing here; let's go to the whatever directory.
There is nothing on the page, so let's look at the source code.
We have a hash; let's decrypt it.
We have the first flag.
Port 65524: HTTP
Let's visit the site.
It's an Apache 2 default page; scrolling down a bit, we find flag 3.
Let's run gobuster to find hidden directories and files.
While gobuster is running, let's check the robots.txt page; we find some interesting information there.
This looks like a hash; let's try to crack it. First, let's identify what type of hash it is.
It's an MD5 hash; now let's crack it.
And we have the second flag.
Looking back at the default page, there is something else in the source code.
Another hash. Let's crack it.
It's another directory; let's visit it.
It's a page with a binary code image; let's look at the source code.
We have a string; let's try to identify the hash.
Let's crack it.
Looks like it is a password.
Now let's download the binary picture and see if there is anything hidden in it using steghide.
It is asking for a password, so I used the one we just found.
We found a text file; let's read it.
We have a username and a password in binary; let's decode it.
We found the password; let's log in through SSH. The SSH server is running on port 6498, based on our nmap scan.
We are logged in.
We can read the user.txt file, but it seems to be encrypted, so I will leave cracking it to you. (Hint: CyberChef and ROT 13)
We can also answer all the other questions.
Privilege Escalation
As the room had cronjob as one of its tags, I looked for .sh files on the system that belonged to the user boring.
Looks like we have a file; let's look at it.
It says it will run as root, so why don't we echo a reverse shell into the file to get a shell as root?
Make sure to change the IP in the command and start a netcat listener.
Once you echo the command into the file, the contents of the file should look like this.
After a while you should get a shell as root.
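The privilege escalation above works only because a script that cron executes as root is writable by an unprivileged user. As an added hardening check (not part of this writeup or the room), the POSIX shell script below parses /etc/crontab-style lines and reports root-run scripts that are missing, not owned by root, or group/world-writable; the crontab content and paths are constructed placeholders, and `stat -L -c` is GNU coreutils syntax.

```shell
#!/bin/sh
# Added hardening check (not from the writeup): flag /etc/crontab entries that
# run as root but point at a script another user could modify or create.
# Constructed sample; the paths are hypothetical placeholders.
SAMPLE_CRONTAB='0 * * * * root /var/tmp/backup.sh
30 2 * * * root /usr/local/sbin/rotate-logs.sh --quiet
# comment and blank lines are skipped'

# Print the command path (7th field) of a system crontab line whose user
# field is root; fail for comments, blank lines, @reboot entries, other users.
root_cron_script_path() {
    case "$1" in ''|'#'*|@*) return 1 ;; esac
    set -f; set -- $1; set +f   # split on whitespace without globbing '*'
    [ $# -ge 7 ] && [ "$6" = root ] || return 1
    printf '%s\n' "$7"
}

# Succeed if an octal mode (as printed by `stat -c %a`, e.g. 755 or 1777)
# has the write bit set for group or others, i.e. digit 2, 3, 6 or 7.
mode_writable_by_others() {
    case "$1" in *[2367]|*[2367]?) return 0 ;; esac
    return 1
}

# Judge one script: print a verdict, return 0 (ok) or 1 (risky).
# stat -L follows symlinks so the real file's owner and mode are checked.
audit_cron_script() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "RISK $path: missing; a user who can write its directory could create it"
        return 1
    fi
    owner=$(stat -L -c %U "$path") && mode=$(stat -L -c %a "$path") || return 1
    if [ "$owner" != root ]; then
        echo "RISK $path: owned by $owner but executed by root's cron"; return 1
    fi
    if mode_writable_by_others "$mode"; then
        echo "RISK $path: mode $mode lets group/others modify it"; return 1
    fi
    echo "ok   $path: owner $owner, mode $mode"
}

# Audit every root-run script the sample crontab references.
audit_crontab() {
    printf '%s\n' "$SAMPLE_CRONTAB" | while IFS= read -r line; do
        p=$(root_cron_script_path "$line") || continue
        audit_cron_script "$p" || true
    done
}
audit_crontab
```

To audit a real host, replace SAMPLE_CRONTAB with the contents of /etc/crontab and /etc/cron.d/*, and extend the same ownership and mode checks to the directories those scripts live in.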