First we get a box and do some basic port scanning:
When I did the port scan I saw SSH open on port 22, which made me think of brute-forcing SSH, but what I lacked was a username to brute-force. So I moved on to asset discovery on port 80 (HTTP). Using dirsearch I found two directories.
So let us try exploring these two directories. First, let us visit the directory named family.
We can visit the txt file; it might contain a hint. Visiting the images shows just normal pictures, the static files of the hosted website.
We find various text, possibly usernames, which could give birth to an attack vector like SSH brute-forcing, since SSH was open. But let us visit the other discovered directory too. So, let us now visit the secure directory.
We find that it contains an audio file in .wav format, and the audio contained Morse code, which I decoded by uploading it to Morse Code World.
So the output is:
N O B O D Y C A N H A C K M E <BT> P E T E R
Meaning PETER might be a weak point for an attacker to target. But the extension of the audio was weird, and since the creator and I work at the same company, I know his cryptography challenges, so I tried stegseek with rockyou.txt.
Surprisingly, I wasn't wrong: it cracked, and I got the txt file with the interesting message he asked for.
And then I lost my way, because I even brute-forced with the whole rockyou.txt and still didn't get in.
But being a fan of John Cena, my heart said:
So I started thinking again and went through all the hint places. By now I was sure I couldn't log in with rockyou alone, so I needed better ideas. One hint told me:
his old password was his family (permutation)
So I had one idea: take the list of names from family.txt above and combine it with rockyou. For example:
If family.txt had noob and rockyou had mickey, then I need to combine the lists like
family.txt + rockyou.txt = final wordlist
giving: noobmickey
So, time for some cool bash scripting.
# a = family.txt, b = rockyou.txt; prints every line of a followed by every line of b
while IFS= read -r a_line
do
    while IFS= read -r b_line
    do
        echo "$a_line$b_line"
    done < b
done < a
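The same combination, as an added example that is not the original post's script, done in a single awk pass instead of nested shell loops (the loops above run echo once per pair, which takes a very long time when the inner file is rockyou.txt). It also goes beyond the text by emitting both orders, family+rockyou and rockyou+family, since the "permutation" hint does not say which comes first. The file names family.txt, rockyou.txt and final.txt and the two-word sample lists are constructed for the demo and are not data from the box.

```shell
#!/bin/sh
# Added example (not the original post's script): combine a small list of
# family names with a large wordlist such as rockyou.txt.
# Assumed arguments: SMALL list, BIG list, OUTPUT file.

# combine_wordlists SMALL BIG OUT
# For every line in BIG, emits SMALL-word+BIG-word and BIG-word+SMALL-word.
# awk loads the small list into memory once, so BIG is streamed a single
# time; the nested shell loops fork/echo once per combination instead.
# Prints the number of candidates written.
combine_wordlists() {
    awk -v small="$1" '
        BEGIN {
            while ((getline w < small) > 0) {
                sub(/\r$/, "", w)            # tolerate CRLF line endings
                if (w != "") fam[++n] = w
            }
            close(small)
        }
        {
            sub(/\r$/, "")                   # some rockyou.txt copies are CRLF
            if ($0 == "") next
            for (i = 1; i <= n; i++) {
                print fam[i] $0              # family + rockyou, e.g. noobmickey
                print $0 fam[i]              # rockyou + family, e.g. mickeynoob
            }
        }
    ' "$2" > "$3"
    wc -l < "$3" | tr -d ' '
}

# Demo on constructed sample lists (not real data from the box).
DEMO_DIR="$(mktemp -d)"
printf 'noob\npeter\n' > "$DEMO_DIR/family.txt"
printf 'mickey\n123456\n' > "$DEMO_DIR/rockyou.txt"
combine_wordlists "$DEMO_DIR/family.txt" "$DEMO_DIR/rockyou.txt" "$DEMO_DIR/final.txt"
head -n 4 "$DEMO_DIR/final.txt"
```

With a real rockyou.txt the output is family-list-size times two times 14 million lines, so it is worth trimming family.txt to the few names you actually believe in before feeding the result to an SSH brute-forcer; SSH logins are slow and the box may rate-limit or lock you out long before the list is exhausted.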
I combined the lists and brute-forced with the result, got the login credentials and logged in as the user.
So I finally logged in and felt like a hackerman.
An ls -al showed the flag, and I got flag1.
I tried some privilege escalation, but the hint had already said the creator hates GTFOBins.
So what I did was move up with ../ and found a new user who was in the sudoers file, so I was sure he could execute sudo.
So I took that username and brute-forced his credentials over SSH with rockyou to log in as him, which finally worked.
And this way I hacked the whole box and got full access.
Tip for the day:
Enumerate hard, don't work hard. And scripting saved the day!