Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub


You Guys miss Me Lol??? Sure Have Been Recieving Lots Of Mail Lately For Some Writeups So Let Hit Now.


Nmap -sV -p- IP -T5

Let Me Break It The Down The Nmap Comand I Use.

-sV = Probe open ports to determine service/version info

-p- = Scan For Full Ports

-T5 = Set timing template Making The Scanning Fast

# Nmap 7.80 scan initiated Wed Oct 21 05:45:24 2020 as: nmap -sC -sV -oA nmap
Nmap scan report for
Host is up (0.28s latency).
Not shown: 993 closed ports
21/tcp   open     ftp           vsftpd 3.0.3
1337/tcp open     ssh           OpenSSH 7.6p1
80/tcp   open     http          Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
1119/tcp filtered bnetgame
5001/tcp filtered commplex-link
6580/tcp filtered parsec-master
7019/tcp filtered doceri-ctl
9618/tcp filtered condor
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at .
# Nmap done at Wed Oct 21 05:46:49 2020 -- 1 IP address (1 host up) scanned in 85.32 seconds
  1. How many open ports?

REDACTED (Read The Scan Result)

  1. what is the ssh port number?

REDACTED (Read The Scan Result)

  1. what is the name of the secret file?

Time To Use Gobuster To Burst Some Directorys Port 80 HTTP

gobuster dir -u http://IP -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

dir = Dircectory

-u = Target URL

-w = Wordlists


A dir let try to access it


just a plain white page hmmm let hit gobuster again with the dir we just found.


The admin page was not useful also blank plain white let continue to burst some dirs.


/backups pretty interesting let hit it with gobuster with gobuster extension command -x with .zip,tar.txt,php maybe it can be our lucky day.


cool a backups zip file let download it.


file protected with password let try to crack it.


sweet zip file cracked let extract the information we need in it.


  1. ftp user name? REDACTED (What do you see in the note.txt)

  2. ftp password? REDACTED (Use Hydra to bruteforce)

  3. What is the ssh username? REDACTED (Log in FTP With usernmae and password you just found)

  4. What is the ssh password? REDACTED (crack the id_rsa private key you found in FTP)

  5. What is the condor password? REDACTED (Log in SSH with the creds You just Obtained)

i will explain how to get the Condor password because it not that easy a little OSINT the hint (mnemonic encryption “image based”)


Boom we have the tools it on github Now just go back to the SSH you just log in to find the image Condor password is hidden in and decrypt it.


cool we are in let get the User.txt and Privilege Escalation to Get Root.txt.

A little hint to the user.txt flag it encoder in base……Now let get the Root.txt flag.


So i cat the python file the line i only find interesting is dis.

if select == 0: 
                        ex = str(input("are you sure you want to quit ? yes : "))

                        if ex == ".":
                        if ex == "yes " or "y":

So let run sudo /usr/bin/python3 /bin/



Boom Box Rooted…………..

Greeting From Muzec

Back To Home