Face a server that feels as if it was configured and deployed by Satan himself. Can you escalate to root?
Start at port 1337 and enumerate your way. Good luck.
When i try to access the IP:1337 i keep getting The connection was reset but i keep seeing some text in the background before it keep getting The connection was reset so i try to intercept it with burp suite.
So intercept the request send it to repeater and send and we have a message.
Welcome traveller, to the beginning of your journey To begin, find the trollface Legend says he's hiding in the first 100 ports Try printing the banners from the ports
Ok let hit nmap…..
Nmap -sV -p1-100 --script=banner <Target-IP>
Looking through the scan output we found a message again.
Go to port 12345 let hit it.
NFS shares are cool, especially when they are misconfigured It's on the standard port, no need for another scan
Cool let mount it.
Boom let change directory to it hmmm a zip file let transfer it to our Desktop.
I try to unzip it but it was protected with a password so i try cracking it with John the Ripper, what is John The Ripper: John the Ripper is a free password cracking software tool. Originally developed for the Unix operating system, it can run on fifteen different platforms.
So i use rockyou.txt password list to crack the hash having the password i unzip the zip file.
Boom we have the first flag, a username hades and a private id_rsa key to crack and a hint to move forward.
Cool hint scanning from 2500-4500 i think printing out the banner again i think we are searching for the ssh port i guess.
Nmap -sV -p2500-4500 --script=banner <Target-IP> -oN 2500-4500.txt
Since we save the scan output to a file let use grep to find the right ssh port.
Boom we have the right port now let log in ssh.
And we are in but a little probs the shell is restricted.
we can easily bypass it with
We have user.txt let get the root flag now.
getcap -r / cool it a /bin/tar = cap_dac_read_search+ep time to hit GTFOBins.
Now let read the shadow file
tar xf "/etc/shadow" -I '/bin/sh -c "cat 1>&2"' we can easily crack the shadow file with john the ripper i think i don’t need to explain that again.
After cracking the hash password we found in the shadow file we can easily log in with the root creds and finally we are root.
Box rooted what an hell lol..
Greeting From Muzec