Let's go: Madness.
- Run nmap: 2 ports open.

- There is a broken image on the web page. Download it: wget http://10.10.150.6/thm.jpg

- The file header has been tampered with, which is why the browser can't render it. Open the file in a hex editor (or look at the first line of xxd thm.jpg) and compare it against a known-good JPEG: a JPEG must start with the bytes FF D8 FF (FF D8 FF E0 for JFIF files). Change the leading bytes so they match the real signature.

Check out https://gist.github.com/leommoore/f9e57ba2aa4bf197ebc5 to learn more about magic numbers.
Once the header is fixed the image opens, and it shows the name of a hidden directory.
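The header fix above, done in code instead of by hand. This is an added example, not part of the original writeup: it checks a file's leading bytes against a small magic-number table and overwrites only the signature bytes, leaving the rest of the image untouched. The sample input is constructed (a JFIF header with its first four bytes zeroed), and the signature table only covers the three formats listed in it.

```python
"""Check and repair a file's magic bytes.
Added example, not from the original writeup."""
from pathlib import Path
from typing import Optional

# Signatures at offset 0, as listed in the usual magic-number tables.
# JPEG/JFIF files start FF D8 FF E0; Exif JPEGs start FF D8 FF E1.
MAGIC = {
    "jpeg": bytes.fromhex("FFD8FFE0"),
    "jpeg-exif": bytes.fromhex("FFD8FFE1"),
    "png": bytes.fromhex("89504E470D0A1A0A"),
    "gif": b"GIF8",
}


def identify(data: bytes) -> Optional[str]:
    """Return the format whose signature the data starts with, or None."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def repair_header(data: bytes, fmt: str) -> bytes:
    """Overwrite only the leading signature bytes; everything after them is kept."""
    sig = MAGIC[fmt]
    return sig + data[len(sig):]


def repair_file(path: str, fmt: str) -> bool:
    """Fix the file in place; returns True if it was changed."""
    p = Path(path)
    data = p.read_bytes()
    if identify(data) == fmt:
        return False
    p.write_bytes(repair_header(data, fmt))
    return True


# Constructed sample: the start of a JFIF file with its first four bytes zeroed,
# which is the kind of damage a hex-edited CTF image shows.
BROKEN = bytes.fromhex("00000000 0010 4A46494600 0101") + b"\x00" * 8

if __name__ == "__main__":
    print(identify(BROKEN))                  # None: nothing matches
    fixed = repair_header(BROKEN, "jpeg")
    print(identify(fixed))                   # jpeg
    print(fixed[:12].hex(" ").upper())       # FF D8 FF E0 00 10 4A 46 49 46 00 01
    # On the real file: repair_file("thm.jpg", "jpeg")
```

Only the signature is patched; if the bytes after it (the APP0 length, "JFIF", the version) were also edited, the picture still won't open and you have to keep comparing against a good file.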


The hidden directory takes a parameter, so we add one: http://10.10.150.6/th1s_1s_h1dd3n/?secret=1
If you open the page source you will see a comment about the secret value.
So let's brute-force it with Burp Suite (Intruder), secret=1 to 99,
and you will find that 73 returns a different page.
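The same brute-force without Burp. This is an added example, not from the original writeup: it requests every value in the range and reports the values whose response body differs from the most common one (the "wrong guess" page), so you don't need to know the success text in advance. The fake_fetch function and FAKE_PAGES dictionary are a constructed stand-in for the target so the script runs offline; http_fetch is the urllib fetcher you would pass in against the real box.

```python
"""Brute-force a numeric GET parameter and report the odd response out.
Added example, not part of the original writeup."""
from collections import Counter
from typing import Callable, Dict, List
from urllib.error import HTTPError
from urllib.request import urlopen


def http_fetch(url: str) -> str:
    """Fetch a URL with the standard library. Error pages are returned as text
    too, so a 403/404 on the right value still shows up as a different body."""
    try:
        with urlopen(url, timeout=10) as r:
            return r.read().decode("utf-8", "replace")
    except HTTPError as e:
        return f"HTTP {e.code}\n" + e.read().decode("utf-8", "replace")


def find_odd_values(fetch: Callable[[str], str], base_url: str, param: str,
                    lo: int = 1, hi: int = 99) -> List[int]:
    """Request base_url?param=lo..hi and return the values whose body differs
    from the most common response. An empty list means nothing stood out."""
    bodies: Dict[int, str] = {
        i: fetch(f"{base_url}?{param}={i}") for i in range(lo, hi + 1)
    }
    baseline, _count = Counter(bodies.values()).most_common(1)[0]
    return [i for i, body in bodies.items() if body != baseline]


# Constructed stand-in for the target: every value returns the same page except one.
FAKE_PAGES: Dict[int, str] = {i: "<p>wrong, try again</p>" for i in range(1, 100)}
FAKE_PAGES[73] = "<p>correct, here is your hint</p>"


def fake_fetch(url: str) -> str:
    """Offline fetcher: reads the value back out of the query string."""
    value = int(url.rsplit("=", 1)[1])
    return FAKE_PAGES[value]


if __name__ == "__main__":
    target = "http://10.10.150.6/th1s_1s_h1dd3n/"
    print(find_odd_values(fake_fetch, target, "secret"))   # [73]
    # Against the real box: find_odd_values(http_fetch, target, "secret")
```

If the page embeds something that changes on every request (a timestamp, a CSRF token), every body will differ and the baseline trick fails; strip that part out in the fetcher, or compare response lengths instead of full bodies.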

The secret=73 page gives us y2RPJ4QaPF!B, which we use as the passphrase to extract the hidden data from the image.

Now let's decode the username from the extracted data.

Wow, you get the username.
Right, so let's recap. We now have: a username; a password. So surely we can login via SSH now?
Nope. The password doesn't work. This is where Optional, the absolute mad man, pulled a fast one on 95% of people...
So download this image too and run the same extraction on it.

When it asks for a passphrase, just press Enter and don't enter any passphrase:

Now you can connect with SSH and get the user flag.
Wow, super.
To get the root flag:
Find all SUID/SGID files (the 2> /dev/null hides the permission-denied noise):
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
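The find command lists everything with a setuid or setgid bit, and most of it is normal. The added example below (not from the original writeup) does the same walk in Python and then filters the hits against a baseline of binaries that are expected to be setuid on a stock Debian/Ubuntu install, so the unusual ones stand out. The BASELINE set is an assumption and should be trimmed to the distro you are looking at; the SAMPLE dictionary is constructed so the filtering runs offline.

```python
"""Find setuid/setgid files and flag the ones not expected on a stock system.
Added example, not from the original writeup."""
import os
import stat
from typing import Dict, List, Set

# Assumed baseline: binaries that are normally setuid on a Debian/Ubuntu box.
# Anything outside this set deserves a closer look (version, CVEs, GTFOBins).
BASELINE: Set[str] = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/su", "/bin/su",
    "/bin/mount", "/bin/umount", "/bin/ping", "/usr/bin/mount", "/usr/bin/umount",
}


def is_setid(mode: int) -> bool:
    """True when a regular file has the setuid or setgid bit set."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def unusual_setid(files: Dict[str, int], baseline: Set[str] = BASELINE) -> List[str]:
    """From {path: st_mode}, return the setuid/setgid paths not in the baseline."""
    return sorted(p for p, m in files.items() if is_setid(m) and p not in baseline)


def scan(root: str = "/") -> Dict[str, int]:
    """Walk root and collect st_mode for every setuid/setgid regular file.
    Same hits as the find command above, minus the -exec ls output."""
    found: Dict[str, int] = {}
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                st = os.lstat(p)
            except OSError:
                continue          # unreadable entries are skipped, like 2>/dev/null
            if is_setid(st.st_mode):
                found[p] = st.st_mode
    return found


# Constructed sample of what a scan might return (modes as os.lstat reports them).
SAMPLE: Dict[str, int] = {
    "/usr/bin/passwd": 0o104755,        # -rwsr-xr-x, expected
    "/usr/bin/sudo": 0o104755,          # expected
    "/usr/bin/screen-4.5.0": 0o104755,  # setuid and not in the baseline
    "/usr/bin/ls": 0o100755,            # no setuid bit, ignored
}

if __name__ == "__main__":
    print(unusual_setid(SAMPLE))        # ['/usr/bin/screen-4.5.0']
    # On the target: print(unusual_setid(scan("/")))
```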

In the list we find screen-4.5 (GNU Screen 4.5.0), which has a well-known local root exploit.
Search for it and use this exploit:
https://www.exploit-db.com/exploits/41154
To run it: copy the script to the machine (it compiles two small C helpers with gcc on the target, so gcc has to be there), then:
chmod +x exploit.sh
./exploit.sh
and you get a root shell.
To get the flag: cat /root/root.txt
Nice, you're done.
This post was originally published on Medium. Imported 2024-12-17.