- Enumeration will lead to hidden host info
- Edit the /etc/hosts file for the new host
- Directory enumerate the new host to find a storage site
- Download the public key and notice the text file
- Find the exploit for OpenSSL
- Compare the public key with the exploited hashes to gain access
- Decompile the Python program to find a password
- Switch to the root user
Run an nmap scan to find open ports.
Run a gobuster scan to find hidden directories.
In the nmap scan we can notice an SSL certificate report for port 443.
I edit the /etc/hosts file and we find a new page. It looks like n30 could be a username. n30 is also the agent in the Matrix.
Let’s do a gobuster scan on this page.
A note file and a public key are present in the file storage.
Seems like an old version of OpenSSL. Let’s search for an exploit.
The exploit does not work as we need the private key location and user.
Let’s get the exploit above instead.
The public key is base64 encoded.
Use the grep -r -l command to find the public key.
Use the key to log in over SSH.
Found the first flag.
Found a program that is compiled.
Let’s transfer the file and use a Python decompiler to read the code.
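Seen from the defender's side, the comparison step above is a blocklist check: decode each base64 key in an authorized_keys file, fingerprint it, and flag any key that appears in a set of known-compromised keys so it can be replaced. This is an added example, not code from the original write-up; the function names, the blocklist and the sample keys (constructed filler bytes, not real keys) are assumptions.

```python
import base64
import hashlib
import struct

def parse_pubkey(line):
    """Return (key_type, blob) from a .pub / authorized_keys line, else None."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if not field.startswith(("ssh-", "ecdsa-", "sk-")):
            continue  # skip leading options such as no-pty
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        # A genuine blob begins with a length-prefixed copy of the key type.
        if len(blob) >= 4:
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] == field.encode():
                return field, blob
    return None

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of the decoded key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(authorized_keys_text, known_bad):
    """List (line number, key type, fingerprint) for keys on the blocklist."""
    findings = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        parsed = None if line.lstrip().startswith("#") else parse_pubkey(line)
        if parsed and fingerprint(parsed[1]) in known_bad:
            findings.append((lineno, parsed[0], fingerprint(parsed[1])))
    return findings

def constructed_line(seed, comment, options=""):
    """Constructed sample: valid blob header plus filler bytes, not a real key."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + hashlib.sha256(seed).digest()
    return f"{options}ssh-rsa {base64.b64encode(blob).decode()} {comment}", blob

if __name__ == "__main__":
    weak, weak_blob = constructed_line(b"weak", "user-a", options="no-pty ")
    good, _ = constructed_line(b"good", "user-b")
    blocklist = {fingerprint(weak_blob)}  # hypothetical known-bad set
    for hit in audit("# constructed file\n" + good + "\n" + weak + "\n", blocklist):
        print("replace key on line %d (%s): %s" % hit)
```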
Let’s check for sudo permissions.
Found the final flag.