, ,

W34kn3ss: 1



  • Enumeration will lead to hidden host info
  • Edit the /etc/hosts file for the new host
  • Directory enumerate the new hots to find a storage site
  • Download the public key and notice the text file
  • Find the exploit for OpenSSL
  • Compare the public key with the exploited hashes to gain access
  • Decompile the python program to find a password
  • Switch to the root user


Run nmap scan to find for open ports.

Run a gobuster scan to find for hidden directories.

Port 80

/ test

In the nmap scan we can notice a ssl cert report for port 443.

I edit the etc/hosts file and we will find a new page. Looks like n30 could be a user name. n30 is also the agent in the Matrix.

Let’s do a gobuster scan on this page.



A note file and public key is present in the file storage.

Seems like an old version openssl. Let’s search for an exploit.

Download the exploit.

The exploit does not work as we need the private key location and user.

Let’s get the exploit above instead.

Looks like we can compare the public key to the 66 possible options.

The public key contains is base64 encoded.

Use the grep -r -l command to find the public key.


use the key to SSH login.

Found the first flag

Found a code program that is compiled.

Let’s transfer the file and use a python decompiler to read the code.

Found the password dMASDNB!!#B!#!#33

Privilege escalation

Let’s check for sudo permissions.

Able to switch to the root user.

Found the final flag.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Comments (



%d bloggers like this: