Introduction

This room is based on the Japanese manga series called Deathnote. One of the best if not the best psychological thriller and mystery mangas I’ve watched. Long story short this mystery requires investigation. let’s dive in.

1 Enumeration

Enumerate for the machine’s IP

netdiscover -i eth0

2 Reconnaissance

I scanned the IP looking for any open ports, in the command I ran the default script(C) and version detection(V).

I got two open ports 22 SSH and 80 HTTP.

Heading over to the port 80 webpage. A deathnote.vuln page that’s running on WordPress. The page either doesn't work or hasn’t rendered properly, yet the machine is up.

I had to add the deathnote.vuln to a list of my hosts to resolve this.

Now, I edited the /etc/hosts file using nano

nano /etc/hosts

Viewing the lists of hosts updated and the deathnote.vuln appears.

Back to the webpage and after reloading it now works and renders the contents smoothly. The page looks like Kira’s page. There’s a hint at the top right of the page.

Navigating to the hint there, I got something interesting.

There’s a notes.txt file somewhere on the server. The files that run the webpage are stored on the same server

On enumeration my enumeration using gobuster I found a robots.txt file. robots.txt is a text file that instructs automated web bots on how to crawl and/or index a website. It comes in handy in ctfs, be sure to check out for it.

Another hint is the /important .jpg. This must have been added by Kira who now requested Ryuk to delete it.

Light’s father hints that the login username will be found in the user.txt file.

Now we know that notes.txt and user.txt are somewhere in the server.

Get CC1PH3R’s stories in your inbox

Join Medium for free to get updates from this writer.

I enumerated the website for vulnerabilities using nikto. There’s a brow-sable directory that may reveal sensitive information.

The webpage is run on WordPress, there’s a specific tool to scan WordPress webpages, called wpscan

Similar to nikto there’s an upload directory found. This opens up the possibility of directory traversal.

I used the link I got from Nikto and got into the uploads sub-directory.

At the base directory, there’s a folder named 2021. Dive in.

Out of the three folders, 09 had some resources, the webpage images, and two unusual files. Jackpot both wordlists in one spot.

I grabbed them to my machine using the wget command and their respective URLs.

3. Exploitation

With both username and password wordlist, all that’s left is to brute force the ssh port we found open earlier. Here’s the format :

hydra — L /wordlist/ — P /wordlist/ /IP/ ssh

4. Getting a shell

We are in, logged in as the user L. Right out of the gate there’s a user.txt file in L’s directory. It’s a coded message, the language used is brainfuck an esoteric programming language.

I googled for an online decoder and used this site brainfuck to decode the message.

Kira acknowledges we’ve gotten the shell but the game is not over.

I enumerated the base directories and in the /opt folder there’s a folder named L. Two interesting files fake-notebook-rule and kira-case

Head over to cyberchef to decode the message and we get another credential, a password.

In the directory kira-case there’s a hint pointing to fake-notebook-rule we’ve already gone through.

Back to the home directory, there are two users l and kira. In the kira directory, a kira.txt file looks like it’s only visible to kira.

Using the credentials found a while ago login as kira. Now we can view the kira.txt file with an encoded message most likely in base64

The message was encoded with base64 and I quickly decoded it with the following command:

echo “code” | base64 — decode

We had already explored the /opt folder now let’s dive into /var

Nothing much was found except for, its toooo late for Misa

Looking at Kira’s permissions, I noticed Kira can run sudo with root privileges.

5. Privilege Escalation

Start the login shell as root using the command sudo -i. Finally, we are root. There’s a message in root.txt.

Thanks for reading, keep learning, and keep hacking :)