
This is my second write-up, on how I found the root flag on Deception.
Step I: First, I downloaded the OVA file from vulnhub.com.

Step II: After successfully installing the machine:
After installing the machine, I started it but encountered a problem because I was doing black box testing, so I didn’t know anything about the machine, not even its IP address. After searching for a solution online, I learned about the netdiscover command and how to use it on my device. Since I was using the internet through a WiFi adapter, I selected the WiFi adapter and ran the command netdiscover -i <wifi adapter> <ip/24>. This showed me the subnets on my WiFi adapter, and from there, I discovered the IP of the machine.

Step III: After finding the IP of the machine:
The first basic task in testing was to perform an nmap scan to find out about the open ports on the machine. Then, I opened a web browser to see what the website looked like.

Step IV: After the Nmap scanning
Next, I conducted a directory enumeration test and found several directories in the scan results. I navigated to the /wordpress directory in the browser and researched more about this directory.

Step V: More Sub-directory Enumeration
I used the command gobuster dir -u http://192.168.1.14/wordpress/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .php,.html,.txt to find more sub-directories.
This led me to find additional sub-directories, including one called Hint.html, which provided some useful information.

Step VI: Enumerate the hint
I checked the home page of the machine and used “View Source” to search for APIs. This helped me identify patterns in the API labels, like old_0, old_1, and new_1. I saved this information.

Step VII: Scanning WordPress
Knowing the machine was running WordPress, I used wpscan to look for any vulnerabilities in the web server or to identify any users, especially since the SSH port was open. The wpscan results revealed two users.

Step VIII: Try to crack the pattern
I tried connecting to SSH using the users found in the results and used the pattern from the homepage API as the password. I successfully logged into the machine as the user ‘yash’ and found my first flag.

Step IX: Find the next flag
After searching through the machine, I didn’t find much useful information, so I tried using the ls -alh command.

Step X: Find something
I discovered a log file called “.systemlog”.

Step XI: Let's crack the .Systemlogs
Using the cat command, I saw that some characters in the log file were in quotation marks, which seemed like a clue. I saved all the characters within the quotation marks.

Step XII: Make password
I deduced the password and used it to attempt logging in as the user ‘haclabs’ with the command su - haclabs.
Step XIII: Flag 2
The password worked, and I logged in as ‘haclabs’ and found flag2.txt.

Step XIV: FIND THE FINAL FISH
Since the machine has three flags, I needed to find the last flag, which is the root flag.
Step XV: Gain the access
To gain root access, I used the sudo -l command, and the password was the same as before. I accessed the root account and found the root flag.

Step XVI: ACCESS THE MACHINE:
At last, I accessed the machine with the “haclabs” credentials.
