
Vulnhub : Warzone 2

H0j3n


Nov 12, 2020


Nmap

I found several ports open like 21, 22 & 1337.

Port 21 (FTP)

Accessing as anonymous, I found 3 images like below:

So let’s use mget * to get all of the images.

Images


Since I have played CTFs several times, I know this is called Flag Semaphore, and one of the best platforms to decode it is https://www.dcode.fr/semaphore-flag

username.png

By decoding the above picture I got “semaphore”

password.png

By decoding the above picture I got “signalperson”

token.png

Since I got the username & password let’s get the hash & token

HASH = sha256(semaphore + signalperson)
TOKEN = bytesToHex(HASH)

I made a simple Python script to do this :)
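The formula above, worked as an added example (not the author's script): it shows that a token derived only from the username and password adds no independent secret and is ambiguous under plain concatenation. The UTF-8 encoding, separator-free concatenation and lowercase hex are assumptions, and `keyed_token`, `verify` and the server key are hypothetical names for a hardened variant.

```python
import hashlib
import hmac
import secrets


def derived_token(username: str, password: str) -> str:
    """Token per the page's formula: bytesToHex(sha256(username + password)).

    Assumptions (not confirmed by the page): UTF-8 encoding, plain
    concatenation with no separator, lowercase hex output.
    """
    return hashlib.sha256((username + password).encode("utf-8")).hexdigest()


def keyed_token(server_key: bytes, username: str) -> str:
    """Hypothetical hardened variant: HMAC-SHA256 under a server-side key,
    so the token cannot be recomputed from the credentials alone."""
    return hmac.new(server_key, username.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(expected: str, supplied: str) -> bool:
    """Compare in constant time; tolerate surrounding whitespace and hex case."""
    return hmac.compare_digest(
        expected.encode("utf-8"), supplied.strip().lower().encode("utf-8")
    )


if __name__ == "__main__":
    # Values decoded from the semaphore images on the page.
    user, pw = "semaphore", "signalperson"
    token = derived_token(user, pw)
    print("derived token :", token)

    # Without a separator, different (username, password) splits collide.
    print("split collides:", token == derived_token("semaphores", "ignalperson"))

    # Anyone holding the credentials can compute the derived token, so it is
    # not a second factor. The keyed token depends on a secret the client lacks.
    key = secrets.token_bytes(32)  # constructed sample key
    print("keyed token   :", keyed_token(key, user))
    print("verify derived:", verify(token, token.upper() + "\n"))
```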

Port 1337

Since I have all of the things needed let’s check on port 1337. It asks for a username, password, and token which I already have.

So I can use ls, pwd and nc. Let’s try to get a reverse shell using nc.


Flagman (User)

I tried to run linpeas and found this

After reading the file I found a possible password for the flagman.

Try to su flagman and we got in!

Admiral (User)

I tried sudo -l and found this.

Let’s try to run the python as admiral.


Also, I should port forward port 5000 by using SSH.

ssh -L LOCALPORT:127.0.0.1:REMOTEPORT flagman@192.168.0.119
ssh -L 5000:127.0.0.1:5000 flagman@192.168.0.119

The first thing I did was to go to /console and put the Debugger PIN and I tried to get a reverse shell from it.

Root

First things first, let’s try sudo -l, and I found the below:

We can try checking on GTFOBins

Nice! I managed to root it :)

References

https://www.dcode.fr/semaphore-flag

https://gtfobins.github.io/gtfobins/less/#sudo