Hello guys! It’s been a while since my last post, but I’m studying right now for my eCPPT (Professional Penetration Tester). I had a few ups and downs with it and had to look for additional learning resources so I can understand some topics better.
Enumeration and gaining access
I had no luck trying to access SMB, so let’s see what else we can do.
My next move was to check the web server and see if I could find anything squishy. I ran gobuster and the admin folder popped up, but when I accessed it, it looked like it was hacked.
I downloaded the image and ran steghide and binwalk with no luck. Then I used exiftool to check it out, and something interesting popped up:
As the description said… the only hint was in the title. Analyzing the image and the title, I concluded that it made sense to search Twitter (the blue bird, the name of the challenge) for that user name, and I came across this:
Access the link and download the pcapng file, then use Wireshark to open the file. I started looking for connections to the open ports on the target system. After a while I found a connection with clear-text credentials on port 2121:
Connecting to the FTP server on port 2121, I retrieved a file named help.txt and found a new user of the system, called zach.
I brute-forced the newly found user with hydra and cracked his password:
Access SMB with the found user and password and explore its shares:
I connect to SSH with the kevin user and the password he mentioned in the files.
I got user access to the system, so now I can get the user flag. The user flag is located in a hidden directory.
After enumerating the system I found nothing… but doing a folder listing of / I found a folder named backup, which had the following bash script:
With that information and the fact that there was a cron job running every 5 minutes, I created a symlink to the root directory.
Linking the root folder to the tmp directory from kevin’s home directory, I was able to read the root flag.
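The last step works when a root-run job follows a symlink placed in a directory an unprivileged user can write to. As an added example (not the script from the box, which is not reproduced here, and assuming the cron job copies from such a directory), this is a check a backup job could run first: it lists symlinks under the source tree that resolve outside it. It needs GNU `readlink`; the function names and demo paths are constructed.

```shell
#!/bin/sh
# Added example: constructed paths only; requires GNU readlink (-f, -m).

# List symlinks under $1 whose resolved target lies outside $1.
# Output: "<link> -> <resolved target>", one per line.
find_escaping_symlinks() {
    root=$(readlink -f -- "$1") || return 2
    [ -d "$root" ] || return 2
    # "-exec ... {} +" hands names over as arguments, so spaces or
    # newlines in file names cannot split or hide an entry.
    find "$root" -type l -exec sh -c '
        root=$1; shift
        for link in "$@"; do
            # -m resolves the full chain even if the final target is missing
            target=$(readlink -m -- "$link")
            case "$target" in
                "$root"|"$root"/*) ;;                      # stays inside the tree
                *) printf "%s -> %s\n" "$link" "$target" ;; # leaves the tree
            esac
        done' sh "$root" {} +
}

# Exit status 0 only when no symlink leaves the tree (fail closed on errors).
safe_to_backup() {
    hits=$(find_escaping_symlinks "$1") || return 1
    [ -z "$hits" ]
}

# Constructed demo: one harmless internal link, one link out of the tree.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/docs" "$work/outside"
    echo "not for kevin" > "$work/outside/flag.txt"
    echo "note" > "$work/src/docs/note.txt"
    ln -s "$work/src/docs/note.txt" "$work/src/ok_link"
    ln -s "$work/outside" "$work/src/tmp"
    find_escaping_symlinks "$work/src"
    rm -rf "$work"
}

demo
```

A privileged copy job would call `safe_to_backup` on its source directory and skip the run when it fails; copying without dereferencing links closes the same gap from the other side.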