DC416-FORTRESS
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPc5wXbIyC_pqsnxj9HrEQnlYsNAZ8xxNsiIAXFtmTjqI9ZnggPRHuX_k7eFZWCtkncJVv_-xOk33yxT-yAdWpJQUl-qt03OiwBoGkDbIrb9rh56kwmGX_iWixNtCNGDV5kfRocVXZ3Wbr/s1600/screenshot.6.jpg)
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine DC416-fortress
- DC416-fortress can be downloaded from here:
https://www.vulnhub.com/entry/dc416-2016,168/
- Once downloaded, extracted and imported into VirtualBox:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF35oNYpnn1vgh_JJXVFE1nSBm0NXj76gFmLhu1HOFqBfQodlTCEGASSM5mOh8YntzQhd4DSTaV59DKDzhLTTudyBhyphenhyphengx3eaMAPp5KxxunseYrB_JkqmWLDiMbcx-w00vk8oSya5D1YMYu/s640/screenshot.67.jpg)
2 - ENUMERATION
- Searching for the IP with netdiscover:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDLzsLUZHREnVJAMPTQkFtJqV1M3ZfSxmKdIbAHFmzAkTXzPKSLgaq4G9TuFwfaY7KKlhD8DlzeC6bmb1c6IaaVH9lry9zRNBx24ws2cnnP6thY9UFkbrxuTbcrFJvtJkm0wL8u3YYWhjF/s1600/screenshot.2.jpg)
- Scanning with Nmap we discover that there are 3 open ports (22, 80 and 443):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigocMwwWBxZAEB8bNYVkTWTGM1sxd3qGga5TNpOfLk8AFx4AHwEsQYi65U2uYl0Q-URs2PTfZbUazLM4bCtAdh3hAy0RvMtRTWLAG4V5vXrTVY95jJO_jdnmekMVQ_NVZPxNFZnG-LGdnJ/s1600/screenshot.3.jpg)
- Visiting the web server, we are redirected to HTTPS and told that there are 3 flags to be found:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj70hxPsY4LcyUDLQNMGrzQUHzC09a6NcskU0aNFGCxqkItxZCwvn6zli9SYswN9dYi7Tmkv6LKNWbUyTVb4HdhEdNeDPeLC3RCfotXBItBQFX1rqgK-p6V4d-AbIaW3LuhFPoRzwnAqlZ1/s640/screenshot.4.jpg)
- Using dirbuster against the web server with the small wordlist:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQnN4nbeJJf-L0XVs985uKrlS2A3mBjNLlObZgs5680mpI50COyCLIaFkfNWpmZNYiHEtzUVaTwgkLi-M5gDgX863troXPhXScEzgWVLNr6APDYVANIsDtLhiOWXQ26pJ7_Y1SNByL5yIM/s1600/screenshot.7.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhS6MyNMFKWmXADjGf1rxfNjxwr7W2Qo9kZt-IdHaByFAjA9SUyqLGogKLQyxNbhfsWpEWHw-QxPNSo7h64nwifW9HMX_95B9wJWihexUsdIq3Oo21q0CrDiLfOzS_ydurDiyq6cDs5VnBH/s400/screenshot.8.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf2Eou3BScv6TpYwmIewvWd7dE0U5_uUojRcIFxgca1N3nY1V5G9K0XdvIrrRRLXMedq2J4rvCvMaZgNR0N35K9VT2lEXBTcGgUsBVh6Qt91Mr1h25HT_0SrumcPjB29i8R_htL2AirSfh/s640/screenshot.10.jpg)
- A file called scanner.php is detected:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCCYEp2tjgHLs06_1pSQh5BvkaLlyeIQwaXftSbX3reHY1VmmnwVQdmQJi9tjlbKez48YWIKMeJsbNU8RL47Wz_-C92WaqvFtar12ZmDRlFbdAVgD3NUZUrNhPcSLYvGQDXSMyQYNqoqVj/s1600/screenshot.11.jpg)
- Same result with dirb and the wordlist big.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiq897yh_NZGZAcENNBwg4lUh9v8xhg8XEalHb6C2QUzZKjAT8RbJsN8AgnacW-5V9bufPtJbNEzVqcDHA58Avi0lBkxlg1MZDMJodxeGdvUb_Swm-vmJ_ja6_4tHsOpJRj_n7XaPJ3WKgf/s1600/screenshot.18.jpg)
- Let's see how scanner.php works:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRpP2vN-Ie4UaMjo3d47FtLMlmVhjLdAh9o8JvHsdxMA59RBsto5VmAhz1iFcd9Lm3P4x8BpGns55kG3kxOdYn4gMtb8AxuyaJnbQhrnkbBOsSHlkfoC-sA0yotzKGWkxBAD3KrRu7s_Bw/s640/screenshot.13.jpg)
- Trying to bypass the scanner with ; | & gives no result; these characters are probably filtered:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAXknsHkXtz3vKhuA7f4-0OSX87j1jjpkA9_0FRzMnPuOQfE7Ky17yax72jpl2Eev3Z7ggNOgr9yXcjoF8RO8fDlWi1Pbb_5ykUkfElJyHRL2VWsPADD0tUWeiPyvB3wsrpylklwhCDsS6/s400/screenshot.14.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE1HZZ7zqRhF_PXWv8hSFJ3pCdzp1LtPWPxLEx9Df7ORTy-69ZPOq0IZ8VktvF6pbYlrHC1UnjlgzM6GW63G74p0KjCSa4b5-GoIfCkoHj3I1pGLWnogcr6p0FJCcXr8xi30PkVVNE1K6o/s640/screenshot.15.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMPmGQxU64rqZuIi6Cqxzw_rjX2A5yBQ12G6uSJY3LoCA9k7cnUJmiDKfCzpDP2sUv_dexYHUgQcPvepfBHVuf_CHpBWL6qUktRw2SbX_Rwl5b_gNHNdQ-Qu8OxvDHvyTG-4ULFV7gpkeO/s400/screenshot.19.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-Al6zdG156CEG2_0VR6mqoQNovYE_G-egOSadRH0Zqw6ing45OM3ybrMqPAVEcghKzJPDjtSBBCtex21TfZYdgEKz3-9fSbcWFt4V1oMLJkSj8LqNR8rhWyThrzwywOvKzN3id-dI_37U/s640/screenshot.20.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNQ410zExZJYqwOba7WyAu8h0tfXTipbLRvYnHXf31o-D3dWrcIW5P_ZNTnWyQBFNzGLJsIhfFQ_bBxsFGWwVEOFBoAPJLSai5fno66GEc2-lK2Yj3RJ_y_Yn_brkintlTmW7Pz-fJV7ga/s400/screenshot.21.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyGql54JUh56YfSS7SfXnX3mP-OxjpyFnpDPM7iOAlo-CufK5kzxKg6sH6wYhgZcUJWDlBndoyUsRf8FdwQahpvbtOwoXpvv58GGugGsiDodDlfosFxtkmKY3CfoFdqqaG_IjYobhr3NiD/s640/screenshot.22.jpg)
3 - INTERCEPTING WITH BURP
- Intercepting the scan with Burp and sending to Repeater:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivqFihptAuUiVI60IGgPY3vTfim4H-jkQNWJK4Tq2ooGmpp0tTqSTDMMOmFfzvx_Eg0WwjQGNpdbT82ykRSsdkw81h8QNiRjXApb-VZaMZeEqmnC6vjU2I4b8Js_S3srRHfuEpKAdu05AE/s1600/screenshot.69.jpg)
- We discover that a "carriage return" bypasses the scanner's filter; for instance, with the command id the response is successful:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO30zUiwCwYEkFhu9JYj8Gq1ZN_TH3UyFAr7r0FfQvHg-Nna0wP-oIjV4l8Mc1xc141aiiyHLFhfONAYnRF2lp4Ih0Ff8-ECh0tGMtGc4MxViDxIuk-LMeID1GoItyXu22nddMeV3z_uNg/s1600/screenshot.84.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoJKg9txDFU1k-EVhoZSwkrgwZCPYKNMQVRaNMWxFfMBASbX6pUMO6B8Hw-EgunAbp8OMgDm79oFSFbiq2c5k42CmiSM8rUgka3GMqYMXx8KSob55Ae5Tis8qwR3hPXikrjLkRQ7JPc-TM/s1600/screenshot.85.jpg)
- Reading the file scanner.php we understand the details about how the filters are implemented:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJeXwgJrkDyL8l2rd3hZtf5-t-8pOuVMdYJrSc6LuD46OKYfdbNIPVH4zi6acyvYCtkKVb_0iONM5acwDqFuSgQWrmyZbuomOOkGf-dR4vG18ESllvZKnpixmULxGTAQbAeWLOukFOjDLm/s400/screenshot.86.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8JoEE2CDbgeNTJdn1XUL_Bsftklgfak3cvqeSdanktYYBqtBY2uY9-_LOP0Gx3qvnSGSx6o0K-KW8ypHlm26948NPgmLPlQNTNxpiplN15rfyqpGgzTOzQnhTYjlcPqKgk8-jdX3zY4ZP/s1600/screenshot.87.jpg)
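The scanner above blocks the obvious shell separators (; | &) but not a carriage return, which is the classic failure of a blocklist. As an added example (not the CTF's scanner.php and not the author's code), here is a small Python reconstruction of that blocklist beside an allowlist check that only accepts a literal IP address or an RFC 1123 hostname, plus a command builder that never goes through a shell. The BLOCKED set, the regex and the function names are my assumptions; the ping argv is an illustration of what a host scanner might run.

```python
import ipaddress
import re

# Constructed: the metacharacters the page reports the scanner rejecting.
# This mirrors the blocklist idea, not the CTF's real PHP.
BLOCKED = set(";|&")

# RFC 1123 hostname: dot-separated labels of alphanumerics and hyphens,
# no leading/trailing hyphen, 253 chars total at most.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def naive_filter(host: str) -> bool:
    """Blocklist check: accept unless a blocked metacharacter is present.
    CR, LF and other separators are not on the list, so they slip through."""
    return not any(ch in BLOCKED for ch in host)


def hardened_validate(host: str) -> bool:
    """Allowlist check: accept only a literal IPv4/IPv6 address or a hostname.
    Anything else (control characters, spaces, leading '-' option-like values)
    is rejected, so no shell-parsing subtlety matters."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.fullmatch(host) is not None


def build_scan_argv(host: str) -> list[str]:
    """Build the scan command as an argv list for subprocess.run(argv)
    (no shell=True, no string concatenation), after allowlist validation.
    The 'ping -c 1' command is an assumed stand-in for the scanner's action."""
    if not hardened_validate(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    for value in ["127.0.0.1", "127.0.0.1;id", "127.0.0.1\rid", "-n", "example.com"]:
        print(repr(value), "naive:", naive_filter(value), "hardened:", hardened_validate(value))
```

The value 127.0.0.1 followed by a carriage return and id passes the blocklist and fails the allowlist, which is the whole lesson: validate the shape of the input you expect rather than enumerating the characters you fear, and pass it to the program as a separate argument so the shell never parses it at all (in PHP the equivalent is to validate first and still wrap the value with escapeshellarg()).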
- Also, we can find some flag text files:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgz1A6LNV_MLlKPpKcBg0LqsDAQH7FP1Lm-ti5EZB2k7Euj-l76FOm_drwwPl1VXZ9My-sUxacdSUIliUuCi4WGxPmnHW2HzJa7QV7J4xxmIqZSzkjioP9cIHTJFeW6hW4vN1NAtvJ-a6w6/s400/screenshot.88.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2Day1Z46rI_b1y-ApPpChyphenhyphenKXPjExGvs0Dvfo2pdJVmRfu1OOLWmDmw5K4EGo3Ks3EdQLSGPgsCTFoBC202sSpBFHg24JzstZGew9uMg-jaVuTh0ogCcSqskygV8RTzFzFMCf5AxxjxoR9/s1600/screenshot.89.jpg)
- Even the content of the 1st flag:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCjwtLrdb5RKZ0BAnVVcBARO5zXn-0YjklhIIt_ha8FB4gz3L1oiOH6JOjDJ6itbsZrVHtzu5fysFtXOH9YaVzyQwuwTxAoKOmKSv9rNweirkpLKreQ8VlzeqS_VqrSazCSiAONu893lBW/s1600/screenshot.73.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb01oQRxxFnMeNRAjrvjwmBlkj-tg2AZAJ_BN8aa66Rum07KP-cBQ5Xl-SrI0Bk1nwsJmnN5IU-4uqG7a4cdtvnbT_rhyBHrJMEeqxTScApFJYZDO9SSPsD9xlk28CiJHbVD2A0ly2pTar/s1600/screenshot.74.jpg)
- Although it is possible to go further with the Burp attack, we decided to take another route.
4 - EXPLOITATION WITH COMMIX (COMMAND INJECTION EXPLOITER)
- commix helps us to run an automated Command Injection attack:
https://github.com/commixproject/commix
- Some options for commix:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4tvjXbTIYuIjnomko5U4neGZXEiwJxDh7son_s3GUPvNWaHHbcoOKoLkxDBk5MfWWziusy0sRSyp91bd7pEcEKoq2rpeiiFHm_Cj4_Do9t7_PiY2qEY1Or_wyK08ws6fll0ZmiDuud_1i/s1600/screenshot.83.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0BH0Ja-AbA3q_VoiF2ZJWUfLB2-xeCJi0V6kmt2MoacEiWvdOL9HEUxdqmN3mVZEJYF8K2erbB2jQRyoJq2wbJNT-nTOnCyweF24LgdJjVjz351zvBhpHr3INIJHmkPcb3CFKI3UjqF98/s1600/screenshot.80.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWqfP-ZCoKvJ_wKwRWFv9stwZFflzKsTh-dznS9e0yLyP7FJtOGGJVjtXY7jis5OivvFnUYpbAtJOEUk185DBUiF_k-r5EWQfK1Y7cUw1pJtkrI1bh3EjN2jPdUonZ9Rk-A9ad86lD79yN/s1600/screenshot.82.jpg)
- In our case let's provide as options the URL to be attacked and the data string 'host=127.0.0.1' sent through POST:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4uOXy1LCLTFqTSEgSwzEeat94udYmyTpur8e239g_jWz8BlyzuhIbWtz1WYwCsvahXRs_GgV4MQdBXQtP6UrIHI58O0OMgaWiOSUE8UJyKlusGSNTDj_POV-jJBNnvKgbAbN8fxFxo3qy/s1600/screenshot.23.jpg)
- The pseudo-terminal gives us easy access to information from inside Fortress:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqeuJ0wxINPsXemzgDpWpeNBH2YtORFhCfoaMex0AUMHYy5JxyNp8Ou5iwDsZ7pJbivTZ2RgZULJJ6Ge5Vxu7j14GhaE_u9eEir18cnRfX49MGoNiAqGAWTLtcO1FTbCAUEMyNVqUx7kAf/s1600/screenshot.25.jpg)
- Listing content:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcsnwsS7kNoPEPlsloLEFw9EUMpscI-dKpOhYhy9YK8UPd5QgYzHLNp1p9_R4jLp2uku2joOdYdNnNLm0QP6alX7FyDh2tehCMc6FX3Q256fEkUxM_UxYsjstI1oXu5ax9Ll0bL8zpKHXK/s1600/screenshot.26.jpg)
- Code from scanner.php:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhonJsvszwFNvvv7k39iHHJcCy9mQNZy4RJmrdqtpK0jEMubW_eGxu937szB4TaAmGXEcE3-iF3J34UPuXd7n01oj-kan008uwJAZCl5YoOIZ6H_QX-d-L4NldtFKZr5iJ-HIDLjmFsWcNj/s1600/screenshot.27.jpg)
- Checking what type of file s1kr3t is, we find it is a directory; listing its contents gives us access to the 1st flag:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxkj0vb63Pn1GpEzNYsQ3EDCdAxYJHwg9Lq2QISWknQfGXndpPX2mzOjMDSE3en2dBefX04uVKF-0oAWPZaiM34ybLCuJXX-xAVMTXLMkLcwuj26k3K7oIs-NyCnqXbmDbTyAzO0ADuw8R/s1600/screenshot.28.jpg)
- Doing the same thing with the directory k1ngd0m_k3yz and its contents:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeq3-CrTMnIYNNy_Joax-GtonwQNkvNPdeD8pe8ks7-zQ2ryvH56OY6NmiTP3G-f_d9zYL1HyKe5TzBBUOiy3wkZtzy0r_z_-xTxSRJJbeMqcRGxYwzbhBYe3RcCpXQFz-Kdxzi4Vwu7A4/s1600/screenshot.29.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9ZlM2dWOhT3nUu9MF9hG35Q9VFXhPDplvWR_-VEle9x2wpyQvEBsL_QagMJKjI50ww144fUbrWf7xsRHltAllAP4a8KEcQDpTKInM0nl4vl3GExrOc_n14eKERXL1nLMwPaoywVnjO65I/s1600/screenshot.30.jpg)
- Reading text files master and passwd:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjoowuOMXEbB7MfGniEK-QeLFLYaWvKsz7DcoCGWUFw-Cg7f2OEuFQ9x81ggKwxlzPkWtIJpoZDKWW0cbb7YqmTYCoi3_ucXJAKl6R9WhV_wRB3ZDB388HML_zRIMnx90XLlGVtmHXHHks/s1600/screenshot.31.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtmUcOBOiAV8LOsLpSbeDiT3MbNNhdh_WNlWXnfdBX9d3ds-sy-fIHvNT7KhxVUIEmxpgT3ufiP5XZqCI8iahNqMvkpLdVBFoGGBJ7WOFm52ww4BJ-BtKvt1osKxxtuoK4An9paR1XRC2J/s1600/screenshot.32.jpg)
- Although we could try to crack the password for user craven, let's dig into its /home directory for now:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqs-Nx7MQapTvJa0lO-PTt70Wrdv7a3S9vTrSd3qE6WWonYFq5z33yDd1GFdpbpYztg3y07Gm5HTcMJK5vhhZHB0IhSfA9ArZyL8-aKxjJWGMnR5-IiZjSf6d8m0j4mA18wjV7z4a1CL0Q/s1600/screenshot.33.jpg)
- For some unknown reason flag.txt is not accessible:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3GSga7OX-fFRI-Ri-vIQiJl7v0J-anyQ_mNGqQUVmEXHjK72ndUmHe8x2J7j3Drw1fEltSp0ODnfuPIVV1pqNye-XP1OWpj9ogLttTzVoq6XzEyZ4dn7-4UOhmU5bEmLFWk_NlcNf1ru7/s1600/screenshot.34.jpg)
- hint.txt describes how to obtain craven's password:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCjvrEKwRAmPb4mpEueeVO8_JTrHWVFvreya8PlmTxNnHtNCtDFIWUs7WtZDZusxanMkQudm2LX8njmYJwssNKBGguR_1LSXVk7-WsV-QVrBvpsX5t7WhOed6oNkgxl60QEg1md9GSEe49/s1600/screenshot.35.jpg)
- reminders.txt tells us that craven's pet's name is qwerty:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMcIcGbcsYhJ5CpgYrnb9amf62H_RJJe_hYU4d-ikETVFzpu8xpKKOsrzt1dSABYwyfmdaxWOv22YUSjnTuxPX6i84yhdjXxlmPhZ4VB82-Uzmxz7kA22MMTu4hsr9pl_Vj9Z0_QrxHO6k/s1600/screenshot.65.jpg)
5 - CRACKING THE SSH PASSWORD WITH CRUNCH / MEDUSA / HYDRA / JOHN THE RIPPER
- Following the instructions from hint.txt and reminders.txt, we can use crunch to build a list of passwords with the pattern %%%qwerty^, where each % represents a digit and ^ represents a symbol:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_jWcROeY7LW-vdBALstLDDiXbFCRq6Lp7s0kIu8bqXaNcjFSfOSxsWtsiaEykMNb4gmONCwSEQkBpZhvuQy2MeMRJPVZnsEyrgNfvzZH3jAh3Eorls3Qhyphenhyphen9BUSvisVECFV1ZDBaFJSfy_/s1600/screenshot.38.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-JdB0GNYk1HhhFqlq-eJr9wl2meP3P0obhBuR00dPd87wkitvvjGKdFo9HPG7hT4QqAEs4RWU4ft942bryrN9kT0mp9yEZUttUp0lid8QXL2jUg3OsGBmw6-b7iDobDaqa5Tu-_K9rh-c/s1600/screenshot.37.jpg)
- Creating a passlist of 33000 lines:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWCe-i2L-wDIJBX6KUjqxO1pVZpq4AkjCVmW1yCsMsML4xzpU3sPKKUKVbP4FeKEK-iu-AZadQLR2Jjr5uDvrVATbW8GjibWVneP48BxzuCiT9Myq7HcVeeNwpAHhRtIQcRjmZvmBbGuNZ/s1600/screenshot.42.jpg)
- Both medusa and hydra, using passlist, are able to find the SSH credentials for user craven:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVvvMYr6D_65Prcte0Er0Bjxh7wd8hvdOJ4qHfr8oHKXAs12jmEZmzofkyGTfIyU1xtOiQqvYFYVfOAvcurh1KP2s24zaeQtM2Yt07e6uMC2xEKGLprO8LW3zalAydUOVSqpBIPFV-CC4Y/s1600/screenshot.43.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9O2LI5Nxf2VJsaxPFLSChGmxH_aUg5ig6LAPgt0AWNJDONSWuEsvXQ9IfFoaGfkQD4gndJ4DmNUZuy3JFICIZU0L-Fw5XlAZ1Iw-2fZQZ9BfgFzm2Uozb73qn34Q3MIzqMZyRSsDhteOl/s1600/screenshot.44.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJoSqmlNtlekPZL1BStM86jeTE0t5uhmDshBDblFSXDtLjx03GrCxNaYIyYMhEG96yBqdvVEnZynmi336hofvgWcnw3LyR6JL_fxNKuIImbRIbdsGgnsPwbIzjj7w8eW1MM8ISa_igsHYY/s1600/screenshot.45.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpHb8rDTD8FS903jqYnpYvSwn_9E594idMhoAJqE4UcAqoSsgdM3rim_kqrWiiyZDUD3cmsemVsHgkCXnKBwmaKWhoFMoIY0gGtEY83TLBNLz0FV-p4XY6dQ9prrm_Skg1lIlJNllYktYs/s1600/screenshot.46.jpg)
- John The Ripper can also help us to crack the password.
- First, unshadowing:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJpmTyofIu22-I1-HOhaW1rQpDn90Nd9pMAixkINCJ_aXkvmu7y5WCIJS9dtUs29TTKRPoTDOu0d-SmJaMnS5VdntFUG9bcS7FMu6K0zPPjyzm6WsUMUw1pYCAdHdyJvRXsrYn0gSgJsuP/s1600/screenshot.76.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjutm3VJ7c4jl27JFA1q3_AaKfycfoQXGXpR82Y-QhA6hLQQJ4Z-wPV57C3vtwB8pUknStTpWB9ysTX-VowftAi8GYP_4LXoq-uahN7_ZJ9BEc0JSkRwpSP3Ro0-G4foFmtsoUSocZtYj1g/s1600/screenshot.77.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicxXScHU9f-TJ6rginU6RgzPNpIOK2Lhs0f7BVJIMf8qUJ_pMj6uuToEvnF_o_dFNe0pjjGMSqMgGwLLkVZl2pQSx9fWqbh5rjiity-4IroRUKtUzwrRoWIJXd-aflErKoBt28IQqOA7MV/s1600/screenshot.78.jpg)
- Running john on u with passlist:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwL6QCXF0C3L0EaQKc215YlXrpuZGzeUJ9os3tkKGQJ7J979oRrdDj7rgvLU-WEVdLxThTzw7rd-XV0MbbXyGNKMiB4VXCT9riIxMFcZsEaa9xa8AzCLV8z5YvvvgF87ei2Ugd8kuK0XsL/s1600/screenshot.79.jpg)
6 - LIMITED REMOTE SHELL
- Connecting over SSH as craven, we obtain a limited remote shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAUzxRNJA3CwDgyrfjFvKwUzX296rQ5TUlgo2R1muVJPYzQNJmyM51omkp2qmD_ymR1mXImzlQjjM2Ti13gXThLCE2ZTc2ggIeozG84cqtQYUwh43BTsLqiU8cyW1DUBIQxIFdfDIoTipe/s1600/screenshot.47.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZm0JTRlKDydpG3i0pREUzd-TAAd_Dl0oeX7nOw_d5-XkauYb2t4Vea6chBEI4v7xuCo_VVmMRWh-SyvkrQSs9a80IeUTDo135IBvWNwBxYY8RvbJrNcpXe4AQFMmGU8SsQeho6eYTxDAa/s1600/screenshot.48.jpg)
- There are two home directories under /home:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFXzmBxSjbOKpZ0AgXtQs1mv8WAuRAtaWrs11tBaIzb4Iy61ylVkFTVcWVCFB9RDIemTRonw17v5hDoTEKqJVmcMQxvU8EWbRBxkXzQ8dgua6sjZqNZ-L3J7V5_aDyaowenfGBHmsy4GR2/s400/screenshot.51.jpg)
- First, inside user craven's home directory we are able to find the 2nd flag:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz-ugStBEiLFS2psufc_LZZO-2hNSwDkZ4c0ZwUs1P0pVsWIFXZNQiwrutVbMdwYXazAeOMl6j4rRshmvsJsMYMKXwj9ifIXTMfoo3oU59jF-zwycYdo-j5BmlMu10yRNxR9P9rX4Lrull/s1600/screenshot.52.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXRi17bLpMugplMWPaOC34R8CuFiU4_bYzzCkLf7dnAIaoSUEsXvhLRzfMjtP8Qz6kim0h7e4ICvMgjYzHnJilc8YiyRoNSvLXqlvd8cXCAOuTu9QbMx7MmCI15uBtfppusCSHR9vUadic/s1600/screenshot.50.jpg)
- Then, going to /vulnhub we cannot open the 3rd flag:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1WooSnGUR_a32-aKxZehYdJWX2EPy9a8kXtsjKP6JtCpcuS0b5EARGvxJshig7wLVztHGjC35uFM59ksxZkljGQ-79it_uP_YN202p6i2f6Z_l5zc48mhiXpFRe0QYf2dV_B7L9S9Q7lM/s400/screenshot.54.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX3aYESHDsXbyn4znq-cdYHjPyPSDAXyqlui-YZ2KDeST7KCiF8RpArrqE0d2fZZMz8ZSPqc4xbI7B9054DCZIdrOCej-CZIvveOGg7SAsmBuComXQR9QtwzRocRCfynd4cTIf9NZGz4sr/s1600/screenshot.55.jpg)
- ./reader is an executable file that might help us open flag.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigz1E9ylEYmw5RU-Z7s_NvCkF27Mvy3ycfGpnTa4WHkSXlvzol5LMyzwI_UhWaKq8hz9RKoMKQyL7EBUSHAjgLNBKeUb3rsKwh6qcdACs7qcANV7GjEBA-rbcB4RSXaX5eJbXTBxmCK1Yh/s1600/screenshot.56.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho2NwTbIlTg5hdQdZtcxH6hfVp_ZX-8qYllxi9RQwdpc8XQi0nB-bn3Tp5ZmAQJjYDrmKgKF17UNS9PaDF0nJLREPL8-9jpmLHdsonBaKx7av0ma_5dhJMn87vrR192ul6AZ8e34wEIQcG/s400/screenshot.59.jpg)
- That is not possible at the moment.
- strings on reader gives us a clue about symlinks:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBc1DuhxAAeCOG5_n-TrhenCZjxQvwfEdpQYtw2s3f5WCVS9iJzWzmnNeklgatAeJC7anK0FlGzwx9mgYrE7aGQd9Xyo-agILn9yF6lZtYc9bsxOqSF82ngcJtXdCqH61Y16OdJa6CfX8p/s400/screenshot.90.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMFArHmRJjoQCQuE5ExD-QHY7owMY8KOtlcZx0ZhjkNDRFxKWTdffgyYwbkRSQa_CVq1rHDwknWvJktkefbs8oj2sBb5QjeKdo_wCFxCNIBWMMI9INRGZ9HJS0DF0HeZost4FKv63ZAwkz/s1600/screenshot.91.jpg)
7 - SYMLINKS
- Creating a soft link, we still cannot read the flag:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwST-82V8Uoe3QRs-IhlswGDbfZmBzdG7ki6PJJLhDDGXz-eNvFJ33FBEmj9zpCcpRPmtK736qiE8iXm3ZYj73f5-YR8Y-BzkEQqxQLcSwZx136HHrXIz6r8xhKWTRubn8tpVKYSQtGLwI/s400/screenshot.61.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA8vWQApu6Jp46lXQ3nQf2sZv9NwPEwVjXZrdeiXAKW1aSGsnz_ro3w5Gfn1aPW0w9ct8Xu8m2HKY11qm4osxnY10aEaKI-JTUNkCB_vFn2rKJL8Dc80OFyoZrx1lYPPTG8V7UfQ-JDov-/s400/screenshot.62.jpg)
- However, a hard link is accessible from ./reader, and finally we have the 3rd flag:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyMRgaQMmSrjOkKHYCmeQsqPJyROGVSyc2Q4rmPoWf4G4z9s9Pa-stG6KZxlKwxL3moojVAl5orM-Qo7AiIAq3_7CfGQYr3b0xvVOwxnOF0jNEJJeINcbQIeFeeKNZW65BQrqs6qPWKiRY/s400/screenshot.63.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5N4euPJSm_ADeuF_bqW_np58-gkDq3opcTRzmUV82sxmVWnsPcJ2LiALQ4b35vK11HuO3L2-RrlvNb30fytCUIxom_fInbt0InsM54_ZrzuxiqZXlNQVESSo9Xb5OW32DaWGHHutnC_W7/s1600/screenshot.64.jpg)
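The reader's weakness is that it apparently checks only for symbolic links, and a hard link is not a symlink: it is a second name for the same inode, so lstat() reports a plain regular file. As an added example (not the CTF's reader binary and not the author's code), here is a Python reconstruction of that symlink-only check beside a hardened one that opens the path with O_NOFOLLOW and then inspects the inode it actually opened. The names naive_is_allowed, hardened_is_allowed and demo are my assumptions; the file contents and the allowed_uid parameter are constructed for the demonstration.

```python
import os
import stat
import tempfile


def naive_is_allowed(path: str) -> bool:
    """Assumed reconstruction of the reader's check: refuse symbolic links only.
    A hard link passes, because lstat() sees an ordinary regular file."""
    st = os.lstat(path)
    return not stat.S_ISLNK(st.st_mode)


def hardened_is_allowed(path: str, allowed_uid: int) -> bool:
    """Open without following symlinks, then judge the opened inode, not the name:
    - S_ISREG: a regular file, not a device, FIFO or directory
    - st_nlink == 1: no other name for this inode exists anywhere
    - st_uid == allowed_uid: owned by the user the reader is meant to serve
    A hard link keeps the target's owner and raises its link count, so it fails."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return False  # ELOOP for a symlink, or simply not readable
    try:
        st = os.fstat(fd)
        return (stat.S_ISREG(st.st_mode)
                and st.st_nlink == 1
                and st.st_uid == allowed_uid)
    finally:
        os.close(fd)


def demo() -> dict:
    """Build a target file, a soft link and a hard link in a temp dir and
    report how each check treats them. Everything here is owned by the
    running user, so the hardened check is exercised through st_nlink."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "flag.txt")
        with open(target, "w") as f:
            f.write("constructed flag contents\n")  # constructed sample data
        me = os.getuid()
        target_before_links = hardened_is_allowed(target, me)

        soft = os.path.join(d, "soft")
        hard = os.path.join(d, "hard")
        os.symlink(target, soft)
        os.link(target, hard)

        return {
            "target_before_links": target_before_links,
            "soft_naive": naive_is_allowed(soft),
            "hard_naive": naive_is_allowed(hard),
            "soft_hardened": hardened_is_allowed(soft, me),
            "hard_hardened": hardened_is_allowed(hard, me),
            "hard_wrong_uid": hardened_is_allowed(hard, me + 1),
            "hard_shares_inode": os.stat(hard).st_ino == os.stat(target).st_ino,
            "hard_nlink": os.stat(hard).st_nlink,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points for anyone writing a privileged file reader: decide on the opened descriptor (fstat after O_NOFOLLOW), never on the path name, because the name can be relinked between the check and the use; and treat ownership, not the link type, as the authority, since a hard link carries the original file's uid with it. At the system level, Linux's fs.protected_hardlinks sysctl (set to 1 by default on current distributions) stops unprivileged users from hard-linking files they do not own and cannot read and write, which is exactly the move this box relies on.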