Ok, so let's get started with a simple nmap scan.
nmap -sC -sV -oN <file_name> <ip_address>
We have the standard ports 80 and 22 for HTTP and SSH. So let's first inspect the Apache server.
We find a 'thm.jpg'... Let's download it.
Ahhh! After seeing this I guessed what's wrong with the image... The image has a misconfigured header; after fixing that we get a hidden directory.
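As an added example (not part of the original writeup), here is the kind of file-signature check that reveals a "misconfigured header": every JPEG starts with the Start Of Image marker FF D8 FF, and a file whose body still carries the JFIF/Exif markers but whose first bytes do not match is almost certainly a JPEG with a damaged header. The sample bytes are constructed here and are not the real thm.jpg.

```python
from collections import OrderedDict
from typing import Optional

# Magic bytes for a few common image formats (standard values).
JPEG_SOI = b"\xff\xd8\xff"            # Start Of Image marker
KNOWN_SIGNATURES = OrderedDict([
    ("jpeg", JPEG_SOI),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF8"),
])


def identify(data: bytes) -> Optional[str]:
    """Return the format whose magic bytes match the start of data, else None."""
    for name, sig in KNOWN_SIGNATURES.items():
        if data.startswith(sig):
            return name
    return None


def looks_like_jpeg_body(data: bytes) -> bool:
    """Heuristic: a JPEG body normally names its first segment (JFIF or Exif)
    within the first few dozen bytes, even when the leading marker is broken."""
    head = data[:64]
    return b"JFIF" in head or b"Exif" in head


def repair_jpeg_header(data: bytes) -> bytes:
    """Overwrite the first three bytes with the JPEG SOI marker.

    Only the marker bytes are replaced; the rest of the stream is untouched,
    which is enough when an image was 'broken' by editing the header alone.
    """
    if data.startswith(JPEG_SOI):
        return data
    if len(data) < len(JPEG_SOI):
        raise ValueError("file too short to be a JPEG")
    if not looks_like_jpeg_body(data):
        raise ValueError("no JFIF/Exif segment found; this may not be a JPEG")
    return JPEG_SOI + data[len(JPEG_SOI):]


# Constructed sample: a minimal JFIF header, then the same bytes with the
# first three bytes zeroed to simulate a damaged header.
GOOD_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
BROKEN_HEADER = b"\x00\x00\x00" + GOOD_HEADER[3:]


if __name__ == "__main__":
    print("broken identifies as:", identify(BROKEN_HEADER))
    print("repaired identifies as:", identify(repair_jpeg_header(BROKEN_HEADER)))
```

On a real file, read the bytes with `open(path, "rb").read()`, run `identify()` first, and only write the repaired bytes back to a copy so the original evidence stays intact.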
Let's have a look at the hidden directory...
So it says wrong secret!!!! Let's try with secret=1.
Peeking into the source code we find the secret is a number between 0–99. So we have to bruteforce the 'secret' parameter.
As usual I bruteforced it using Burp Suite.
We find a request with a different length than the rest.... It could be the correct secret.
Huh! Bruteforce successful...
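Seen from the server side, the brute-force above leaves an obvious trace: one client hitting the same path with a hundred different values of one query parameter, and one response whose size differs from all the others. As an added example (not from the original writeup), this script parses constructed Apache-style access log lines and flags both patterns. The IPs, path and sizes are made up for the demo; the parameter name `secret` is the one the writeup describes.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log: 10.0.0.5 enumerates secret=0..59 against /hidden/,
# and exactly one value (42) returns a response of a different size.
SAMPLE_LOG = "\n".join(
    [
        f'10.0.0.5 - - [01/Jan/2024:10:00:{i:02d} +0000] '
        f'"GET /hidden/?secret={i} HTTP/1.1" 200 {912 if i == 42 else 870}'
        for i in range(60)
    ]
    + [
        '10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /hidden/?secret=5 HTTP/1.1" 200 870',
        '10.0.0.9 - - [01/Jan/2024:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1234',
    ]
)


def parse(log_text):
    """Yield one dict per parseable log line, with path and query split out."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        parts = urlsplit(rec["target"])
        rec["path"] = parts.path
        rec["query"] = parse_qs(parts.query)
        rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
        yield rec


def find_parameter_enumeration(log_text, param="secret", threshold=20):
    """Map (ip, path) -> number of distinct values of `param` tried,
    for clients that tried at least `threshold` distinct values."""
    seen = defaultdict(set)
    for rec in parse(log_text):
        if param in rec["query"]:
            seen[(rec["ip"], rec["path"])].update(rec["query"][param])
    return {key: len(vals) for key, vals in seen.items() if len(vals) >= threshold}


def find_size_outliers(log_text, param="secret", min_requests=5):
    """For each (ip, path) with enough requests, report the parameter values
    whose response size differs from the most common size for that client."""
    by_key = defaultdict(list)
    for rec in parse(log_text):
        if param in rec["query"]:
            by_key[(rec["ip"], rec["path"])].append((rec["query"][param][0], rec["size"]))
    outliers = []
    for key, pairs in by_key.items():
        if len(pairs) < min_requests:
            continue
        common_size = Counter(size for _, size in pairs).most_common(1)[0][0]
        outliers.extend((key, value, size) for value, size in pairs if size != common_size)
    return outliers


if __name__ == "__main__":
    print("enumeration:", find_parameter_enumeration(SAMPLE_LOG))
    print("size outliers:", find_size_outliers(SAMPLE_LOG))
```

The size-outlier check is the mirror image of what the attacker watches for in Burp, so the same signal that makes the brute force succeed also makes it easy to spot in the logs; rate limiting or a constant-size error response removes it.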
Now we have a password. But we don't know what this password is for...... At this point I was not so sure what to do next. Since this is a steganography based box I tried to decipher the "thm.jpg" image.
A ciphertext username..... Decoding it with rot13 we get the actual username. At this point we have a password and a username; I tried to SSH in with these credentials, which failed....
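rot13 is the 13-position member of the Caesar shift family, which is why applying it twice returns the original text. As an added example (not part of the original writeup), this implements the general shift, rot13 as a special case, and a small letter-frequency heuristic for guessing the shift when it is unknown; the sample strings are constructed and the scoring weights are an assumption, not a rigorous language model.

```python
import string

# Letters ordered roughly by English frequency; used only as a crude score.
COMMON_LETTERS = "etaoinshrdlu"


def caesar_shift(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` positions, preserving case and
    leaving digits, punctuation and whitespace untouched."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """rot13 is its own inverse: rot13(rot13(x)) == x."""
    return caesar_shift(text, 13)


def score_english(text: str) -> int:
    """Higher is 'more English-looking': count of frequent letters."""
    return sum(1 for ch in text.lower() if ch in COMMON_LETTERS)


def guess_shift(ciphertext: str) -> int:
    """Return the shift (0..25) whose decryption scores highest."""
    candidates = {s: score_english(caesar_shift(ciphertext, s)) for s in range(26)}
    return max(candidates, key=candidates.get)


if __name__ == "__main__":
    sample = rot13("the quick brown fox jumps over the lazy dog")  # constructed
    print("rot13 decode:", rot13(sample))
    print("guessed shift:", guess_shift(sample))
```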
Honestly, at this point I got stuck for too long. And I ended up deciphering the image on the TryHackMe Madness page.
Deciphering this image we get another password.
I tried to SSH in....
Hmm.... we got the "user.txt" flag.....
From my previous experience I investigated all the binaries with the SUID bit set using:
find / -type f -perm -4000 2>/dev/null
I noticed a screen-4.5.0 bin.... Suspicious.
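The `find` one-liner above is the manual version of a check that is worth running routinely as a defender: list every setuid file and diff it against the set you expect on that host, so an out-of-place binary like a hand-installed screen build stands out. As an added example (not from the original writeup), this Python equivalent walks a tree, reports setuid regular files and flags any not in a baseline; the baseline names and the sample tree it builds in a temporary directory are constructed for the demo.

```python
import os
import pathlib
import stat
import tempfile


def find_setuid(root: str):
    """Return sorted paths of regular files under root with the setuid bit set.

    Uses lstat so symlinks are not followed, and skips paths that vanish or
    are unreadable while walking.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_setuid(root: str, baseline):
    """Setuid files whose basename is not in the expected set for this host."""
    return [p for p in find_setuid(root) if os.path.basename(p) not in baseline]


def build_sample_tree() -> str:
    """Constructed demo tree: two setuid files, one normal binary."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    for rel, mode in [
        ("bin/passwd", 0o4755),            # expected setuid binary
        ("bin/ls", 0o755),                 # not setuid
        ("usr/bin/screen-4.5.0", 0o4755),  # the kind of surprise to flag
    ]:
        p = pathlib.Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"#!/bin/sh\nexit 0\n")
        os.chmod(p, mode)  # chmod after write: writing clears setuid for non-root
    return root


# Assumed baseline for the demo; on a real host build this from a clean
# install or package manifests, not from the running system.
EXPECTED_SETUID = {"passwd", "sudo", "su", "mount", "umount"}


if __name__ == "__main__":
    root = build_sample_tree()
    for p in unexpected_setuid(root, EXPECTED_SETUID):
        print("unexpected setuid:", os.path.relpath(p, root))
```

To scan a real system, call `find_setuid("/")` as root; compare the result against package-manager metadata or a stored baseline rather than eyeballing it, and investigate anything new, anything outside the usual bin directories, and anything carrying a version string in its name.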
After googling screen 4.5.0 exploit, I found a valid exploit. Downloaded it into the /tmp dir and ran it.
I got root....
Traversing into the /root directory I got the "root.txt" flag...