Today we hunt on another vulnhub machine named CyberSploit1. The machine is available in public domain.
We start our hunting with reconnaissance, by using nmap tool and we found port 22 and 80 are open.
Since port 22 is open, with the help of browser we just find out what's on the page!
Its a jackpot.!! We found some username and passwords. We need to check the source code whether to ensure these credentials are correct or not, but instead of that we found a interesting statement "</........ROT47......>
We go back to the home page to check again those usernames and passwords and found a fishy entry
So we come to an end that these to credentials are ROT47 and need to convert back to plaintext. With the help of decode.fr (website that can be used to covert encoded data back into plaintext.
RAT47 Plaintext
D92:=6?5C2 shailendra
4J36CDA=@:E` cybersploit1
Now we have two valid credentials and port 22 is open we can take ssh connection
We got ssh connection and just found a file named hint.txt. When we opened the file we found a text named docker.
So with the help of docker we can do privilege escalation. From GTFobins we found a docker file with shell command, with that shell command we do privilege escalation.
Finally we become root and just found the flag.!!!
ROOTED..!!!!
Comments