1. Run an nmap scan to find the IP address. Then do a full port scan.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3g0hBlUTG2PgMv76o4zzVqibv0EbGu5wNJN69QNgG0Cmo57RZTRjXpXTFzQwouj7-pQD-u0mQEj6aAghf0FgZqFrgjxAVT5U5Tb6ev2Y_oGyPHEjpxqhUvqTzd4wXaZ_I_o4sSzPk1MNk/s400/screenshot1.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtoYJOl46fYaU7kcl6q4W1FxjzxMBoLDiN_tshgI66p1MRu2WsXmDoDvP43Fh3ALn2gZI8V50CixTLWdFlM6jvQDGhBola47buIUpJ2NHXr35nLxL4zciLLfDWKHZRmzTyzOf7h-EClMGs/s400/screenshot2.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgh2VRTWgJNMBy1WrNQ6-hpffhYaYjcUhrpE4jMwqeLAp8zNZtbjg3TB7yCJta26y5jGxmAYas4MAO92pBFPnPENLp0wP5_0R0oCaaCeTm2TczzpIjl_it_vY52oOJHbqHL-GA-7i8wvBAI/s400/screenshot4.png)
2. Looks like we have SSH and Python's SimpleHTTPServer module serving on this host.
I took a look at port 31337 using Firefox and Burp. It gives a page that is all black except
wherever your mouse lands. I have to say the effects were very cool. Let’s look at the page source.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQh0LC3lS5hUNPCDVdqkto4vY6Ppcii8OToO9JXztOVBCst-JaxcPpQ9_jOzHcwJbr0Houx_5FR-AQDhFOIaMsFXDrFpGVmfGRx3oPbszOSr0ImeESPSRSVSHvO4QBQre1Gkp2II9RIIPr/s640/screenshot5.png)
3. There seems to be something to look at.
`<!-- key_is_h1dd3n.jpg -->`
Let’s try to browse for it.
4. After a little bit of nostalgia from watching Sneakers, I downloaded the JPEG. Maybe there is something there. I can check using the usual commands (strings, file, exif, steghide, etc.).
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA37H8pflm4NPE4hmEbmsJoOfcc54Py70ln1J092aJ_k_D8wLBLAX74FHLXXI7OwcyZtsTxaSWSjbUJ5hNhoCOgGeFAjQ4leARF4HIt1gi5L3pXiWS5BT60Dsjhj_THCr8mRC2_kE8cBXk/s640/screenshot7.png)
5. Using steghide, I used “h1dd3n” as the passphrase. It did hint that it was the key. It gave a text file called h1dd3n.txt.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirYb9G4v5x_PLNRCz9Rrl_dwQJNT1YlxZ7sMQaQKDbUrlIvSuwYlqlYCgIyhjYjG-q_mnbe0HRxZNDlhoksT9tHVl7UmsDw-kpcFAkKqWmfUg07iYYovUpKrCXFgFjOf7RYXb4HsG74kN-/s640/screenshot8.png)
6. Well, I recognize those strings from previous CTFs. Time to go to https://copy.sh/brainfuck
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFZVUIGDSlinG6Fv0aOHTmxxgVR8ufQTKxLGSbJd0ykxyrnSP7awAVVJM5Kie0HrPrEyduDlyj0IjlhkCe_fruh6YSE0ZVb_5GK4tLWI3FdOPDFqO-RZcZC_0wdOVLza6CGmKFopp8XmCa/s400/screenshot9.png)
7. Well, we have what seems to be a username and password. We did see the SSH service on port 1337.
Let’s try to use: `ud64:1M!#64@ud`
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBm2BbESLQGhhpq0l-GQTWMZwTTMOT450boi8TSpO55Qnr2w_xwu683nc5FndWWWHS5Ag5-8lqr4xkHXJv1Fb_wZvDMxUNfza5-58ODRRUa9NSJ-9Da_cKoIjbOg-VfrZ2ibgD_8znQUEh/s640/screenshot10.png)
8. We have a login but… with a limited/restricted shell. There’s a trick for that:
https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells?slide=9
10. Let’s do some digging and find out about this server. Run the usual commands (id, uname, ls, etc.).
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRRW5BA8KlzPjnLVlHj_hbGiEw-KLVJH41PS0y_pKhHsxLaNkGpeepVaV-KGkYfwsDfcKjt0dZpWD2_B6aJ9_X193_Z3FraLP579lTa-JOExd2hN63ExSoki3HyQgg_uDrWitvvsTKjMPA/s640/screenshot13.png)
11. After looking around for a couple of minutes, I thought to find out about sudo.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigblSXhsY9dSOLZvEcdmw9USsdTJ3Ltad13LiWZf6tETIKv1-h3-2AZCzPDEbHnv4Fq_4lCl5DLhgqMi5etINHg8r2NiTUN5oLTk8yJSucB4Pc1WWhBpPFdx8CH331GiYaozl4IbBsHNZP/s640/screenshot14.png)
12. What the heck is that file?
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTafSaFEZoPNGgRR-4Oxq7HEBC_ukPxiYFr2dHZcy7xvn7fzzfIVjJPNthRvFj4slSYDRnq20wmJVWHavcmeABxi9RxU86Pshr07Oncvz2Cg-NxwnCJDfTzIRRkVjuJLHaDB8_SN-A5OE5/s640/screenshot15.png)
13. Oh, so this is just the strace command. Maybe it was just renamed. Anyway, I just kept playing with the command in order to get root or view root-level files.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0QMJk9BatRFlH1Njg5gLlz9cWSjyS9WZzXe4nQTDSTrqNdqlrU2uOHbktFuBsHCQSVGYGFJAvXjh1lZMuDRL4Ipz88l27ZJgABv6zBa3sUtrSZvYaqHmVxAnhZ69tboG_k6U8cT8rIz7x/s640/screenshot16.png)
14. Looks like you can view the contents of /root. There is a flag.txt file there. Let’s see if we can view it.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQaCFWi-3_bsS8IUk6pUiy1zvKdNLzldlVFhgiIRYnGMFmwsv-CNhHmGX70tDkjEJSpTZxLe19j2mDEjl61gYCFF905Byyg-_WIa6iGlrnfEKo256eGKzMgxQi952FYriIXH7RJTxMbNbC/s640/screenshot17.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXhBkSEIchpXeKik11km9ZbJ6ejdfZYyxuTHriktifHZ4SkUuiP4wj-pXb4D7WxgGdrfwBaz0El5aS2b4Kf0rqEhopU3bT4J6DZifyHPOSY7UIhUbXq7SZqvxTC0lPC98ZA8onf28K0OUq/s640/screenshot18.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgF3bLqnndoYpXdqrd1bFYMAMK4K1aW8S4iZDHtFrBNn4RpF5mH1rpsAABPh-TKVXiy8Guxj7eiJ4iqzeZal4DbemLLbx2owiylvo0k7Y2q4_mvcYA2KM5BN456R3WP2NkEP_crzv78ld3/s640/screenshot19.png)
https://news.ycombinator.com/item?id=5277241
`sudo /usr/bin/sysud64 -fe execve sudo -s`
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqAHNxRMxrr00Ai8bV2zRVG2155d5sL4JX5OEy8lYgsNyAPvOKK-EGiXP2_iE79ALdsRAVti9gEoOz3jcZkWtSUkxKG0BdPXdPoX8L7FTLd6w3bkJiSzdiKKeg5LeerpNsXIBVQzh5SA96/s640/screenshot20.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7AscKyQe8rMY9YJWH1viqp25aomDifXzwo6eHiNNRATKucoKJgZ9ctNibGIXMlHB6KW_04OS9GFxbP4_8GWCmzUNEJWZk0bS94Z5-Dm_n0U9612NkW5cX0Oixn3pB0u16J2d2iEWd91w1/s640/screenshot21.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPg4LqtaJa-9sQDVLuov-WgBnj-2BXTYtOKyuK9JetqPfb0ss3PybvSRifc3bRwFB8yVlsGAcYHYC3RwRjJ0YjX8U_LXl9TA4fHMCPkxl3W2rmjC0CmtMCwDiXsJPv-v_liAoxbt7u6t2o/s640/screenshot22.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbCq5NXjRl6NqO07BAli5e-py6VA13Voas9cNnpV_ybX_i0l3G_1q8etsIOyKwRHQ9htZq8tmpGoKqS55L1CgEBVXUSy51bAgHHBqm3_cRQta6KHTUtpNe1M9yVweyLppuf6rigTPQjIGD/s640/screenshot23.png)
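A defender-side check for the misconfiguration in steps 11 to 13, added here as an example and not part of the original write-up: it parses `sudo -l` output and flags rules whose target is a tool that runs caller-supplied commands, including a renamed copy such as `/usr/bin/sysud64`. The sample `sudo -l` text is constructed (the real output is only in the screenshot), the tool list is illustrative, and the function names are hypothetical.

```python
import hashlib
import re
from pathlib import Path

# Tools that run a caller-supplied command; under sudo that command runs as the
# target user. Illustrative list, not exhaustive.
EXEC_CAPABLE = ("strace", "ltrace", "gdb", "env", "find", "vi", "awk")

# One rule line of `sudo -l` output, e.g. "(root) NOPASSWD: /usr/bin/sysud64"
ENTRY = re.compile(r"^\s*\(([^)]*)\)\s*(?:[A-Z_]+:\s*)*(.+)$")

# Constructed sample; the real `sudo -l` output is only in the screenshot.
SAMPLE = """User ud64 may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/sysud64
"""


def parse_sudo_l(text):
    """Return (runas, command_path) pairs from `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            for cmd in filter(None, (c.strip() for c in m.group(2).split(","))):
                rules.append((m.group(1).strip(), cmd.split()[0]))
    return rules


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def audit(sudo_l_text, tool_dirs=("/usr/bin", "/bin")):
    """Flag rules whose target is an exec-capable tool, by name or by content."""
    known = {}  # digest -> tool name, from the copies installed in tool_dirs
    for d in tool_dirs:
        for name in EXEC_CAPABLE:
            p = Path(d) / name
            if p.is_file():
                known[sha256(p)] = name
    findings = []
    for runas, cmd in parse_sudo_l(sudo_l_text):
        p = Path(cmd)
        if p.name in EXEC_CAPABLE:
            findings.append((cmd, runas, f"{p.name} runs arbitrary commands"))
        elif p.is_file() and sha256(p) in known:
            findings.append((cmd, runas, f"renamed copy of {known[sha256(p)]}"))
    return findings
```

The content match only catches byte-identical copies of a tool that is still installed under its own name in `tool_dirs`; where the original has been removed, compare against digests from the distribution's package instead.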