mhz_c1f Walkthrough

We start scanning the target with nmap –A –T4 –p- –vv

Scanning with dirb –X .txt

Let’s visit this link

We got another two files, rem.txt and rem2.txt, the rem2.txt is not available but rem.txt is working fine:

We got a username and password that worked with ssh login first_stage:flagitifyoucan1234

The catch the user flag:

Then, there is another user mhz_c1f and there ia a directory Paintings where there are 4 jpg files, im going to transfer them to my machine scp /home/mhz_c1f/Paintings/* root@

I used steghide command to take a look at the four picture and i found one of them has an embedded file inside of it, the file is rem2.txt inside the photo “spinning the wool.jpg”

steghide –info spinning the wool.jpg

steghide extract –sf spinning the wool.jpg

And we got the text file with username and password mhz_c1f:1@ec1f

Now we login with these credentials:

Ok now we can run any command as root so let’s try this one

sudo more /etc/passwd


And then we are root

Now go to /root and catch the flag its a hidden file .root.txt

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s