Click here if you’re interested in the room!
This guide is meant to be used as a supplement for learning, please tackle this on your own before reading this!
- What is the name of the large cartoon avatar holding a sniper on the forum?
- When you’ve logged in, what page do you get redirected to?
- In the users table, what is the hashed password?
- What was the username associated with the hashed password?
- What was the other table name?
- What is the de-hashed password?
- What is the user flag?
- How many TCP sockets are running?
- What is the name of the exposed CMS?
- What is the CMS version?
- What is the root flag?
1) What is the name of the large cartoon avatar holding a sniper on the forum?
Using reverse image search:
1
Agent 47
2) When you’ve logged in, what page do you get redirected to?
1
portal.php
3) In the users table, what is the hashed password?
First we intercept the BurpSuite request and save it and then use SQLmap to dump the database.
1
ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14
4) What was the username associated with the hashed password?
1
agent47
5) What was the other table name?
1
post
6) What is the de-hashed password?
Using Hash-Identifier we can see that it SHA-256 or HAVAL-256
Then, using John to crack the password:
1
videogamer124
7) What is the user flag?
SSH into the machine using found credentials:
1
2
login: agent47
password: videogamer124
1
649ac17b1480ac13ef1e4fa579dac95c
8) How many TCP sockets are running?
1
ss -tulpn | grep tcp
ANSWER:
1
5
9) What is the name of the exposed CMS?
1
Webmin
10) What is the CMS version?
Logging in using previous credentials we can see the answer is:
1
1.580
11) What is the root flag?
1
searchsploit webmin 1.580 -w
Corresponding: CVE-2012-2982
Set RHOSTS, USERNAME, PASSWORD as needed, SSL to false.
Set payload to cmd/unix/reverse then LHOST
1
a4b945830144bdd71908d12d902adeee