CyberTalents Shadower Machine Walkthrough, we will do
Scanning, enumeration, get a user shell, privilege escalation and Capture the Flag!!
identify open ports and services, we used nmap Aggressive scan (-A) on all ports (-p-) and speed up with (T4)
nmap -A -p- -T4 172.24.209.176 -oA shadower
Found Open ports: HTTP service on port 80 and SSH on port 22
Using dirb tool, We found index.php
browser it, and clicking available links and view pages source (CTRL+U)
Found interesting text: my0wns3cr3t.sec
It maybe a password or directory or a file!!
Try it as a path :
It is a long base64 encoded string:
Trying to decode it, it produces another base64 string, tried to decode the result multiple times but still produce another base64 string.
It is multi cyclic encoding, I tried to automate the process using python script:
encoded_text = “….ENCODED_STRING_HERE….”
temp = 
decoded = base64.b64decode(encoded_text)
encoded_text = decoded
Got a string: B100dyPa$$w0rd
Notice: remove the binary indicator character and the single quotes (b”)
Keep browsing other links, found LFI vulnerability and We can read passwd file!
Get a shell
we can see usernames for that box, user john seems to be the actual user.
let’s try to ssh for user john with the encoded result as password
We Got a user shell
upload linpease.sh script to enumerate for higher privileges paths.
just copy its content to a file, or you could get it from your local machine using scp, http server, ftp, .. or as you like.
chmod +x linpeas.sh
After reviewing the result, seems we can write to /etc/passwd !!
let’s inject our root user.
Root the machine
Create encrypted password using openssl
openssl passwd hackme
Create a user named hackme with the encrypted password we just created with id of (0) like the root id
echo hackme:1BQF1p1LiZUVQ:0:0:hackme:/root:/bin/bash >> /etc/passwd
Switch to the new user
We are root
uid=0(root) gid=0(root) groups=0(root)
Capture The Flag:
It’s time to win the prize, read the content of the flag file named root.txt in /root directory