->jackofalltrades




User Part:



-> Run Nmap Scan





-> We can see 2 open ports, so run a version scan using Nmap. But it showed port 22 is HTTP and port 80 is SSH





-> I opened it in the browser and the browser rejected the request





-> This blog helped me to bypass the blocking by the browser





-> The webpage looks like this





-> I got a base64-encoded string and a PHP file while checking the source code





-> The base64-encoded string contains a password





-> Then I ran gobuster for a directory search and got a folder





-> The folder contains some images; I downloaded and checked them





-> 1 file contains a username and password. I tried them with SSH but had no success





-> Recently I got a PHP file with the base64-encoded string, so I went to that file; it is a login page. I tried the credentials obtained above and logged in successfully





-> The page itself tells you that you need to try with cmd in GET form





-> I tried with cmd and got command injection





-> Then I turned it into a shell





-> From the home directory I got some passwords; I need to bruteforce for the correct password





-> I tried with hydra and got the password





-> I got a user shell





-> The user home directory contains only an image, so I downloaded that file





-> It contains the flag inside that image





Root Part:

-> I tried with SUID and I got the strings command





-> So I ran the strings command to view root.txt and got root.txt
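
The root part works because a file-reading utility (strings) carries the setuid bit. A defender's audit for that misconfiguration follows, as an added example that is not part of the original write-up. The allowlist, the list of file-reading utilities, the function names and the constructed fixture are all assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a directory tree for unexpected setuid binaries.
# EXPECTED_SUID is an assumed baseline; replace it with your distribution's own.
EXPECTED_SUID="su sudo passwd mount umount chsh chfn newgrp gpasswd ping"
# Utilities that read arbitrary files. With setuid set, they expose every file
# the owning account can read (the write-up's case is strings and root.txt).
FILE_READERS="strings cat less more head tail xxd od base64 cp"

in_list() {  # in_list WORD "space separated list"
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# Print one line per setuid file under $1, formatted as "<severity> <path>".
audit_suid() {
    local root="$1" path name
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        name=$(basename "$path")
        if in_list "$name" "$FILE_READERS"; then
            echo "HIGH $path"      # file reader with setuid: remove the bit
        elif in_list "$name" "$EXPECTED_SUID"; then
            echo "OK $path"        # part of the assumed baseline
        else
            echo "REVIEW $path"    # unknown setuid binary: verify by hand
        fi
    done
}

# Number of HIGH findings, usable as a threshold in a cron or CI check.
count_high() {
    audit_suid "$1" | grep -c '^HIGH ' || true
}

# Constructed fixture: empty files in a temp dir, three of them marked setuid.
make_fixture() {
    local d f
    d=$(mktemp -d)
    mkdir "$d/bin"
    for f in strings passwd backup-tool notes; do : > "$d/bin/$f"; done
    chmod 4755 "$d/bin/strings" "$d/bin/passwd" "$d/bin/backup-tool"
    chmod 0644 "$d/bin/notes"
    echo "$d"
}

# Stand-alone use: ./audit.sh /usr   (does nothing when no path is given)
if [ -n "${1:-}" ]; then audit_suid "$1"; fi
```

For a HIGH finding, `chmod u-s <path>` removes the setuid bit; the utility keeps working with the caller's own privileges.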