# Proving grounds Play: Vegeta1 Proving grounds Play - Vegeta1 CTF writeup. ### Nmap ```sh PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 1f3130673f08302e6daee3209ebd6bba (RSA) | 256 7d8855a86f56c805a47382dcd8db4759 (ECDSA) |_ 256 ccdede4e84a891f51ad6d2a62e9e1ce0 (ED25519) 80/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-title: Site doesn't have a title (text/html). | http-methods: |_ Supported Methods: HEAD GET POST OPTIONS |_http-server-header: Apache/2.4.38 (Debian) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel ``` ### Web PORT: 80 ![img](/files/EpwZQOpb1dRGOtvnS04A) ### Directory Fuzzing Upon fuzzing for directories the robots.txt file revealed a directory named `/find_me`. There is a hidden base64 text present in the index file. ![img](/files/SdtlkpRKHoe6Ca0sSQYH) Upon decoding the text twice in base64 format using cyberchef revealed that the decoded data is a image. ![img](/files/4U0KwVcHYOj2STqBXO8j) Download the image and check for informations in it's meta data. After checking the file it was found to be a QR code image, use the online decoders to extract information. ![img](/files/kkxWiJQL2LkIBnlslcZl) It has password but we don't have a username to login. More directory fuzzing... After doing more fuzzing the directory `/bulma/` has been discovered and it contains a `.wav` file which is a morse code. Use the online morse code decoder as in audio format and the extracted information is the username and password for the SSH login. ![img](/files/JJS27EnM653nZl6oZwca) Login to the attacking machine using the credentials `trunks:u$3r` **Initial Foothold obtained** ### Privilege Escalation Check the `bash_history` file, the history shows the user added a new user `Tom` to the system, which means the user has write permission on `/etc/passwd` file. ![img](/files/l3qM5urADBHemR74s0iK) check the `/etc/password` file to ensure the user has write permissions. ```sh trunks@Vegeta:~$ ls -al /etc/passwd -rw-r--r-- 1 trunks root 1539 Sep 21 08:28 /etc/passwd trunks@Vegeta:~$ ``` After checking the /etc/passwd file there are no entries for the user `Tom`. So add the user to the `/etc/passwd` file as shown in the history file. And copy the hash and crack it using john in the local machine. Switch to user `Tom` using password `Password`. ![img](/files/tzvPWkdu7msRSwNCS5kF) **Root Obtained** Thanks for reading! For more updates and insights, follow me on Twitter: [@thevillagehacker](https://twitter.com/thevillagehackr). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://thevillagehacker-security.gitbook.io/ctf-writeups/writeups/2023-09-21-proving_grounds_play-vegeta1.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.