Proving grounds Play: Vegeta1

- 2 mins


22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 1f3130673f08302e6daee3209ebd6bba (RSA)
|   256 7d8855a86f56c805a47382dcd8db4759 (ECDSA)
|_  256 ccdede4e84a891f51ad6d2a62e9e1ce0 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web PORT: 80


Directory Fuzzing

Upon fuzzing for directories the robots.txt file revealed a directory named /find_me.

There is a hidden base64 text present in the index file.


Upon decoding the text twice in base64 format using cyberchef revealed that the decoded data is a image.


Download the image and check for informations in it’s meta data. After checking the file it was found to be a QR code image, use the online decoders to extract information.


It has password but we don’t have a username to login. More directory fuzzing…

After doing more fuzzing the directory /bulma/ has been discovered and it contains a .wav file which is a morse code.

Use the online morse code decoder as in audio format and the extracted information is the username and password for the SSH login.


Login to the attacking machine using the credentials trunks:u$3r

Initial Foothold obtained

Privilege Escalation

Check the bash_history file, the history shows the user added a new user Tom to the system, which means the user has write permission on /etc/passwd file.


check the /etc/password file to ensure the user has write permissions.

trunks@Vegeta:~$ ls -al /etc/passwd
-rw-r--r-- 1 trunks root 1539 Sep 21 08:28 /etc/passwd

After checking the /etc/passwd file there are no entries for the user Tom. So add the user to the /etc/passwd file as shown in the history file. And copy the hash and crack it using john in the local machine.

Switch to user Tom using password Password.


Root Obtained

Thanks for reading!

For more insights and updates, follow me on Twitter: @thevillagehacker.

Naveen J

Naveen J

Security Researcher | Appsec Specialist@SISA Information Security | Web 3 Security Enthusiast