CyberSploit2 CTF Walkthrough

Sarthak joshi
Jul 17, 2020

Hello guys, I’m back with another CTF walkthrough, this time of CyberSploit2, another machine in the CyberSploit series on VulnHub.

So let’s start with target discovery using the netdiscover command.

Here we got our target’s IP address, which is 192.168.1.9. Now it’s time for nmap port scanning.

Two ports are open here: port 80 for the web interface and port 22 for SSH connections. As we can see, these services are not exploitable, so we have to do some enumeration on them. Let’s start with the web part on port 80.

Here is a website showing some information about its users along with their passwords. But wait, one username and password here is not in plain text; it might be encrypted. So let’s enumerate the source code.

We got a hint here, “ROT47”, which is a simple rotation cipher. Now I just copied the encrypted username and password and decoded them on an online website, and we got the username and password in plain text.

So the username is “shailendra” and the password is “cybersploit1”, which is the name of the previous machine in the series. It’s time for an SSH connection with these credentials.

As you can see, we have a file named hint.txt, and there is a mention of docker in it. It means Docker is going to help us with privilege escalation, and the thing is, I know how to do this. Here we run the following command:

“docker run -v /etc/:/mnt -it alpine”

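After running the above command as the normal user we got a root shell, but it’s not a proper root shell: we are root only inside the Alpine container. If you look at the command, we just mounted the host’s /etc folder on the container’s /mnt folder, which makes the host’s passwd and shadow files writable from inside the container.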

Now we have to edit the passwd file to add a new user with root privileges, but for that we have to put a hashed password for that user in the passwd file. So run the following command to generate the hash:

“openssl passwd -1 -salt hack”

In this command “hack” is passed as the salt; hack is also the username which we are going to enter in the passwd file.

See, we entered the required data for the user “hack”.

Now everything is done. It’s time to switch to the “hack” user for root access.

We got a proper root shell, and we successfully completed this CTF challenge.
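A defender-side check for the two conditions this walkthrough relies on, as an added example that is not part of the original post: a user who can run Docker, and the resulting extra UID 0 entry with a hash in the passwd file. It assumes Docker access comes from membership of a group named docker; the sample file contents, including the placeholder hash, are constructed.

```python
# Added example: constructed /etc/passwd and /etc/group contents, not taken from the target.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
shailendra:x:1000:1000::/home/shailendra:/bin/bash
hack:$1$hack$CONSTRUCTEDPLACEHOLDERHASH:0:0:root:/root:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
docker:x:998:shailendra
"""


def audit_passwd(passwd_text):
    """Return (account, reason) pairs for entries that grant or hide root access."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank, comment or malformed line
        name, password, uid = fields[0], fields[1], fields[2]
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if password.startswith("$"):
            findings.append((name, "password hash stored in passwd, not shadow"))
        elif password == "":
            findings.append((name, "empty password field"))
    return findings


def docker_group_members(group_text, passwd_text):
    """Return users who can reach Docker through the docker group (assumed group name)."""
    gid, members = None, set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            gid = fields[2]
            members.update(m for m in fields[3].split(",") if m)
    for line in passwd_text.splitlines():
        fields = line.split(":")
        # Users whose primary group is docker are not listed in the group's member field.
        if gid is not None and len(fields) == 7 and fields[3] == gid:
            members.add(fields[0])
    return sorted(members)


if __name__ == "__main__":
    for account, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"passwd: {account}: {reason}")
    for user in docker_group_members(SAMPLE_GROUP, SAMPLE_PASSWD):
        print(f"docker group: {user} can start containers that bind-mount host paths")
```

On a real host, pass the contents of /etc/passwd and /etc/group to the two functions instead of the samples.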


Sarthak joshi

Penetration Tester, CTF player, Full time Learner and Part Time Blogger. Twitter :- https://twitter.com/Exploiter_21, Linked :- https://www.linkedin.com/in/sart