It does not open on the website. Let's download it with wget.
When we examine the image with the "head" command, we see that it starts with a PNG header even though the file has the “.jpg” extension. If we search on Google for how to make the file match the “.jpg” extension, we can see that we need to edit it as follows.
Edited version:
Now we can open the edited version.
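The mismatch described above, between the ".jpg" extension and the PNG header, can also be checked with a short script. This is an added example, not part of the original write-up; the function names are hypothetical and the sample bytes are constructed rather than taken from the real image.

```python
PNG_SIG = b"\x89PNG\r\n\x1a\n"   # 8-byte PNG signature
JPEG_SOI = b"\xff\xd8\xff"       # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"           # JPEG end-of-image marker

def header_type(data: bytes):
    """File type claimed by the leading magic bytes, or None if unknown."""
    if data.startswith(PNG_SIG):
        return "png"
    if data.startswith(JPEG_SOI):
        return "jpeg"
    return None

def png_structure_ok(data: bytes) -> bool:
    """A real PNG has a 13-byte IHDR chunk directly after the signature."""
    if len(data) < 16:
        return False
    length = int.from_bytes(data[8:12], "big")
    return length == 13 and data[12:16] == b"IHDR"

def triage(filename: str, data: bytes) -> dict:
    """Compare extension, magic bytes and trailer; list inconsistencies."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png"}.get(ext)
    header = header_type(data)
    findings = []
    if declared and header and declared != header:
        findings.append(f"extension says {declared}, magic bytes say {header}")
    if header == "png" and not png_structure_ok(data):
        findings.append("PNG signature is not followed by an IHDR chunk")
    # Heuristic: a JPEG trailer under a non-JPEG header suggests an edited header.
    if header != "jpeg" and data.rstrip(b"\x00").endswith(JPEG_EOI):
        findings.append("file ends with a JPEG end-of-image marker")
    return {"declared": declared, "header": header, "findings": findings}

# Constructed sample: PNG signature placed in front of JPEG-like content.
SAMPLE = (PNG_SIG + b"\x00\x00\x00\x01" + b"\x00" * 8
          + b"\xff\xdb\x00\x43" + b"\x11" * 32 + JPEG_EOI)

if __name__ == "__main__":
    for line in triage("thm.jpg", SAMPLE)["findings"]:
        print("[!]", line)
```

To check a real download, read the file in binary mode and pass its name and bytes to triage().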
It gives us a hidden /directory.
When we go to the directory, the following image appears.
We are given a "secret" value.
When we examine the source code, we can see that this value is between 0-99.
The usage of the Secret value is as follows:
10.10.206.120/th1s_1s_h1dd3n/?secret=1
If the secret value is between 0-99, we can quickly create a wordlist with crunch.
crunch 1 2 0123456789
1 is for minimum length
2 is for maximum length
0123456789 is for wordlist alphabet.
We can start the attack by loading the wordlist we created as the payload in Burp Suite.
We obtain the secret key. “/?secret=73”
We can extract the thm.jpg file with the phrase value we obtained.
When we decode it with ROT13, we see that the username is wbxre -> joker.
I tried logging into SSH with the phrase, but of course it failed…
I didn't even try to brute-force SSH, because the note at the beginning of the machine told us not to brute-force SSH.
Remember this picture on the machine page?
When we extract this picture with the empty phrase, we get the password of the joker user.
Let’s log in via SSH.
The joker user cannot run sudo commands.
Then let's run linpeas.
We can see a SUID vulnerability in the Linpeas output that could be significant.
When we search on Google, we find an exploit.
https://www.exploit-db.com/exploits/41154
We save the exploit to a file with nano and give it execute permission so we can run it.