Boot2User
At this stage, we will scan the network and find the ip address of the machine.
![](../img/post1/image1.png)
arp-scan -l
As we see this is 192.168.2.102. Next we will see open ports.
![](../img/post1/image2.png)
nmap 192.168.2.102
Open ssh and apache, so let's check the web page.
![](../img/post1/image3.png)
Now let's find something interesting.
nikto -h 192.168.2.102 -p 80
![](../img/post1/image4.png)
In directory /img/ nikto found an interesting file called flaghost.png. After scanning the image through exiftool, I get a new directory names, in which I find the file "flag2.txt"
192.168.2.102/passw@45/
![](../img/post1/image5.png)
![](../img/post1/image6.png)
After decrypting a mysterious file that is encrypted with the Brainfuck cipher, I received data for ssh authorization.
web:Hacker@4514
![](../img/post1/image7.png)
In home directory I found a flag.
![](../img/post1/image8.png)
Boot2R00t
Using following command i see that I can run awk using root privileges.
![](../img/post1/image9.png)
sudo -l
Now i get root using awk.
![](../img/post1/image10.png)
sudo /usr/bin/awk 'BEGIN {system("/bin/sh")}'
The all. Thanks Rahul Gehlaut for CTF.