# HackMyVM-Twisted ## NMAP ``` Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-12 09:38 PKT Nmap scan report for 192.168.1.66 Host is up (0.00018s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 80/tcp open http nginx 1.14.2 |_http-server-header: nginx/1.14.2 |_http-title: Site doesn't have a title (text/html). 2222/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 67:63:a0:c9:8b:7a:f3:42:ac:49:ab:a6:a7:3f:fc:ee (RSA) | 256 8c:ce:87:47:f8:b8:1a:1a:78:e5:b7:ce:74:d7:f5:db (ECDSA) |_ 256 92:94:66:0b:92:d3:cf:7e:ff:e8:bf:3c:7b:41:b7:5a (ED25519) MAC Address: 08:00:27:72:46:36 (Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.92 seconds ``` ## PORT 80 On the web page we see two images and one hinting being different so this means there is some stegnography invloved

I ran`stegcracker` on both the images and found two messages

In `markus` directory we see a note which tells about bonita's ssh private key.

Going to web directory we find a `gogo.wav` file so let's download it to our machine and analyze it !

I uploaded this file as it was a morse code so analyzed it through online morese code analyzer and it was a rabbithole

So only option left for me was to run linpeas.

I found that there was a capaiblity set on `tail` which is like a SUID.So id_rsa that we found for `bonita` we cannot read it but we can read it through tail command. Tail will print the last ten lines of a file so we need to specify to print last 30 or 40 lines so we can get the whole id_rsa key

There is a SUID binary but when running it says WRONG CODE so let's transfer it to our machine and analyze the binary

So using ghidra I saw that it is comparing variable with a hex value 0x16f8

Convert the hex value to decimal value