This room is pretty neat. The initial part got me looking for exploits that did not exist, and getting to the last flag was fun. I liked how a misconfiguration allows getting the root flag in multiple ways, one of them without even requiring a root shell.

sudo nmap -sS -sV -sC -p- -vv -oA scan 10.10.77.137

Output

# Nmap 7.91 scan initiated Mon Jul 26 23:28:56 2021 as: nmap -sS -sV -sC -p- -vv -oA scan 10.10.77.137
Nmap scan report for 10.10.77.137
Host is up, received echo-reply ttl 63 (0.16s latency).
Scanned at 2021-07-26 23:28:56 EDT for 468s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT…

RootMe is a great machine for beginners. It is fun, easy, and teaches some important techniques, like the use of PHP reverse shells and privilege escalation through misconfigured binaries.

Reconnaissance

We begin with an nmap scan of the target to identify open ports and the services running on them, and to get a general idea of what we are up against.

sudo nmap -sV -p- 10.10.120.43 -vv -oA scan
# Nmap 7.91 scan initiated Thu Jul 22 17:56:41 2021 as: nmap -sV -p- -vv -oA scan 10.10.120.43
Nmap scan report for 10.10.120.43
Host is up, received reset ttl…
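The -oA scan option used above writes three files, one of them a greppable scan.gnmap that is convenient to post-process when several hosts or scans are involved. As an added example (not part of the original writeup), here is a small Python parser for that format. The sample output is constructed for illustration (its versions are not the room's real results), and the names parse_gnmap and open_ports are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of nmap's greppable output (the scan.gnmap file that
# -oA writes). Hosts, services and versions are illustrative only; they are
# not the room's real results.
SAMPLE_GNMAP = """\
# Nmap 7.91 scan initiated Thu Jul 22 17:56:41 2021 as: nmap -sV -p- -vv -oA scan 10.10.120.43
Host: 10.10.120.43 ()\tStatus: Up
Host: 10.10.120.43 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65532)
# Nmap done at Thu Jul 22 18:04:29 2021 -- 1 IP address (1 host up) scanned in 468.00 seconds
"""


@dataclass(frozen=True)
class PortEntry:
    host: str
    port: int
    state: str      # open / closed / filtered / ...
    proto: str      # tcp / udp
    service: str    # nmap's service name guess
    version: str    # -sV banner match, empty when unknown


# One "Host: ... Ports:" line per scanned host; "Status:" lines carry no ports.
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\tIgnored State: .*)?$")


def parse_gnmap(text: str) -> list[PortEntry]:
    """Parse greppable nmap output into one PortEntry per listed port."""
    entries: list[PortEntry] = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, _hostname, ports_field = m.groups()
        for item in ports_field.split(", "):
            # Each item is port/state/proto/owner/service/rpc/version/
            # nmap writes any '/' inside the version banner as '|', so
            # splitting on '/' at most six times keeps the banner intact.
            fields = item.split("/", 6)
            if len(fields) != 7:
                raise ValueError(f"malformed port entry: {item!r}")
            port, state, proto, _owner, service, _rpc, version = fields
            entries.append(PortEntry(host, int(port), state, proto, service, version.rstrip("/")))
    return entries


def open_ports(entries: list[PortEntry]) -> list[PortEntry]:
    """Only the ports worth enumerating further, sorted by number."""
    return sorted((e for e in entries if e.state == "open"), key=lambda e: e.port)


if __name__ == "__main__":
    for e in open_ports(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{e.host}:{e.port}/{e.proto}  {e.service:<12} {e.version}")
```

Run it against a real scan.gnmap by replacing SAMPLE_GNMAP with the file's contents; the filtered entry in the sample shows why the state field matters, since a filtered port usually means a firewall rather than a service to attack.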

You can find all the tools used in this room and much more here.


TIP-OFF

What username does the attacker go by?

As we start the room, we are told the story of the unfortunate hack OSINT Dojo suffered, for which the only evidence left behind is a note created by the attacker, which we are given as an image. As the room points out, most files carry metadata (embedded fields such as author, software and timestamps), and images are no exception. Therefore, we should start by examining the metadata of this one.

The first step to analyze the image is to download…
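In a JPEG, that metadata lives in an APP1 segment that wraps a small TIFF structure: a byte-order mark, then IFD0, a table of 12-byte tag entries whose values are either stored inline or pointed to by offset. As an added example (not from the original writeup), the Python below builds a minimal JPEG carrying a few constructed ASCII EXIF tags and then reads them back by walking that structure by hand. The tag values (including the "constructed_user" Artist) and the names build_exif_jpeg and read_exif_ascii are assumptions of mine; they have nothing to do with the room's actual image.

```python
import struct

# TIFF/EXIF tag numbers of the ASCII fields an analyst checks first.
ASCII_TAGS = {
    0x010E: "ImageDescription",
    0x010F: "Make",
    0x0110: "Model",
    0x0131: "Software",
    0x0132: "DateTime",
    0x013B: "Artist",
    0x8298: "Copyright",
}
TAG_BY_NAME = {name: tag for tag, name in ASCII_TAGS.items()}
ASCII_TYPE = 2  # TIFF field type 2: NUL-terminated ASCII


def build_exif_jpeg(tags: dict) -> bytes:
    """Constructed test input: SOI + APP1/Exif + EOI, with no picture data."""
    entries = sorted((TAG_BY_NAME[name], value.encode("ascii") + b"\x00")
                     for name, value in tags.items())
    ifd_size = 2 + 12 * len(entries) + 4     # count, 12-byte entries, next-IFD link
    data_offset = 8 + ifd_size               # long values follow IFD0
    ifd = struct.pack("<H", len(entries))
    blob = b""
    for tag, value in entries:
        if len(value) <= 4:                  # short values are stored inline
            ifd += struct.pack("<HHI", tag, ASCII_TYPE, len(value)) + value.ljust(4, b"\x00")
        else:                                # longer ones by offset from the TIFF header
            ifd += struct.pack("<HHII", tag, ASCII_TYPE, len(value), data_offset + len(blob))
            blob += value
    ifd += struct.pack("<I", 0)              # no IFD1 (thumbnail)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd + blob
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _parse_ifd0(tiff: bytes) -> dict:
    """Read the ASCII tags of IFD0, honouring the file's byte order."""
    end = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if end is None or len(tiff) < 8:
        raise ValueError("bad TIFF header")
    magic, ifd0 = struct.unpack(end + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        raise ValueError("bad TIFF header")
    (count,) = struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])
    found = {}
    for i in range(count):
        off = ifd0 + 2 + 12 * i
        if off + 12 > len(tiff):
            break                            # truncated IFD: stop rather than crash
        tag, typ, n = struct.unpack(end + "HHI", tiff[off:off + 8])
        if typ != ASCII_TYPE or tag not in ASCII_TAGS:
            continue
        if n <= 4:
            raw = tiff[off + 8:off + 8 + n]
        else:
            (voff,) = struct.unpack(end + "I", tiff[off + 8:off + 12])
            if voff + n > len(tiff):
                continue                     # hostile or corrupt offset outside the segment
            raw = tiff[voff:voff + n]
        found[ASCII_TAGS[tag]] = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    return found


def read_exif_ascii(jpeg: bytes) -> dict:
    """Walk JPEG marker segments up to SOS and return IFD0's ASCII tags, if any."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker in (0xFFD9, 0xFFDA) or marker >> 8 != 0xFF:
            break                            # EOI, start of scan data, or lost sync
        segment = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xFFE1 and segment.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(segment[6:])
        pos += 2 + length
    return {}


if __name__ == "__main__":
    sample = build_exif_jpeg({"Artist": "constructed_user", "Software": "GIMP 2.10", "Make": "X"})
    print(read_exif_ascii(sample))
```

To try it on a downloaded file, pass open(path, "rb").read() to read_exif_ascii; exiftool will show far more (GPS, XMP, maker notes), but the bounds checks above are the part worth keeping in mind, since an attacker-supplied image can point IFD offsets anywhere.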

Salvador Rodríguez

InfoSec student, OSINT practitioner
