Flag 3

Category

Subset of subset of hacking machines challenges

Challenge

Flag 3

We are given a URL - hackit.zh3r0.ml

Solution

Optional: Find IP address of the given domain using ping

Since it is a machine, begin with a full port scan

nmap -T4 -sC -sV -p- hackit.zh3r0.ml

Note: Not sure if I used the right [options], run nmap --help for better understanding and optimisation

This reveals all the open ports and services running on each port. Also notice that the services running are all mixed up.

22/tcp    open     http
25/tcp    filtered smtp
99/tcp    open     ssh
324/tcp   open     ftp
4994/tcp  open     unknown
11211/tcp filtered memcache

• Since http is running on port 22, it will be restricted by the browser and we will not be able to access it directly. There are two ways around this problem.
  1. Allow restricted ports in Firefox Browser
     • Go to about:config in Firefox address bar
     • Add a string with name and value as

        name  : network.security.ports.banned.override
        value : 22
       

     • Access http://hackit.zh3r0.ml:22/robots.txt
  2. Access the webpage through cURL or wget
     curl http://hackit.zh3r0.ml:22/robots.txt wget http://hackit.zh3r0.ml:22/robots.txt
• We get a string encoded in Base58 (know your bases :wink:) along with a hint for another flag (something to do with ads)
• Use https://gchq.github.io/CyberChef/ to decode the string to get another webpage /clue3349203.txt
• Visit http://hackit.zh3r0.ml:22/clue3349203.txt to see a JSFuck code
• Use http://codertab.com/JsUnFuck to decode the JSFuck code to get an Employee ID
• Connect with port 4994 and enter the Employee ID to get Flag 3
  nc 139.59.3.42 4994
Flag 3: zh3r0{y0ur_b0nu5_i5_p4id}