West Wild 1. Reconnaissance 1.1.Netdiscover Command Used: - sudo netdiscover - r 192.168.1.0/24 In our case ip is 192.168.1.42 1.2.Nmap Command Used: - nmap - sV - sC - T4 - Pn 192.168.1.42 2. Enumeration 2. 1.Smbclient As shown in nmap scan smb is running. So let's take a look at smb. Command Used: - smbclient - L //192.168.1.42 Now let's open wave. Command Used: - smbclient //192.168.1.42/wave We find 2 files FLAG1.txt & message_from_aveng.txt. FLAG1.txt contain : - RmxhZzF7V2VsY29tZV9UMF9USEUtVzNTVC1XMUxELUIwcmRlcn0Kd XNlcjp3YXZleApwYXNzd29yZDpkb29yK29wZW4K Look like hash let's dehash it and we get : - Flag1{Welcome_T0_THE - W3ST - W1LD - B0rder} user:wavex password:door+open So w e get our First Flag: - Flag1{Welcome_T0_THE - W3ST - W1LD - B0rder} And id password for ssh login. message_from_aveng.txt contain: - 3. Exploitation 3.1.SSH Now we know ssh credentials so let's login. After login run find command to search executable file with permission. Command Used: - find / - writable - type d 2>/dev/null And we find ififoregt.sh in usr/share/av/westsidesecret Let's run file(./ififoregt.sh) And we find p assword for user: - aveng. Let's switch to aveng.(Command: - su aveng) Now we are in as aveng user. 4. Privilege Escalation Now we are aveng(confirm by running: - whoami) Now we run sudo - l to check if aveng can run anything by root permissions. Command used: - sudo – l User aveng can run all command with root permessions. So, let's Run sudo su (to get root user.). Command used: - sudo su And we GOT IT. We got #root shell. Now go to dir /root to capture la st Flag. We Got our last Flag: - Flag2{Weeeeeeeeeeeellco0o0om_T0_WestWild} West Wild has been Pwned. By Dhruv Gupta