• Configure proxy settings.
  • Use rsync service to synchronize the directory.
  • Decrypt files obtained from rsync service ( encfs encoded )
  • Access the cache manager to get information regarding hosts.
  • Use XPath injection to get credentials
  • SSH tunneling to access pihole HTTP service and CVE for exploit.

Nmap Scan

22/tcp    open     ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0
)873/tcp open rsync (protocol version 31)
3128/tcp open http-proxy Squid http proxy 4.6

Squid Proxy: port 3128

  • Directory busting to get the admin portal and todo.txt file.
  • Brute force password.
  • Exploit the file upload vulnerability to get the shell.
  • Enumerate the machine to escalate privilege.
  • Find exploits to bypass the restricted ability.


# nmap -T4 -p- -A -o nmap Nmap scan report for Host is up (0.16s latency). Not shown: 65533 filtered ports PORT STATE SERVICE VERSION 21/tcp closed ftp 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-generator: Blunder |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Blunder | A blunder of interesting facts Aggressive OS guesses: HP P2000 G3 NAS…

Nmap Scan

22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 60:b6:ad:4c:3e:f9:d2:ec:8b:cd:3b:45:a5:ac:5f:83 (RSA)
| 256 6f:9a:be:df:fc:95:a2:31:8f:db:e5:a2:da:8a:0c:3c (ECDSA)
|_ 256 e6:98:52:49:cf:f2:b8:65:d7:41:1c:83:2e:94:24:88 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Proving Grounds
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Task 1


1. Mobile One

$ find . | xargs grep “flag{“ 2>/dev/null
./res/values/strings.xml: <string name=”flag”>flag{strings_grep_and_more_strings}</string>
Binary file ./mobile_one.apk matches

2. Pinocchio

Roshan Guragain

Infosec Enthusiast

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store