Post

Checkmate

Checkmate

Checkmate

Pasted image 20260604215132.png

πŸ” Hydra Brute Force

πŸ•΅οΈ I used Hydra and found the password: Pasted image 20260604215118.png

πŸ”‘ For the second password, it says: Pasted image 20260604220252.png

I tried these tags with the username marco: Pasted image 20260604220349.png

πŸ’‘ I found it. I tried manually first, but it is better to use a wordlist for this too:

innovation
excellence
security
digital
cloud
future
talent

Pasted image 20260604220429.png Pasted image 20260604220450.png

Pasted image 20260604223036.png

πŸ•΅οΈ Marco Profile Enumeration

πŸ“Œ It says to extract information from Marco’s personal profile. Logging in on port 5002 with the password we found: Pasted image 20260604220546.png You get this:

⚑ Wordlist Generation

πŸ’» So, I guessed I needed to generate a password list. I used https://github.com/Mebus/cupp: Pasted image 20260604222443.png

You will find that the question pattern of CUPP matches the profile structure, so we have a good shot: Pasted image 20260604222529.png As you can see, I already generated the wordlist:

1
hydra -l marco -P ./marco.txt -f -V -t4 -s 5003 10.48.165.68 http-post-form "/login:username=^USER^&password=^PASS^:Invalid credentials."

Pasted image 20260604222721.png It worked! Pasted image 20260604222806.png

πŸ”‘ Decrypting the Profile Picture Hash

πŸ› οΈ Now we need to get the image name hash and try to decrypt it. Log in using the credentials we found: Pasted image 20260604222939.png Pasted image 20260604223056.png You can open the profile picture in a new tab:

1
d34a569ab7aaa54dacd715ae64953455d86b768846cd0085ef4e9e7471489b7b

I used CrackStation to decrypt it:

Pasted image 20260604223211.png

Pasted image 20260604223352.png Well, then we need to use a custom wordlist again.

Pasted image 20260604223447.png

πŸ† SSH Access & Completion

πŸ”Œ As you can guess, CUPP isn’t suitable here, so we need to generate a wordlist according to the instructions. I added those keywords to a text file in Level 2:

1
2
3
4
5
6
7
8
y = [2024, 2025]

with open("keywords.txt") as f:
    for line in f:
        for year in y:
            with open("ssh.txt", "a") as f2:
                f2.write(f"{line.strip().capitalize()}{year}!\n")

And I made a simple Python script for it, which saves the output to ssh.txt. Then I used Hydra again for SSH: Pasted image 20260604225746.png We finished the challenge! Pasted image 20260604225832.png

This post is licensed under CC BY 4.0 by the author.