Let's solve the BaseMe machine from HackMyVM.
Let's start with an nmap scan.
To enumerate the web server I used gobuster, but it only found index.html.
I visited the website in the browser and found something in the page source.
The very first line is base64 encoded; decoding it gives:
ALL, absolutely ALL that you need is in BASE64.
Including the password that you need :)
Remember, BASE64 has the answer to all your questions.
-lucas
So whatever we enumerate, we need to try it base64-encoded (and decode whatever comes back).
Let's run gobuster again, but this time with a base64-encoded wordlist. I tried a couple of lists from SecLists; common.txt worked for me.
while read -r line; do
    printf '%s' "$line" | base64 -w0   # printf, not echo: echo would also encode the trailing newline and change the result
    echo                                # one encoded word per line
done < /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt > common_b64_list
I visited the first hit in the browser and it downloaded a file.
It looks base64 encoded; decoding it gives an SSH private key.
We also have a potential username, "lucas". Port 22 is open, so let's try it.
When I tried to log in it asked for a password; after I restricted the key file's permissions and tried again, it asked for a passphrase instead.
If you remember, we have the list of words from the HTML page source. I tried those as the passphrase but none worked. Then I base64-encoded them, and one of those worked for me.
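The base64 handling this box turns on, as an added example that is not part of the original write-up: encoding wordlist entries the way the gobuster step needs them (the same transformation produces the encoded passphrase candidates), and scanning a page source for base64 blobs that decode to readable text, which is how the hidden note was spotted. The page source below is a constructed stand-in, not the machine's real page; the function names are my own.

```python
import base64
import binascii
import re

# Added example, not code from the original write-up. Demonstrates the two
# base64 transformations the box relies on: encoding wordlist entries and
# pulling decodable base64 tokens out of an HTML source.

# A run of base64 alphabet characters long enough not to match ordinary words,
# with optional '=' padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def encode_word(word: str) -> str:
    """Base64 of the word itself, with no trailing newline.

    `echo word | base64` encodes "word\n" instead, which yields a different
    string (the tail changes and the padding disappears), so a wordlist built
    that way asks the server for names that do not exist.
    """
    return base64.b64encode(word.encode()).decode("ascii")


def encode_wordlist(lines):
    """Base64-encode every non-empty, non-comment line, keeping order, dropping duplicates."""
    seen = set()
    out = []
    for line in lines:
        word = line.rstrip("\r\n")
        if not word or word.startswith("#"):
            continue
        enc = encode_word(word)
        if enc not in seen:
            seen.add(enc)
            out.append(enc)
    return out


def decode_if_text(token: str):
    """Return the decoded text if `token` is valid base64 for printable text, else None."""
    try:
        raw = base64.b64decode(token, validate=True)  # rejects stray characters and bad length
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None  # valid base64, but the payload is binary, not a message
    return text


def find_base64_text(source: str):
    """Scan a page source for base64-looking tokens; return (token, decoded text) pairs."""
    hits = []
    for m in B64_TOKEN.finditer(source):
        decoded = decode_if_text(m.group(0))
        if decoded is not None:
            hits.append((m.group(0), decoded))
    return hits


if __name__ == "__main__":
    # Constructed page source: the hidden note is our own sentence encoded here.
    page = ("<html><!-- " + encode_word("Remember, BASE64 has the answer.")
            + " --><body>nothing to see</body></html>")
    for tok, text in find_base64_text(page):
        print(tok, "->", text)
    # Constructed wordlist lines, including a blank, a comment and a duplicate.
    print(encode_wordlist(["index.html", "images", "", "# comment", "index.html"]))
```

The `encode_word` docstring is the practical point: piping a word through `echo` encodes the newline too, so the encoded list has to be built from the bare word. The token scanner only keeps blobs that decode to printable text, so binary payloads such as a base64-wrapped key file show up as a candidate token but are not mistaken for a message.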
For privilege escalation I checked for SUID binaries, but no luck there. Then I ran sudo -l to list the commands user lucas can run with sudo, and it gave me:
Let's read root's id_rsa file and use it to SSH into localhost as root.