$ sudo su - [sudo] password for user: ********* # nmap -v -sS -I 10.2.2.2 Starting Nmap 6.66BETA22 Initiating SYN Stealth Scan against 10.2.2.2 Scanning 1 hosts [1000 ports/host] Completed SYN Stealth Scan at 22:44, 0.21s elapsed (1000 total ports) Host 10.2.2.2 appears to be up ... good. Interesting ports on 10.2.2.2: PORT STATE SERVICE 22/tcp open ssh No exact OS matches for host # sshnuke 10.2.2.2 -rootpw="Sn3aker$" Connecting to 10.2.2.2:ssh ... successful. Attempting to exploit SSHv1 CRC 32 ... successful. Reseting root password to "Sn3aker$". System open: Access Level (9) # scp -p [email protected]:/encrypted/"*" . [email protected]'s password: ******** swordfish.crypt 100% 400KB 2.3MB/s 00:00 readme.nfo 100% 1KB 8.2MB/s 00:00 # cat readme.nfo Mess with the best, die like the rest. # openssl enc -aes-256-cbc -d -in software.crypt -out swordfish.crypt enter decryption password: ******** bad decrypt error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt # john --format=raw-sha256 --wordlist=/usr/share/wordlists/rockyou.nfo swordfish.crypt Loaded 1 password hash (Raw-SHA256 [SHA256 256/256 AVX2 8x]) Press 'q' or Ctrl-C to abort, almost any other key for status Using default input encoding: UTF-8 Loaded 1337 password hashes with 1337 different salts (Raw-SHA256) Proceeding with brute force... No password matches found yet, trying more options... ^C # fcrackzip -u -D -p /usr/share/wordlists/rockyou.nfo software.crypt found file 'software.crypt', size: 409600 bytes, method: deflate possible pw found: 'H4ckthePlan3t!' # openssl enc -aes-256-cbc -d -in software.crypt -out swordfish -k "H4ckthePlan3t!" enter decryption password: Decryption successful # ls swordfish readme.nfo software.crypt # file swordfish swordfish: tar archive # tar xzvf swordfish extracted: HAL/ extracted: WOPR/ extracted: NSDD-145.tex extracted: instructions.nfo # cat instructions.nfo > TOO MANY SECRETS