$ sudo su -
[sudo] password for user: *********
# nmap -v -sS -I 10.2.2.2
Starting Nmap 6.66BETA22
Initiating SYN Stealth Scan against 10.2.2.2
Scanning 1 hosts [1000 ports/host]
Completed SYN Stealth Scan at 22:44, 0.21s elapsed (1000 total ports)
Host 10.2.2.2 appears to be up ... good.
Interesting ports on 10.2.2.2:
PORT     STATE SERVICE
22/tcp   open  ssh

No exact OS matches for host
# sshnuke 10.2.2.2 -rootpw="Sn3aker$"
Connecting to 10.2.2.2:ssh ... successful.
Attempting to exploit SSHv1 CRC 32 ... successful.
Reseting root password to "Sn3aker$".
System open: Access Level (9)
# scp -p [email protected]:/encrypted/"*" .
[email protected]'s password: ********
swordfish.crypt                         100%  400KB  2.3MB/s   00:00
readme.nfo                              100%    1KB  8.2MB/s   00:00
# cat readme.nfo
Mess with the best, die like the rest.
# openssl enc -aes-256-cbc -d -in software.crypt -out swordfish.crypt
enter decryption password: ********
bad decrypt
error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
# john --format=raw-sha256 --wordlist=/usr/share/wordlists/rockyou.nfo swordfish.crypt
Loaded 1 password hash (Raw-SHA256 [SHA256 256/256 AVX2 8x])
Press 'q' or Ctrl-C to abort, almost any other key for status
Using default input encoding: UTF-8
Loaded 1337 password hashes with 1337 different salts (Raw-SHA256)
Proceeding with brute force...
No password matches found yet, trying more options... ^C
# fcrackzip -u -D -p /usr/share/wordlists/rockyou.nfo software.crypt
found file 'software.crypt', size: 409600 bytes, method: deflate
possible pw found: 'H4ckthePlan3t!' 
# openssl enc -aes-256-cbc -d -in software.crypt -out swordfish -k "H4ckthePlan3t!"
enter decryption password: 
Decryption successful
# ls
swordfish  readme.nfo  software.crypt
# file swordfish
swordfish: tar archive
# tar xzvf swordfish
extracted: HAL/
extracted: WOPR/
extracted: NSDD-145.tex
extracted: instructions.nfo

# cat instructions.nfo

> TOO MANY SECRETS