# CyberHeroes

## Nmap

```
nmap 10.10.150.136 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.48 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

With only port 80 open we browse to the root page for CyberHeros.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FzGkWEyvR170G7H4703fH%2Fimage.png?alt=media\&token=c57cf152-b7a2-4ea0-9ea9-25d98a2f7db8)

Running the web site through ZAP proxy with attack mode enabled reveals several pages. Viewing the response results for /login.html reveals a potential user name and password. We see the password is assigned the value [#undefined](#undefined "mention")[#undefined](#undefined "mention")RevereString".

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FQFiXYUT1PAjORPMyncma%2Fimage.png?alt=media\&token=601afafc-8463-4dec-81d8-4c69ef6d2cba)

Using the command line we are able to reverse the string.

```bash
echo "<Password>" | rev
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fh5aGdupTeqnhS1LRACSX%2Fimage.png?alt=media\&token=e45c037c-c579-4973-b11f-e08e1568dc0e)

To reveal the correct password for the user h3ck3rBoi where, we can then grab the room flag.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fj2ptVhVyNdYtJRe0YWRb%2Fimage.png?alt=media\&token=88a81c2c-71dd-4fef-a856-653ff1749613)