This was my first time attempting to hack a VM from HackMyVM, and my penetration testing background isn’t as strong as my forensics background, so I decided to start with an easy one. This is the “Gift” box created by sml.
On booting the “Gift” virtual machine, the boot logs show what the IP address of the machine is.

The first thing I did to start was get some information through port scanning using nmap. I ran the following nmap command.
nmap -Pn -sV 192.168.56.111 [1]
From this, I found out that the machine was running two services: an SSH server and an HTTP server.

First I visited the HTTP server since that was unlikely to be password protected.

It just depicts a message telling me not to overthink it because it’s simple. There is nothing else interesting here, so all that was left to do was try the SSH server.

I wasn’t sure what username to try, but I figured it was safe to try root as the user. As for the password, I was a bit stuck. Despite the previous warning to not overthink it, I’m afraid I did overthink this quite a bit. The only hint was the text on the web page from earlier, so I knew it had something to do with that. I noticed the capitalization of every first letter and thought it might have been “DORI”. Then just for kicks, I tried “DORIS”, and several combinations of changing the case of the letters. None of that worked, and even though in hindsight I now see that the answer was practically screaming at me, I didn’t see it for a while. So I took to Hydra to just crack the password the old-fashioned way using the “rockyou.txt” password list.
hydra -f -v -l "root" -P "rockyou.txt" ssh://192.168.56.111 [2]
This got me the password. And just as the webpage said, it really was simple.

Once I logged into the SSH server, I was able to find the root and user flags.
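
Seen from the defending side, the Hydra run above leaves a recognisable trail in the SSH server's log: a burst of failed root logins from one address, then a single success. The following is an added example, not part of the original write-up, that flags that pattern; the log lines, the hostname, the source address, the ISO 8601 timestamp format and the threshold values are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd password-auth result lines; "invalid user" appears for unknown accounts.
LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for failure bursts and for logins that follow one."""
    failures = defaultdict(deque)  # (ip, user) -> timestamps of recent failures
    bursting = set()               # keys that already raised a burst alert
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a password-auth result line
        ts = datetime.fromisoformat(m["ts"])
        key = (m["ip"], m["user"])
        recent = failures[key]
        while recent and ts - recent[0] > window:
            recent.popleft()       # drop failures that fell out of the window
        if len(recent) < threshold:
            bursting.discard(key)  # earlier burst has aged out
        if m["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and key not in bursting:
                bursting.add(key)
                alerts.append(("burst", *key, len(recent)))
        else:
            # A success straight after a burst means a guess probably worked.
            if len(recent) >= threshold:
                alerts.append(("compromise", *key, len(recent)))
            recent.clear()
            bursting.discard(key)
    return alerts

# Constructed sample: six failed root logins, one success, then a normal user typo.
SAMPLE = [
    f"2024-03-10T12:00:{s:02d}+00:00 gift sshd[812]: Failed password for root "
    f"from 192.168.56.1 port {40000 + s} ssh2" for s in range(0, 12, 2)
] + [
    "2024-03-10T12:00:13+00:00 gift sshd[812]: Accepted password for root from 192.168.56.1 port 40013 ssh2",
    "2024-03-10T12:05:00+00:00 gift sshd[901]: Failed password for alice from 192.168.56.20 port 51000 ssh2",
    "2024-03-10T12:05:09+00:00 gift sshd[901]: Accepted password for alice from 192.168.56.20 port 51002 ssh2",
]
```

A "burst" alert is the point to block the source address; a "compromise" alert means the account's password should be treated as known to the attacker.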

Footnotes
1. Nmap is a port scanning program.
   The command here uses two flags: -Pn and -sV
   The -Pn flag (no ping) skips the initial ping phase of the scan and just starts immediately scanning ports.
   The -sV flag (service version) shows the version for services found during the scan.
2. Hydra is a password brute-forcing tool.
   I used four flags when running this: -f, -v, -l and -P
   The -f flag tells the program to stop running as soon as it finds a single valid password.
   The -v (lowercase) flag puts the program in lower verbosity mode, which just makes the program display updates on the terminal as it runs.
   The -l flag (lowercase) tells the program you’re about to enter a single username to check (a capital L would allow a username list)
   The -P flag (uppercase) tells the program you’re about to input a password list for it to check (a lowercase p would allow for just a single password)
