The Six of Diamonds

Security research, CTF writeups, and hacking adventures

📅 January 04, 2017 · đŸ‘€ gu4r15sm0 · 📁 metasploitable
đŸ·ïž metasploitable3 ctf cards

Metasploitable 3

The Six of Diamonds

Still using the same meterpreter session exploited in Elasticsearch we can use the search command to find cards if we know their names.

meterpreter > search -f *diamonds*

Found 6 results


    C:\jack_of_diamonds.png

    C:\Program Files\OpenSSH\home\Public\Pictures\ten_of_diamonds.png (406134 bytes)


    **C:\Users\Public\Pictures\ten_of_diamonds.png** (406134 bytes)

    **C:\inetpub\wwwroot\six_of_diamonds.zip** (384916 bytes)

    C:\vagrant\resources\flags\six_of_diamonds.zip (384916 bytes)

    C:\vagrant\resources\flags\ten_of_diamonds.png (406134 bytes)


```bash
meterpreter >



Looking at the path it seems the six_of_diamonds.zip file is probably on the main IIS website on port 80 so I downloaded it from there.


```bash
root@igor-kali:~# wget http://10.20.10.19/six_of_diamonds.zip

\--2016-12-09 23:37:15--  http://10.20.10.19/six_of_diamonds.zip

Connecting to 10.20.10.19:80
 connected.

HTTP request sent, awaiting response
 200 OK

Length: 384916 (376K) [application/x-zip-compressed]

Saving to: ‘six_of_diamonds.zip’

six_of_diamonds.zi 100%[================>] 375.89K  –.-KB/s    in 0.003s 

2016-12-09 23:37:15 (105 MB/s) - ‘six_of_diamonds.zip’ saved [384916/384916]

 I proceeded to use ‘unzip’ but it prompted me for a password, I tried a couple and failed, then I guessed the password. (tip: it’s always the same password)

root@igor-kali:~# unzip six_of_diamonds.zip

Archive:  six_of_diamonds.zip

[six_of_diamonds.zip] six_of_diamonds.png password:

password incorrect–reenter:

password incorrect–reenter:

 extracting: six_of_diamonds.png     

That’s a creepy looking dude

← Back to all posts