Deathnote is a themed box (Death Note anime) with two crypto puzzles back to back — brainfuck for the first user and WAV-file steganography for the second. The cipher chains are the memorable part. About 90 minutes total, with most of that spent figuring out the WAV file decode order in CyberChef.
01_Reconnaissance
SSH 22 + HTTP 80. The HTTP page redirects to deathnote.vuln — add to /etc/hosts. WordPress install at the root.
$ nmap -sV 192.168.1.21 22/tcp open ssh 80/tcp open http Apache (WordPress) $ echo "192.168.1.21 deathnote.vuln" | sudo tee -a /etc/hosts
02_WordPress_Brute_+_Brainfuck_Decode
wpscan enumerates two users — kira and L. The wp posts contain a brainfuck-encoded password block. Decode via dcode.fr — gives SSH password for L.
$ wpscan --url http://deathnote.vuln/wordpress/ -e u [+] kira (User ID: 1) [+] L (User ID: 2) # Brainfuck block found in wp post content +++++ +++++ [>+++++ ++>++++ +++++ ...] # Decoded via dcode.fr brainfuck decoder [REDACTED] — password for user L $ ssh L@192.168.1.21 L@deathnote:~$ id
03_WAV_Steganography_via_CyberChef
L's home dir has a folder of red herrings — a .wav file in /var/www/html/L hides the next password. Open in CyberChef: From Hex → From Base64. Two layers stacked.
# CyberChef recipe (in order): 1. From Hex 2. From Base64 # Output: kira : [REDACTED] $ su kira Password: [REDACTED] kira@deathnote:~$ sudo -l User kira may run the following commands as root: (ALL) NOPASSWD: ALL
04_PrivEsc_via_sudo_NOPASSWD
kira has full sudo NOPASSWD. sudo su drops directly into a root shell.
kira@deathnote:~$ sudo su root@deathnote:/home/kira# id uid=0(root) gid=0(root) # cat /root/root.txt [REDACTED]
05_Attack_Chain_Summary
- 01 nmap → SSH + HTTP → /etc/hosts: deathnote.vuln
- 02 wpscan → users L + kira → brainfuck block in wp posts
- 03 Decode brainfuck → SSH password for L → SSH access
- 04 WAV file in /var/www/html/L → CyberChef From Hex → From Base64
- 05 Decoded → kira password → su kira
- 06 sudo -l → kira NOPASSWD ALL → sudo su → root