Try Hack Me: Willow Walkthrough

Yebberdog
5 min read · Aug 27, 2020

There is not a lot of information about this box in the description, so let's start with an Nmap scan of all ports and follow up with a version scan plus default scripts on the ports that come back open.

So we have SSH running on port 22, an Apache httpd web server on port 80, rpcbind open on port 111 and nfs_acl (NFS) open on port 2049.

Port 80 — Web Server

WOW, too many numbers. At this point I am guessing that this is some sort of encoding. As this is not my strong point, I tend to paste it into CyberChef and run through the various encoding methods in turn until something makes sense.

After some trial and error it appears to be hex-encoded; decoding the text, we see a message in the first line.

“Hey Willow, here’s your SSH Private key — you know where the decryption key is!”

So it follows that the rest of the encoded text is probably the SSH private key.

As I am not sure what else to do, I will move on to the NFS (Network File System) server on port 2049 and see what is there.

Port 2015 — Network File System (NFS)

We can see there is a directory /var/failsafe exported by the NFS server; we can mount the share and view the contents of the directory:

We can see a file rsa_keys; let's cat the file and see what it contains:

Public Key Pair: (23, 37627)
Private Key Pair: (61527, 37627)

OK, so this was a bit over my head, but I was intrigued and started researching rsa_keys. Eventually I found a blog by the author of the box which provided a great deal of information; however, a lot of the coding was a bit over my head at this stage.

At the bottom of the blog there was some code that seemed to make sense:

This seemed to tie in perfectly with the information found in the NFS file:

Public Key (e=23, n=37625)

Private Key (d=61527, n=37627)

I copied the hex code that follows “Hey Willow, here’s your SSH Private key — you know where the decryption key is!” into an RSA calculator I found online at the link below:

Entering these key values, together with the remainder of the encrypted text, into the calculator decodes the RSA-encrypted key.
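To make the two decoding steps above concrete (hex-decode the page body, then RSA-decrypt the remainder with the pair from rsa_keys), here is an added Python example. It is not code from the write-up, from the box author's blog, or from the online RSA calculator the author used. It uses the key values the write-up records (e=23, d=61527, n=37627); the layout it assumes for the ciphertext (whitespace-separated decimal integers, one per plaintext byte) is an assumption, since the real blob is only shown as an image, and the sample hex dump is constructed inside the block. The consistency check at the end also makes the defensive point: a 16-bit modulus factors by trial division in under 200 steps, so anyone who sees the public pair can recompute the private exponent, and a key this small protects nothing.

```python
import math
from typing import List, Tuple

# Key material as recorded in the rsa_keys file on the NFS share (values from the write-up).
E, N = 23, 37627      # public key pair (e, n)
D = 61527             # private exponent, same modulus


def rsa_apply(block: int, exponent: int, n: int) -> int:
    """Textbook RSA on one integer block: m^e mod n to encrypt, c^d mod n to decrypt."""
    if not 0 <= block < n:
        raise ValueError(f"block {block} is outside [0, {n})")
    return pow(block, exponent, n)


def encrypt_bytes(plaintext: bytes, e: int, n: int) -> List[int]:
    """One byte per block: a 16-bit modulus cannot hold more than one byte per block."""
    return [rsa_apply(b, e, n) for b in plaintext]


def decrypt_blocks(blocks: List[int], d: int, n: int) -> bytes:
    """Invert encrypt_bytes; a result above 0xFF means the wrong key or a mis-parsed block."""
    out = bytearray()
    for c in blocks:
        m = rsa_apply(c, d, n)
        if m > 0xFF:
            raise ValueError(f"decrypted block {m} is not a byte")
        out.append(m)
    return bytes(out)


def recover_from_hex_dump(hex_text: str, d: int, n: int) -> Tuple[str, bytes]:
    """Hex-decode the page body, split off the first-line note, RSA-decrypt the rest.

    Assumes (not stated on the page) that the ciphertext after the note is
    whitespace-separated decimal integers, one per plaintext byte.
    """
    decoded = bytes.fromhex("".join(hex_text.split())).decode("ascii")
    note, _, rest = decoded.partition("\n")
    blocks = [int(tok) for tok in rest.split()]
    return note, decrypt_blocks(blocks, d, n)


def factor_by_trial_division(n: int) -> Tuple[int, int]:
    """Smallest prime factor and cofactor; for a 16-bit n this is at most isqrt(n) < 200 steps."""
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError(f"{n} has no non-trivial factor")


def key_pair_is_consistent(e: int, d: int, n: int) -> bool:
    """Check e*d == 1 (mod phi(n)). That this check is cheap is exactly the weakness:
    phi(n), and hence d, follows directly from factoring the public modulus."""
    p, q = factor_by_trial_division(n)
    phi = (p - 1) * (q - 1)
    return (e * d) % phi == 1


# Constructed sample input standing in for the hex blob on the web page (not the real ciphertext).
SAMPLE_NOTE = "Hey Willow, here's your SSH Private key - you know where the decryption key is!"
SAMPLE_SECRET = b"-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder key body)\n"
SAMPLE_HEX = (
    SAMPLE_NOTE + "\n" + " ".join(str(c) for c in encrypt_bytes(SAMPLE_SECRET, E, N))
).encode("ascii").hex()

if __name__ == "__main__":
    note, secret = recover_from_hex_dump(SAMPLE_HEX, D, N)
    print(note)
    print(secret.decode("ascii"))
    p, q = factor_by_trial_division(N)
    print(f"n = {N} = {p} * {q}")
    print("key pair consistent:", key_pair_is_consistent(E, D, N))
```

Running the block prints the recovered note and placeholder key body, shows that n = 191 * 197, and reports the pair as consistent; the same factoring step is why a real deployment needs a modulus of at least 2048 bits rather than 16.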

I can now copy and paste the id_rsa key into vim and save it on my local machine.

First we need to chmod 600 id_rsa so that ssh will accept the key file.

Trying to log in to the SSH server, we are told the key needs a passphrase, so it looks like we will have to brute-force it.

Using ssh2john.py we convert the id_rsa key into a format John can read in order to crack the passphrase.

./ssh2john.py id_rsa > willow_key

We can then use John to try to crack the passphrase:

john --wordlist=/usr/share/wordlists/rockyou.txt willow_key

We now have the passphrase for the id_rsa key, so we should be able to log in over SSH.

ssh -i id_rsa willow@10.10.87.142

We can see a user.jpg; let's download it using scp, and we have our user flag.

Privesc

Let’s see what sudo privileges Willow has:

We can see that Willow can run /bin/mount /dev/* with sudo.

Let's first see what is in /dev/:

There is an interesting entry, /dev/hidden_backup. Let's mount it, but first I will create a dev/hidden_backup directory in Willow's home directory and then mount /dev/hidden_backup onto it:

sudo mount /dev/hidden_backup /home/willow/dev/hidden_backup/

We can now navigate to dev/hidden_backup in our home directory.

It looks like we now have the SSH password for root; let's su to root and get the root flag:

This took me quite a while to work out; however, the user.jpg contained a hidden file. Stupidly I did not check this, as the user flag on the image drew my attention. Using Steghide I checked the image for hidden files using root's password.

And there it is, a hidden file called root.txt. We can extract it with Steghide.

Great box, and hats off to the developer. I am looking forward to other quality boxes from this guy; see link below:
