Discovery
First, we need to identify the IP address the machine is using. I use arp-scan for the job, but netdiscover or nmap will do the trick too. With arp-scan it looks like this:
arp-scan -l
This prints a list of all the machines on the network that respond to ARP requests; the output looks like this:
The IP of the machine identified
With that, we can proceed to do some footprinting with our trusty nmap. The command used in this case was:
nmap command to do information gathering on the server.
The output of this command is:
Okay, we get that 3 ports are open: port 22 for SSH and ports 80 and 31337 for HTTP.
Accessing port 80 doesn’t reveal much:
Except for the message that says to follow the White Rabbit. Thing is, if you look at the page source of this site, you’ll find a clue about what to do next:
As you can see in the last picture, the img tag gives you a hint to follow port 31337.
Accessing port 31337 gives us this page:
And if you check out the page source, you’ll get the first big finding:
Getting access
The string found in the page source is:
ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=
It’s Base64-encoded; passing it through a decoder gives you this:
echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix
This looks like a bash command: echo prints its arguments and “>” redirects that output into a file. So the command writes the message “Then you’ll see, that it is not the spoon that bends, it is only yourself.” to the file “Cypher.matrix”.
Why don’t we try to access this file?
When you go to the URL:
http://192.168.201.124:31337/Cypher.matrix
it automatically downloads a file containing the following cypher:
You’re probably thinking “WTF”, don’t worry. I was thinking the same thing.
After some Google Fu, I found that this is Brainfuck code, an esoteric programming language that exists for, you guessed it, messing with your brain.
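As an added illustration (not part of the original write-up), here is a small Python helper for the two decoding steps in this section. It decodes the Base64 clue from the page source and pulls out the file name the echo command writes to, and it provides a minimal Brainfuck interpreter with a step limit, so an unknown blob copied off a box cannot hang your terminal. The Brainfuck program from Cypher.matrix is not reproduced on this page, so DEMO_PROGRAM below is a constructed one that prints "Hi"; passing the real blob to run_brainfuck gives the same result the author got.

```python
import base64
import shlex
from typing import Optional

# The Base64 string found in the page source on port 31337 (from the write-up).
CLUE_B64 = (
    "ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywg"
    "aXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg="
)

# Constructed demo program (NOT the blob from Cypher.matrix): prints "Hi".
# cell0 = 8; the loop adds 9 to cell1 eight times -> 72 ('H'); 33 more -> 105 ('i').
DEMO_PROGRAM = "++++++++[>+++++++++<-]>." + "+" * 33 + "."


def decode_clue(b64_text: str) -> str:
    """Decode a Base64 clue; validate=True rejects junk instead of silently dropping it."""
    return base64.b64decode(b64_text, validate=True).decode("utf-8")


def output_file_of(command: str) -> Optional[str]:
    """Return the file a shell command redirects into with '>' (None if there is none).

    shlex keeps '>' as its own token when it is surrounded by whitespace,
    which is the case for the decoded clue.
    """
    tokens = shlex.split(command)
    for i, tok in enumerate(tokens):
        if tok == ">" and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def run_brainfuck(src: str, stdin: bytes = b"", tape_len: int = 30000,
                  max_steps: int = 10_000_000) -> str:
    """Interpret Brainfuck source and return its output as text.

    Only the eight instruction characters matter; everything else (line breaks,
    spaces) is ignored, so a blob can be passed in unchanged. Cells are 8-bit and
    wrap, the pointer may not leave the tape, and max_steps bounds the runtime.
    """
    jump = {}
    stack = []
    for i, ch in enumerate(src):          # pre-match brackets so jumps are O(1)
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    tape = bytearray(tape_len)
    out = bytearray()
    inp = iter(stdin)
    ptr = pc = steps = 0
    while pc < len(src):
        steps += 1
        if steps > max_steps:
            raise RuntimeError(f"step limit {max_steps} exceeded (non-terminating program?)")
        ch = src[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = next(inp, 0)      # EOF reads as 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jump[pc]
        if not 0 <= ptr < tape_len:
            raise IndexError("data pointer left the tape")
        pc += 1
    return out.decode("latin-1")


if __name__ == "__main__":
    cmd = decode_clue(CLUE_B64)
    print("decoded command:", cmd)
    print("file to fetch:  ", output_file_of(cmd))
    print("demo program:   ", run_brainfuck(DEMO_PROGRAM))
```

The step limit is the part worth keeping in mind: the program you download from a challenge box is untrusted input, and a Brainfuck loop that never terminates is the cheapest way for it to waste your time.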
When you compile it, it prints out this:
Here it tells me that there is a user called guest and that the password starts with k1ll0r and ends with two more characters. Guess it’s time to create our dictionary for brute forcing SSH. Luckily for us, there’s a tool that can do the trick, and it’s called mp64 (maskprocessor):
This command creates a wordlist from the word “k1ll0r”, generating all possible combinations for the last two characters with the ?a mask (any printable ASCII character).
After the wordlist is created, I proceeded to brute force the SSH service using hydra:
And after a couple of minutes we find the password:
Which is k1ll0r7n.
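From the defender’s side, a run like the one above leaves a very recognisable trail in the SSH server’s auth log: a burst of failed logins for one account from one source within a few minutes, followed by a single accepted login from the same source. The following is an added example (not from the write-up) of that detection logic, run over a handful of constructed OpenSSH log lines; the host name matrix and the source address 192.168.201.50 are made up.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# OpenSSH authentication lines in syslog format (as found in /var/log/auth.log).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>password|publickey)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+port\s+\d+"
)

# Constructed sample log: 12 rapid failures for 'guest' from one source, then a
# success from that same source, plus two unrelated lines as noise.
SAMPLE_AUTH_LOG: List[str] = [
    f"Mar  3 21:14:{s:02d} matrix sshd[{1200 + s}]: Failed password for guest "
    f"from 192.168.201.50 port {40000 + s} ssh2"
    for s in range(12)
] + [
    "Mar  3 21:14:12 matrix sshd[1212]: Accepted password for guest from 192.168.201.50 port 40012 ssh2",
    "Mar  3 21:14:13 matrix sshd[1213]: Failed password for invalid user admin from 192.168.201.77 port 51000 ssh2",
    "Mar  3 21:15:00 matrix sshd[1214]: Accepted publickey for alice from 192.168.201.10 port 52000 ssh2",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an sshd auth result line, or None for any other line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse_auth_log(lines: List[str], threshold: int = 10) -> Dict[str, Dict]:
    """Report source addresses with at least `threshold` failed logins.

    For each flagged source the report gives the failure count, the accounts
    targeted, and whether a login from that source succeeded after the failures,
    which is the strongest sign that a guessed password actually worked.
    """
    stats: Dict[str, Dict] = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = stats[ev["ip"]]
        if ev["result"] == "Failed":
            src["failures"] += 1
            src["users"].add(ev["user"])
        elif src["failures"] > 0:          # only a success *after* failures matters here
            src["accepted"].append(ev["user"])

    report: Dict[str, Dict] = {}
    for ip, src in stats.items():
        if src["failures"] >= threshold:
            report[ip] = {
                "failures": src["failures"],
                "users": sorted(src["users"]),
                "accepted": src["accepted"],
                "compromised": bool(src["accepted"]),
            }
    return report


if __name__ == "__main__":
    for ip, info in analyse_auth_log(SAMPLE_AUTH_LOG).items():
        flag = "LIKELY COMPROMISED" if info["compromised"] else "brute force attempt"
        print(f"{ip}: {info['failures']} failures against {info['users']} -> {flag}")
```

A threshold of ten is arbitrary; the point is that a wordlist of this shape needs many attempts per account, so even a generous threshold catches it, and the accepted login after the burst is what turns an alert into an incident. Rate limiting (fail2ban or equivalent) and key-only authentication stop this class of attack before the log fills up.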
Now, let’s access the server through SSH using the recently obtained credentials.
Privilege escalation
Once in, if you try to do anything, you’ll find you can’t run any commands:
This is because you’re using a restricted shell, which is commonly used to limit users to certain actions. In this case, I’ll need to find a way to break out of the shell jail. Running export gives us a better idea of what we can do inside the machine:
It shows that our PATH is “/home/guest/prog” and that SHELL is “/bin/rbash”, which is restricted bash.
If we look in the PATH directory for the user, we’ll find there is only one program we can access, vi:
This is perfect, as vi can be used to escape a restricted shell; here is a better explanation of that. Lucky for us, typing :!/bin/bash was enough to escape the restricted shell:
Opening vi as guest
Breaking out of restricted bash through vi
And we are free:
Let’s see if we can export a new PATH for bash with:
export PATH=/usr/bin:/bin/
And we are able to do it:
With that we are able to use most of the commands in Linux.
After messing around and enumerating for a while inside the server, I found out that the user has permission to execute every command available:
That means we can switch to the root user with the command sudo su:
With that, we just need to read the flag:
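Two misconfigurations carried this whole section: a restricted shell whose only allowed program can spawn an unrestricted one, and a sudoers rule that lets a low-privilege account run every command. The following Python audit is an added example (not from the write-up) that checks for both against constructed input. The environment and PATH listing mirror what the author saw for guest; the sudoers text is a made-up sample, since the page only shows that guest could run everything.

```python
import re
from typing import Dict, List, Tuple

# Programs that let the user run arbitrary commands from inside them. The
# write-up used vi's ':!' for that, and vim behaves the same. The list is
# deliberately short and illustrative for this example.
SHELL_ESCAPE_PROGRAMS = {"vi", "vim"}

# Constructed input mirroring the environment the write-up shows for 'guest'.
SAMPLE_ENV = {"SHELL": "/bin/rbash", "PATH": "/home/guest/prog"}
SAMPLE_PATH_LISTING = {"/home/guest/prog": ["vi"]}

# Constructed sudoers sample (the real file on the box is not on the page).
SAMPLE_SUDOERS = """\
# constructed example, not from the machine
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
guest   ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# user_or_group  host = (runas) [TAG:]* commands
SUDO_RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)


def audit_restricted_shell(env: Dict[str, str], path_listing: Dict[str, List[str]]) -> List[str]:
    """Findings for an rbash jail: shell not actually restricted, dangling PATH
    entries, or allowed programs that can hand the user an unrestricted shell."""
    findings: List[str] = []
    if not env.get("SHELL", "").endswith("rbash"):
        findings.append(f"SHELL is {env.get('SHELL')!r}, not a restricted shell")
    for d in env.get("PATH", "").split(":"):
        if not d:
            continue
        if d not in path_listing:
            findings.append(f"PATH entry {d} not found in listing (dangling PATH entry)")
            continue
        for prog in path_listing[d]:
            if prog in SHELL_ESCAPE_PROGRAMS:
                findings.append(f"{d}/{prog}: editor with a shell-escape command, defeats rbash")
    return findings


def audit_sudoers(text: str) -> List[Tuple[str, str, str]]:
    """Return (principal, severity, message) for risky sudoers rules."""
    findings: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        who, cmds, tags = m["who"], m["cmds"].strip(), m["tags"] or ""
        if who == "root":
            continue
        if cmds == "ALL":
            findings.append((who, "high", "may run any command (root shell via 'sudo su' or 'sudo -i')"))
        if "NOPASSWD:" in tags:
            findings.append((who, "medium", f"passwordless sudo for {cmds}"))
    return findings


if __name__ == "__main__":
    for f in audit_restricted_shell(SAMPLE_ENV, SAMPLE_PATH_LISTING):
        print("rbash:  ", f)
    for who, sev, msg in audit_sudoers(SAMPLE_SUDOERS):
        print(f"sudoers: [{sev}] {who}: {msg}")
```

The fix for the first finding is to restrict what the jailed user can launch (an editor without a shell-escape command, or no editor at all) and to make sure the PATH directory is not writable by that user; the fix for the second is to grant specific commands rather than ALL, and never both to an account that is reachable with a password weak enough to be guessed in a couple of minutes.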