VM booting in VirtualBox should quickly present 2 ports: 80 and 31337. Let's try the first one:
Ok, let's follow... to the source. ;) To do that I used Developer Tools (available in Firefox - [F12]):
As you can see there is a little bunny in the traffic... I thought that the name of the image would be some kind of hint to actually check that 2nd found port (31337), so (after a quick nmap):
So I decided to simply connect to the ports with telnet and/or netcat:
So we found another HTTP port. Cool. When I was reading the source presented in response I found some string "similar to base64".
To 'decode' the string I used Burp Proxy:
...and decided that this dirb with rockyou.txt in the background window is pointless. ;]
In the meantime - maybe you remember, there was a case [1, 2] that we can probably use this time against our 3rd open port - 22 (ssh) - so CVE-2018-15473. Before I tried some p0c's - in case this is a Matrix CTF ;) - I decided to go first to the "movie's-webpage" and grab some usernames:
Preparing users ;]
Ok, so we need to trust Trinity. ;] We will get back to that later.
So - our echo command - I was wondering if there is an output file (from that echo "..."), checking:
An old friend... ;]
Anyway... I decided to find some cool online place where I can check what's behind this brainfuck code. That's how I found this page:
Ok, so far so good. We have a part of the password and we know some hint to guess it.
To crack it I used crunch:
First guess (only with digits) was not the best
... so I decided to add some letters :)
... ok. All letters. ;] Checking:
Ok, good. Verifying:
We're in. Next thing was to get some details about the target machine:
Ok, there is rbash (not bash) prepared as our default shell, "not so good"... but after a moment I realized that maybe there are some 'wrong permissions' on the target machine (as in a few cases in other CTFs I had the pleasure to play).
First guess for tools like nmap or tar or scp... and we should be somewhere here:
Next, a few hints from the passwd file (which user(s) we should look for):
Next thing was:
- open file with vi ($ vim a)
- type: $ :!/bin/sh
Now we can add PATH ($ export PATH=/usr/bin, and so on...) to get a cool working shell.
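Seen from the admin side, the rbash restriction above only holds if no command left available to the user can start a shell of its own. The script below is an added example, not part of the original write-up: it audits a restricted user's command directory for such programs. The ESCAPE_CAPABLE list, the function names and the sample directory layout are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Audit the command directory of an rbash user for programs that can start
# an unrestricted shell. ESCAPE_CAPABLE is an assumed, non-exhaustive list:
# the editor and the tools named in the write-up above.
ESCAPE_CAPABLE="vi vim nmap tar scp"

# Print the space-separated entries of directory $1 that are, or resolve
# through symlinks to, an escape-capable program.
audit_rbash_dir() {
    local dir=$1 found="" entry name real bad
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        # Resolve symlinks so a link named "editor" -> vim.basic is still caught.
        real=$(basename "$(readlink -f "$entry")")
        for bad in $ESCAPE_CAPABLE; do
            case "$name" in "$bad"|"$bad".*) found="$found$name "; continue 2 ;; esac
            case "$real" in "$bad"|"$bad".*) found="$found$name "; continue 2 ;; esac
        done
    done
    printf '%s' "${found% }"
}

# Constructed sample: a fake restricted bin directory (hypothetical layout).
make_sample_dir() {
    local tmp
    tmp=$(mktemp -d)
    mkdir "$tmp/real" "$tmp/bin"
    touch "$tmp/real/vim.basic" "$tmp/real/ls"
    ln -s "$tmp/real/vim.basic" "$tmp/bin/editor"   # renamed link to vim
    ln -s "$tmp/real/ls" "$tmp/bin/ls"              # harmless
    touch "$tmp/bin/scp"                            # flagged by its own name
    printf '%s' "$tmp/bin"
}

sample=$(make_sample_dir)
echo "flagged: $(audit_rbash_dir "$sample")"
```

Point audit_rbash_dir at the directory the restricted user's PATH refers to; every entry it prints should be removed or replaced before the account is handed out.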
Checking, what to do now:
Interestingly we can go via sudo -l directly to the root user (but that's "probably" not the case ;)). Checking:
So, checking the python file:
After a while I decided to:
- sudo to root again
- su to trinity ;)
- run strace against python
After a few ctrl+c/d/z I found that we are here:
I decided to sudo to root again, then to trinity, then move ./python to ./oracle, and then try to run the binary ;) See below for the details: