[Vulnhub] analoguepond - Walkthrough Part 2
Hi guys.
In the last post, I got the first flag-like file.
# cat flag1.txt.0xff
3d3d674c7534795a756c476130565762764e4849793947496c4a585a6f5248496b4a3362334e3363684248496842435a756c6d5a675148616e6c5762675533623542434c756c47497a564764313557617442794d79415362764a6e5a674d585a7446325a79463256676732593046326467777961793932646751334a754e585a765247497a6c47613042695a4a4279615535454d70647a614b706b5a48316a642f67325930463264763032626a35535a6956486431395765756333643339794c364d486330524861
The .0xff extension indicates that this might be a hex-encoded string, so decode it:
# cat flag1.txt.0xff | xxd -r -p
==gLu4yZulGa0VWbvNHIy9GIlJXZoRHIkJ3b3N3chBHIhBCZulmZgQHanlWbgU3b5BCLulGIzVGd15WatByMyASbvJnZgMXZtF2ZyF2Vgg2Y0F2dgwyay92dgQ3JuNXZvRGIzlGa0BiZJByaU5EMpdzaKpkZH1jd/g2Y0F2dv02bj5SZiVHd19Weuc3d39yL6MHc0RHa
The result seems to be a base64 string because it has two '=', but I think we need to reverse and decrypt it:
# cat flag1.txt.0xff | xxd -r -p | rev | base64 --decode
https://www.youtube.com/watch?v=GfJJk7i0NTk If this doesn't work, watch Wargames from 23 minutes in, you might find a password there or something...
Here we go. Turns out that this is a hint to the next step rather than the flag.
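The same hex, reverse, base64 chain as an added Python example (not part of the original walkthrough), generalized to peel these layers in whatever order they were stacked. The names peel and DECODERS and the sample string are assumptions made up for this example.

```python
import base64
import binascii
import re

HEX_RE = re.compile(r"[0-9a-fA-F]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def _hex(text):
    """Hex to UTF-8 text (what `xxd -r -p` does); None if it is not hex."""
    if len(text) % 2 or not HEX_RE.fullmatch(text):
        return None
    try:
        return bytes.fromhex(text).decode("utf-8")
    except UnicodeDecodeError:
        return None

def _b64(text):
    """Strict base64 to UTF-8 text; None if it is not valid base64 of text."""
    if len(text) % 4 or not B64_RE.fullmatch(text):
        return None
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

# Tried in order; the reversed variant covers the `rev | base64 --decode` step.
DECODERS = [("hex", _hex), ("base64", _b64),
            ("reversed-base64", lambda t: _b64(t[::-1]))]

def peel(text, max_layers=8):
    """Strip encoding layers; return (innermost text, list of layers removed)."""
    layers, text = [], text.strip()
    for _ in range(max_layers):
        for name, decode in DECODERS:
            # Short strings are left alone: too many words are valid hex/base64.
            decoded = decode(text) if len(text) >= 8 else None
            if decoded is not None and decoded.strip().isprintable():
                break
        else:
            return text, layers  # no decoder applies: this is the plaintext
        layers.append(name)
        text = decoded.strip()
    return text, layers

# Constructed sample (not the VM's flag): text -> base64 -> reversed -> hex.
SAMPLE = base64.b64encode(b"constructed sample: not a real flag")[::-1].hex()
if __name__ == "__main__":
    print(peel(SAMPLE))
```

The leading '=' padding is what makes the forward base64 attempt fail and the reversed one succeed, which is the same clue used above.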
So I watched the video a couple of times and found nothing. (There is no sentence that starts with "the password is ...".)
I had to know what I was looking for.
# pwd
/root/protovision
# cat jim
Mr Potato Head! Backdoors are not a...
# cat melvin
Boy you guys are dumb! I got this all figured out...
jim and melvin are two characters in the video. So I assumed that those missing words or phrases are what we need to find. From the video, I knew that the keys to something are 'secret' and 'myself'.
Then there was another file, and I had to keep digging until it ended. (Man, it was a pain.)
# pwd
/root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z
# ls -al
total 16
drwxr-xr-x 2 root root 4096 Dec 21 2016 .
drwxr-xr-x 3 root root 4096 Dec 18 2016 ..
---x------ 1 root root 7 Dec 18 2016 my_world_you_are_persistent_try
-rw-r--r-- 1 root root 1420 Dec 21 2016 nleeson_key.gpg
# cat my_world_you_are_persistent_try
joshua
There I got another keyword 'joshua'.
I used nc to copy the .gpg file to Kali and decrypted it with gpg -d. It asked me for a passphrase. I tried 'secret', which hit, and got a private key file.
Now it was clear, because I had previously noticed this:
sandieshaw@puppet:/etc/puppet/modules/vulnhub/files$ pwd
/etc/puppet/modules/vulnhub/files
sandieshaw@puppet:/etc/puppet/modules/vulnhub/files$ cat barringsbank-passwd | grep nleeson
nleeson:x:1000:1000:Nicholas Leeson,,,:/home/nleeson:/bin/bash
sandieshaw@puppet:/etc/puppet/modules/vulnhub/files$ cat barringsbank-hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# Only allow connections from puppet.
ALL: 192.168.122.2
There is a username called nleeson, and I got its key, so let's ssh.
Notice that .3 only allows connections from .2, which is where I was.
Note: you need to chmod 600 nleeson_key before you ssh -i.
sandieshaw@puppet:/tmp$ ssh -i /tmp/nleeson_key nleeson@192.168.122.3
Enter passphrase for key '/tmp/nleeson_key':
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 4.4.0-57-generic x86_64)
* Documentation: https://help.ubuntu.com/
System information as of Wed Aug 9 16:18:34 BST 2017
System load: 0.31 Processes: 109
Usage of /: 75.8% of 1.59GB Users logged in: 0
Memory usage: 11% IP address for eth0: 192.168.122.3
Swap usage: 0%
Graph this data and manage this system at:
https://landscape.canonical.com/
It asked me for the password even though I had the key. So I provided 'joshua', and it passed.
Good! I'm in! (192.168.122.3) :D
Time for a break. Let's call it part 2; I'll publish part 3 soon.
Thank you for watching.
Best!