Ok, super fun box.
It has a few very interesting distractors but they’re very educational.
1. Find TCP 22/80 open but 22 is almost never fruitful so we’ll ignore it.
2. Gobuster/feroxBuster/Dirbuster, whichever you use to discover some interesting directories: (But nothing useful)
Dirbuster
+ GET /admin/: Directory indexing found.
+ GET /img/: Directory indexing found.
+ GET /manual/images/: Directory indexing found.
+ GET /image/: Directory indexing found.
+ GET /admin/: This might be interesting.
+ GET /img/: This might be interesting.
3. Distractor 1: Dirbuster found a directory called /bulma that had a file called hahahaha.wav that contains morse code.
I can’t decode that stuff in my head yet so I used a Morse Code decoder: https://morsecode.world/international/decoder/audio-decoder-adaptive.html
Upload it and it shows you this: USUSER : TRUNKS PASSWORD : US3R(S IN DOLLARS SYMBOL)
Translation from script kiddie speak: user: trunks, password u$3r so, $ssh trunks@targetIP and use password u$3r to get a basic SSH shell. Good progress.
Cat the /home/trunks/local.txt to get flag 1.
Check the .bash_history file to find a password of Password@973 and user of Tom who doesn’t exist on the box.
BUT, Holy cow! Check the perms on /etc/passwd: 1311946 4.0K -rw-r–r– 1 trunks root 1.5K Jun 28 2020 /etc/passwd
See it? Owner is Trunks and Group is Root.
That means we can inject an account into that file and su to it, sooo:
echo “Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash” >> /etc/passwd
$su Tom with password we found in the .bash_history file of Password@973 to become root.
cd to /root/ for proof.txt for the 2nd flag to pwn the box.
4. Distractor 2:
Interesting but robots.txt says find_me, which is a dir that contains http://192.168.133.73/find_me/find_me.html
Open that you’ll see tags but scroll way down to line 276 and you’ll see base64 double encoding. Hmm. What’s in there?
It contains invalid base64 encoding so use this string to decode it:
cat b64.txt | sed ‘s///’ | base64 -d | base64 -d > qr-code.png
Now, I scanned the QR code with my phone, didn’t show anything useful so we’ll have to upload it to xzing to see what it is. (A QR Code decoder at zxing.org/w/decode)
We see a password of topshelv but it doesn’t work anywhere BUT, it’s interesting to know we have a site to decode QR codes for us AND that the base64 was double encoded to see if you aware you can un-base64 files multiple times to find things.
Anyway, that was fun!
I usually hate distractors but those two were fascinating.