Press "Enter" to skip to content

Vulnhub Analoguepond 1 Walkthrough: Part 3

Hi fellows,

I finally managed to solve the last part of this CTF challenge. If you have not read the first two parts, you can find them here (Part1, Part2). So let me now continue with the last part. As always, ***SPOILER ALERT***

We left the second part with root privileges on the puppet machine and the first flag in folder /root/protovision/.

In this folder we also found

# ls -al
total 24
drwxr-xr-x 3 root root 4096 Dec 21  2016 .
drwx------ 4 root root 4096 Jan  7 17:49 ..
-rw-r--r-- 1 root root  401 Dec 21  2016 flag1.txt.0xff
drwxr-xr-x 3 root root 4096 Dec 21  2016 .I_have_you_now
-rw-r--r-- 1 root root   39 Dec 17  2016 jim
-rw-r--r-- 1 root root   53 Dec 17  2016 melvin

Having a look at the flag, I only saw a stream of numbers and letters. However, the extension 0xff gave me the hint of a hexadecimal representation. Therefore, I converted the content of the flag into ascii which gave another stream of numbers and characters. This stream though looked pretty much like a base64 encoded string in reversed order.

# cat flag1.txt.0xff | xxd -r -p | rev | base64 --decode If this doesn't work, watch Wargames from 23 minutes in, you might find a password there or something...

Another hint. Before having a look at this video, I checked the other two files jim and melvin. Both files contain a string with a missing word. I assumed that those missing words will be some kind of passwords or similar and probably could be found in the video.

# cat jim
Mr Potato Head! Backdoors are not a...
# cat melvin
Boy you guys are dumb! I got this all figured out...

And indeed, the video reveals the two answers. The first one is secret and the second one myself. Having that, I continued examining the folder .I_have_you_now. This folder contained a folder-chain containing folders of only one letter. Arriving at the end of this chain, there were some interesting files.

# pwd
# ls -al
total 16
drwxr-xr-x 2 root root 4096 Dec 21  2016 .
drwxr-xr-x 3 root root 4096 Dec 18  2016 ..
---x------ 1 root root    7 Dec 18  2016 my_world_you_are_persistent_try
-rw-r--r-- 1 root root 1420 Dec 21  2016 nleeson_key.gpg

The first one only contains the word joshua. The second one seems to be a key that is encrypted with gpg. I copied the key on my local Kali machine, because somehow the decryption did not work on the box. In order to decrypt the key, I assumed that the password would be something we just learned. Indeed, the password was secret. And cool, the decrypted key is a ssh-key probably to the third machine. So I tried to log into this third machine with the key and username nleeson. Unfortunately, the key is again protected with a password. I tried the other words we have learned and surprisingly, joshua worked.

ssh nleeson@ -i nleeson_key
Enter passphrase for key 'nleeson_key': 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 4.4.0-57-generic x86_64)

 * Documentation:

  System information as of Sun Jul  2 17:40:06 BST 2017

  System load:  0.63              Processes:           112
  Usage of /:   69.8% of 1.59GB   Users logged in:     0
  Memory usage: 11%               IP address for eth0:
  Swap usage:   0%

  Graph this data and manage this system at:

nleeson@barringsbank:~$ ls

The home folder of nleeson only contains the image which we have already seen on eric’s machine. I examined the machine as always, but I could not find anything special here. Then it came in my mind that this machine is also managed by the puppet server, so I thought I might copy the modified spin binary onto this machine too. So I changed the config file on the puppet machine accordingly as we already have seen in the second part. After executing the spin binary I again had root access to nleeson’s machine. (Notice, that with the same approach, one could have also placed a new ssh key on nleeson’s machine and wouldn’t have to decrypt the key)

nleeson@barringsbank:/tmp$ ./spin 
# whoami
# cd /root
# ls

To be honest, I assumed that I would find the second and last flag in this folder. However, I only found another image. At this point I was stuck for a longer time. After a while, I started examining all the images. I compared the two reticulatingsplines.gif but they were exactly the same, I checked exif data of all the images, but nothing. Finally, I checked the images for hidden files and found that me.jpeg indeed contained another file.

root@kali:~/# steghide --info me.jpeg 
  format: jpeg
  capacity: 11.9 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "primate_egyptian_flag.txt":
    size: 3.7 KB
    encrypted: rijndael-128, cbc
    compressed: yes
root@kali:~/# steghide extract -sf me.jpeg 
Enter passphrase: 
wrote extracted data to "primate_egyptian_flag.txt".

The password to extract the file was reticulatingsplines. This new file again contained a bunch of lines with numbers and letters which again reminded me of hexadecimal. Decoding it, resulted in another string that again looks similar to a base64 encoded string. However, there seemed to be something off. The string ‘gACI’ was all over the place. It was also not possible to decode it further. I then simply tried to remove all those ‘gACI’s which resulted in a string that looks even more like a base64 encoded one. Unfortunately, I still was not able to decode it. I remembered that the equal sign was usually at the end of a base64 encoded string so I tried to reverse every single line. After removing all the new lines, it finally worked!

root@kali:~# cat primate_egyptian_flag.txt | xxd -r -p | sed 's/gACI//g' | rev | tr -d '\n' | base64 --decode

Here's a fender bass for you...

    ,-.  _.---._
  |  `\.__.-'' `.
\  _  _  ,.   \
  ,+++=._________________)_||______|_|_|| |
 (||======|=|=|| |
 ~~'  |  ~'   `~' o o  /
 \   /~`\  o o  /
  `~' `-.____.-' 

Congratulations to you once again and for the sixth time on capturing this

I've tried to mix things up a bit here, to move away from throw metasploit
and web exploits at things. I hope you have enjoyed that portion and your
feedback on this aspect would be appreciated.

Of note, these VMs are set to do automatic security updates using puppet,
so this ought to keep things dynamic enough for people.

Many thanks to mrB3n, Rand0mByteZ and kevinnz for testing this CTF.

A special thank you to g0tmi1k for hosting all these challenges and the
valuable advice. A tip of the hat to mrb3n for his recent assistance. Hit
me on IRC or twitter if you are looking for a hint or have completed the

Go on, Complete the circle: 06:30 to 07:45 of episode #1 of Our Friends In
The North (C) BBC 1995.. What's the connection....?

Finally, the last flag is found and the box solved! As always, if you have any hints or recommendations, do not hesitate to contact me either directly or by leaving a comment. Also, let me know if you like this style of walkthrough or if I need to change something.


Comments are closed.