I finally managed to solve the last part of this CTF challenge. If you have not read the first two parts, you can find them here (Part1, Part2). So let me now continue with the last part. As always, ***SPOILER ALERT***
We left the second part with root privileges on the puppet machine and the first flag in folder
In this folder we also found
# ls -al total 24 drwxr-xr-x 3 root root 4096 Dec 21 2016 . drwx------ 4 root root 4096 Jan 7 17:49 .. -rw-r--r-- 1 root root 401 Dec 21 2016 flag1.txt.0xff drwxr-xr-x 3 root root 4096 Dec 21 2016 .I_have_you_now -rw-r--r-- 1 root root 39 Dec 17 2016 jim -rw-r--r-- 1 root root 53 Dec 17 2016 melvin
Having a look at the flag, I only saw a stream of numbers and letters. However, the extension 0xff gave me the hint of a hexadecimal representation. Therefore, I converted the content of the flag into ascii which gave another stream of numbers and characters. This stream though looked pretty much like a base64 encoded string in reversed order.
# cat flag1.txt.0xff | xxd -r -p | rev | base64 --decode https://www.youtube.com/watch?v=GfJJk7i0NTk If this doesn't work, watch Wargames from 23 minutes in, you might find a password there or something...
Another hint. Before having a look at this video, I checked the other two files
melvin. Both files contain a string with a missing word. I assumed that those missing words will be some kind of passwords or similar and probably could be found in the video.
# cat jim Mr Potato Head! Backdoors are not a... # cat melvin Boy you guys are dumb! I got this all figured out...
And indeed, the video reveals the two answers. The first one is secret and the second one myself. Having that, I continued examining the folder
.I_have_you_now. This folder contained a folder-chain containing folders of only one letter. Arriving at the end of this chain, there were some interesting files.
# pwd /root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z # ls -al total 16 drwxr-xr-x 2 root root 4096 Dec 21 2016 . drwxr-xr-x 3 root root 4096 Dec 18 2016 .. ---x------ 1 root root 7 Dec 18 2016 my_world_you_are_persistent_try -rw-r--r-- 1 root root 1420 Dec 21 2016 nleeson_key.gpg
The first one only contains the word
joshua. The second one seems to be a key that is encrypted with
gpg. I copied the key on my local Kali machine, because somehow the decryption did not work on the box. In order to decrypt the key, I assumed that the password would be something we just learned. Indeed, the password was
secret. And cool, the decrypted key is a ssh-key probably to the third machine. So I tried to log into this third machine with the key and username
nleeson. Unfortunately, the key is again protected with a password. I tried the other words we have learned and surprisingly,
ssh firstname.lastname@example.org -i nleeson_key Enter passphrase for key 'nleeson_key': Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 4.4.0-57-generic x86_64) * Documentation: https://help.ubuntu.com/ System information as of Sun Jul 2 17:40:06 BST 2017 System load: 0.63 Processes: 112 Usage of /: 69.8% of 1.59GB Users logged in: 0 Memory usage: 11% IP address for eth0: 192.168.122.3 Swap usage: 0% Graph this data and manage this system at: https://landscape.canonical.com/ nleeson@barringsbank:~$ ls reticulatingsplines.gif nleeson@barringsbank:~$
The home folder of nleeson only contains the image which we have already seen on eric’s machine. I examined the machine as always, but I could not find anything special here. Then it came in my mind that this machine is also managed by the puppet server, so I thought I might copy the modified
spin binary onto this machine too. So I changed the config file on the puppet machine accordingly as we already have seen in the second part. After executing the spin binary I again had root access to nleeson’s machine. (Notice, that with the same approach, one could have also placed a new ssh key on nleeson’s machine and wouldn’t have to decrypt the key)
nleeson@barringsbank:/tmp$ ./spin # whoami root # cd /root # ls me.jpeg
To be honest, I assumed that I would find the second and last flag in this folder. However, I only found another image. At this point I was stuck for a longer time. After a while, I started examining all the images. I compared the two
reticulatingsplines.gif but they were exactly the same, I checked exif data of all the images, but nothing. Finally, I checked the images for hidden files and found that
me.jpeg indeed contained another file.
root@kali:~/# steghide --info me.jpeg "me.jpeg": format: jpeg capacity: 11.9 KB Try to get information about embedded data ? (y/n) y Enter passphrase: embedded file "primate_egyptian_flag.txt": size: 3.7 KB encrypted: rijndael-128, cbc compressed: yes root@kali:~/# steghide extract -sf me.jpeg Enter passphrase: wrote extracted data to "primate_egyptian_flag.txt". root@kali:~/#
The password to extract the file was
reticulatingsplines. This new file again contained a bunch of lines with numbers and letters which again reminded me of hexadecimal. Decoding it, resulted in another string that again looks similar to a base64 encoded string. However, there seemed to be something off. The string ‘gACI’ was all over the place. It was also not possible to decode it further. I then simply tried to remove all those ‘gACI’s which resulted in a string that looks even more like a base64 encoded one. Unfortunately, I still was not able to decode it. I remembered that the equal sign was usually at the end of a base64 encoded string so I tried to reverse every single line. After removing all the new lines, it finally worked!
root@kali:~# cat primate_egyptian_flag.txt | xxd -r -p | sed 's/gACI//g' | rev | tr -d '\n' | base64 --decode Here's a fender bass for you... ,-. _.---._ | `\.__.-'' `. \ _ _ ,. \ ,+++=._________________)_||______|_|_|| | (_.ooo.===================||======|=|=|| | ~~' | ~' `~' o o / \ /~`\ o o / `~' `-.____.-' Congratulations to you once again and for the sixth time on capturing this flag! I've tried to mix things up a bit here, to move away from throw metasploit and web exploits at things. I hope you have enjoyed that portion and your feedback on this aspect would be appreciated. Of note, these VMs are set to do automatic security updates using puppet, so this ought to keep things dynamic enough for people. Many thanks to mrB3n, Rand0mByteZ and kevinnz for testing this CTF. A special thank you to g0tmi1k for hosting all these challenges and the valuable advice. A tip of the hat to mrb3n for his recent assistance. Hit me on IRC or twitter if you are looking for a hint or have completed the challenge. Go on, Complete the circle: 06:30 to 07:45 of episode #1 of Our Friends In The North (C) BBC 1995.. What's the connection....? --Knightmare root@kali:~#
Finally, the last flag is found and the box solved! As always, if you have any hints or recommendations, do not hesitate to contact me either directly or by leaving a comment. Also, let me know if you like this style of walkthrough or if I need to change something.