This CTF is a follow-up to the Wonderland CTF. I have a writeup for that one as well.
To start, let's begin with some enumeration using Nmap. You will notice thousands of open ports. To make this easier on myself I will use nmapAutomator. I have just started to use this tool and I really appreciate the time it saves me during enumeration.
Ports 9000-14000 are all running an sshd service. We will attempt to connect to a few of these.
ssh <ip> -p <port>
If you receive the following error: "Unable to negotiate with 10.10.217.176 port 9000: no matching host key type found. Their offer: ssh-rsa", you can add the following lines to "/etc/ssh/ssh_config":
HostKeyAlgorithms = +ssh-rsa
PubkeyAcceptedAlgorithms = +ssh-rsa
After attempting to connect to the host through SSH on any port between 9000-14000 you will be met with the message "Lower" or "Higher". The hint for this room calls a looking glass a mirror, and in a mirror image most things are reversed. So, when you connect to the host on a port and it says "Lower", you actually need to go higher.
The hint for our first flag also mentions "O(log n)", which refers to halving the search range on every step to make the search more efficient. So start at port 12000: if it outputs "Lower", go to port 13000, or if it outputs "Higher", try port 11000. Repeat this process until you have found the correct port. This port changes every time the machine is restarted. If this machine takes you more than two hours to complete (like me), ensure that you extend the timer, or you will have to start the search all over again.
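The bisection described above as an added example (not code from the original writeup): the SSH banner is replaced by a constructed oracle that mimics the room's mirrored "Lower"/"Higher" replies, so the search can be run offline; `make_oracle` and `find_port` are names chosen here.

```python
# Added example: binary search over the 9000-14000 port range using the room's
# inverted hints ("Lower" means the target port is higher, and vice versa).
# The real sshd banner is replaced by a constructed oracle so this runs offline.

LOW, HIGH = 9000, 14000


def make_oracle(secret_port):
    """Constructed stand-in for the SSH banner of each port."""
    def oracle(port):
        if port == secret_port:
            return "Found"
        # Mirror logic: the service says "Lower" when you actually need to go higher.
        return "Lower" if port < secret_port else "Higher"
    return oracle


def find_port(oracle, low=LOW, high=HIGH):
    """Bisect [low, high]; returns (port, number_of_probes) or (None, probes)."""
    probes = 0
    while low <= high:
        mid = (low + high) // 2
        probes += 1
        answer = oracle(mid)
        if answer == "Found":
            return mid, probes
        if answer == "Lower":      # target is above mid
            low = mid + 1
        elif answer == "Higher":   # target is below mid
            high = mid - 1
        else:
            raise ValueError(f"unexpected response {answer!r}")
    return None, probes


if __name__ == "__main__":
    port, probes = find_port(make_oracle(12345))
    print(f"found port {port} after {probes} probes")
```

With 5001 candidate ports the search never needs more than 13 probes, which is the O(log n) behaviour the hint refers to.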
This immediately jumped out as some type of cipher to me. I copied and pasted its contents into my favorite cipher detection website. This website correctly detected a Vigenère cipher, and while we do not have a key, we can raise our max key length to 20 and select "Auto Solve (without key)."
Once the auto solve has completed we can decode the full poem.
Let's use our secret when attempting to connect to our identified SSH port.
A set of credentials has been revealed! This password is randomly generated each time, so there is no need to obfuscate it in any way.
These credentials will allow us to log into SSH on port 22 as the user jabberwock.
Once we've logged in via SSH as jabberwock, let's start by using "ls -la" to list all files and their permissions, as well as "sudo -l" to see if we can execute commands as other users.
We've found the user flag in jabberwock's home directory. The flag is reversed. Simply use any online tool or command to reverse the text.
We also see that "user jabberwock may run the follow commands on looking-glass: (root) NO PASSWD: /sbin/reboot". You will see why this is useful in a moment.
There are two more files of note: poem.txt and "twasBrillig.sh". The bash script is writable by us.
Let's perform some enumeration with LinPEAS to paint a full picture. wget is available on this machine. Let's host a simple Python server on our attacking machine to serve LinPEAS to our victim machine, "python3 -m http.server 8080". Don't forget to give LinPEAS permission to run on the victim machine with "chmod +x linpeas.sh". Let's execute LinPEAS and examine the results.
Under the Cron Jobs section of the LinPEAS output, we can see that upon reboot "twasBrillig.sh" will run.
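The misconfiguration being abused here is a cron job whose script is writable by a less privileged user. As an added example (not from the original writeup or from LinPEAS), the audit below parses system-crontab style entries and flags any job whose script is group- or world-writable; the crontab text and the script files are constructed fixtures, and the function names are chosen here.

```python
# Added example: flag cron jobs whose target script can be modified by other users.
# The crontab content and script files below are constructed for the demo.
import os
import stat
import tempfile


def parse_system_crontab(text):
    """Return (schedule, user, command) tuples from /etc/crontab-style lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or environment assignment such as SHELL=
        if line.startswith("@"):              # @reboot / @daily style schedule
            parts = line.split(None, 2)
        else:                                 # five time fields, then user, then command
            fields = line.split(None, 6)
            parts = [" ".join(fields[:5])] + fields[5:]
        if len(parts) == 3:
            jobs.append(tuple(parts))
    return jobs


def writable_by_others(path):
    """True if the file's group or world write bit is set."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_risky_jobs(crontab_text):
    """Jobs whose script (first word of the command) is writable by group/others."""
    risky = []
    for schedule, user, command in parse_system_crontab(crontab_text):
        script = command.split()[0]
        if os.path.isfile(script) and writable_by_others(script):
            risky.append((schedule, user, script))
    return risky


def demo():
    """Constructed fixture: one world-writable @reboot script, one locked-down script."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "twasBrillig.sh"), os.path.join(d, "cleanup.sh")
    for path, mode in ((bad, 0o777), (good, 0o755)):
        with open(path, "w") as f:
            f.write("#!/bin/bash\necho placeholder\n")
        os.chmod(path, mode)
    crontab = f"SHELL=/bin/sh\n@reboot tweedledum {bad}\n0 * * * * root {good} --quiet\n"
    return find_risky_jobs(crontab)
```

Run against a real host, the same check over /etc/crontab and /etc/cron.d would have surfaced the writable "twasBrillig.sh" before anyone needed a reboot to exploit it.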
With this information in mind, let's start a netcat listener in a separate terminal and re-write the contents of twasBrillig.sh with a bash reverse shell one liner.
I typically use https://www.revshells.com/ for this.
Now that we have a basic reverse shell as tweedledum, let's try to upgrade it to a fully interactive TTY shell. https://zweilosec.github.io/posts/upgrade-linux-shell/
Running "sudo -l" shows us that we can run the command "/bin/bash" as tweedledee.
Navigating to /home/tweedledee we find two files. We are interested in "humptydumpty.txt". Printing its contents with cat reveals several hashes. Let's plug these into hashes.com.
There is a user "humptydumpty", so let's try to log on via SSH using these credentials.
Once logged in as humptydumpty, take a look at /home's permissions. We have write permissions to alice's directory.
After fumbling around for quite some time, I eventually found an RSA private key for Alice. Download this to your attack machine and change its permissions with "chmod 600 <keyfile>". Then use the "-i" option to use this key to log in as alice.
Earlier, while going through the LinPEAS output I noticed the following:
Notice that ssalg-gnikool is "looking-glass" reversed. This was not a privilege escalation technique I was aware of. "ssalg-gnikool" refers to a host in the sudoers rule. After reading through the sudo manual I found the "-h" option, which allows us to specify a host.
From here it's as simple as grabbing the root flag from the "/root" directory.
You may also notice that the random passwords generated for the user jabberwock are created using the scripts located here. In a real world scenario, this would allow us to achieve persistence without creating any new files.
This room offered a couple of exploitation techniques that I had never used before and required some research on my part. I thoroughly enjoyed creating this writeup and hopefully it helps you.