CTF-Writeups/HackMyVM/Twisted.md
2021-01-12 11:06:28 +05:00

HackMyVM-Twisted

NMAP

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-12 09:38 PKT
Nmap scan report for 192.168.1.66
Host is up (0.00018s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 67:63:a0:c9:8b:7a:f3:42:ac:49:ab:a6:a7:3f:fc:ee (RSA)
|   256 8c:ce:87:47:f8:b8:1a:1a:78:e5:b7:ce:74:d7:f5:db (ECDSA)
|_  256 92:94:66:0b:92:d3:cf:7e:ff:e8:bf:3c:7b:41:b7:5a (ED25519)
MAC Address: 08:00:27:72:46:36 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.92 seconds

PORT 80

On the web page we see two images, and a hint that one of them is different, which means there is some steganography involved.

I ran stegcracker on both images and found two messages.

In markus's directory we see a note that mentions bonita's SSH private key.

Going to the web directory we find a gogo.wav file, so let's download it to our machine and analyze it!

I uploaded this file, as it was Morse code, to an online Morse code analyzer, and it turned out to be a rabbit hole.

So the only option left for me was to run linpeas.

I found that there was a capability set on tail, which works much like a SUID bit. We cannot read the id_rsa we found for bonita directly, but we can read it through the tail command. Tail prints only the last ten lines of a file by default, so we need to tell it to print the last 30 or 40 lines to get the whole id_rsa key.
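The finding above is the kind of thing an administrator can catch before a box is compromised. As an added defensive example that is not part of the original writeup, the script below parses `getcap -r /` output (linpeas runs the same command), handles both the older `path = caps+flags` and the newer `path caps=flags` output formats, and flags binaries carrying capabilities that bypass file permission checks or are root-equivalent. The sample getcap lines are constructed for the example and are not taken from the Twisted machine; the `RISKY_CAPS` table and function names are mine.

```python
"""Audit file capabilities from a defender's seat.

Parses `getcap -r /` output and flags binaries that carry capabilities
letting a process read or alter files regardless of their permissions,
or otherwise act as root. cap_dac_read_search on tail is the case from
the writeup: it bypasses read-permission checks on every file.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Set, Tuple

# Capabilities worth flagging and why (hypothetical table for this example).
RISKY_CAPS: Dict[str, str] = {
    "cap_dac_read_search": "bypasses read and directory-search permission checks",
    "cap_dac_override": "bypasses read, write and execute permission checks",
    "cap_chown": "can change file ownership",
    "cap_fowner": "bypasses owner checks (chmod, utimes, ...)",
    "cap_setuid": "can change its own UID (root equivalent)",
    "cap_setgid": "can change its own GID",
    "cap_sys_admin": "catch-all admin capability (mount and more)",
    "cap_sys_ptrace": "can trace and inject into other processes",
    "cap_sys_module": "can load kernel modules",
}

# Constructed sample of `getcap -r / 2>/dev/null` output, mixing both formats.
SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep
/usr/bin/python3.7 cap_setuid=ep
"""

_CAP_NAME = re.compile(r"cap_[a-z_]+")


def parse_getcap_line(line: str) -> Optional[Tuple[str, Set[str]]]:
    """Return (path, {capability names}) for one getcap line, or None for noise."""
    line = line.strip()
    if not line or "cap_" not in line:
        return None
    if " = " in line:                       # libcap < 2.41: "/path = cap_x+ep"
        path, caps = line.split(" = ", 1)
    else:                                   # libcap >= 2.41: "/path cap_x=ep"
        path, _, caps = line.partition(" ")
    return path, set(_CAP_NAME.findall(caps))


def audit_getcap_output(text: str) -> List[Dict[str, str]]:
    """Return one finding per (binary, risky capability), in input order."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        parsed = parse_getcap_line(raw)
        if parsed is None:
            continue
        path, caps = parsed
        for cap in sorted(caps & set(RISKY_CAPS)):
            findings.append({"path": path, "cap": cap, "why": RISKY_CAPS[cap]})
    return findings


def audit_live_system() -> List[Dict[str, str]]:
    """Run getcap on this host if it is installed; otherwise report nothing."""
    if shutil.which("getcap") is None:
        return []
    result = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True)
    return audit_getcap_output(result.stdout)


if __name__ == "__main__":
    # Demo on the constructed sample; swap in audit_live_system() on a real host.
    for finding in audit_getcap_output(SAMPLE_GETCAP_OUTPUT):
        print(f"{finding['path']}: {finding['cap']} ({finding['why']})")
```

On the sample input, `ping` with `cap_net_raw` is not reported, while `tail` and `python3.7` are. A flagged capability on a general-purpose tool such as tail has no legitimate use and can be cleared with `setcap -r /usr/bin/tail`; the script is also a reasonable thing to run from a cron job and diff against a known-good baseline.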

There is a SUID binary, but when run it says WRONG CODE, so let's transfer it to our machine and analyze the binary.

Using Ghidra I saw that it compares a variable with the hex value 0x16f8.

Convert the hex value to its decimal value.