Please note this challenge does not require SSH brute forcing.
Use your skills to access the user and root account!
Enum
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-28 05:52 PDT
Nmap scan report for 10.10.74.217
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 316212daabd7a9dd08220a7dabf2ecc1 (RSA)
| 256 2dc5fa0a71a1fb32afbb6ba3f53ab8a4 (ECDSA)
|_ 256 238e09f31d5f70ec8e54286bcc8d3239 (ED25519)
80/tcp open http Apache httpd 2.4.48 ((Ubuntu))
|_http-title: CyberHeros : Index
|_http-server-header: Apache/2.4.48 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.25 seconds
While Nmap was running I went to the webpage, and it looked like a standard fresh Apache install. So I inspected the page source, not expecting to find anything, but I did find a comment that said “They will never find me.” right below an image link, thm.jpg.
So I curled the image to play around with it. It did not open; I thought maybe its file extension had been changed. So I changed it to .png. Still no luck. I remembered a room called Magic Numbers, where the header of a file can be changed to make it look like a different type of file. I opened it up in hexeditor and changed the header to JPEG.
That was it! I was able to open the image and found this.
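The header trick above is easy to check for programmatically. The following is an added example, not code from the original write-up: it sniffs a file's magic bytes the way `file` does, applies a heuristic for a JPEG whose leading bytes were overwritten (no known signature at offset 0, but the JFIF/Exif segment name at offset 6 and the end-of-image marker are still there), and writes the SOI marker back over the first three bytes. The `demo()` bytes are constructed, not the real thm.jpg, and the assumption that only the first three bytes were tampered with is exactly that, an assumption.

```python
"""Magic-number check and header repair for an image whose leading bytes
were tampered with.  Added example, not code from the original write-up;
the sample bytes in demo() are constructed, not the real thm.jpg."""
import sys
from typing import Optional

# Well-known signatures at offset 0 (what the `file` command matches on).
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
}
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker plus first byte of the APPn marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def sniff(data: bytes) -> Optional[str]:
    """Return the type implied by the magic bytes, or None if nothing matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def looks_like_damaged_jpeg(data: bytes) -> bool:
    """Heuristic for a JPEG whose header was overwritten: no known signature
    at offset 0, but the JFIF/Exif segment name (offset 6) and the trailing
    EOI marker are still present."""
    return (sniff(data) is None
            and data[6:10] in (b"JFIF", b"Exif")
            and data.endswith(JPEG_EOI))


def repair_jpeg_header(data: bytes) -> bytes:
    """Put the SOI marker back over the first three bytes and leave the rest
    of the file alone.  Assumes only the leading bytes were changed, which is
    the whole trick behind the "magic numbers" room (an assumption here)."""
    if len(data) < 4:
        raise ValueError("too short to be a JPEG")
    return JPEG_SOI + data[3:]


def demo() -> bytes:
    """Constructed stand-in for a tampered file: a JFIF header whose first
    three bytes were zeroed, followed by a dummy body and a valid EOI."""
    header = b"\x00\x00\x00\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return header + b"\x00" * 16 + JPEG_EOI


def main(argv):
    # Usage: python3 magic.py suspicious.jpg   -> writes suspicious.jpg.fixed
    if len(argv) != 2:
        print(__doc__)
        return 1
    with open(argv[1], "rb") as fh:
        data = fh.read()
    print(f"{argv[1]}: sniffed as {sniff(data)}")
    if sniff(data) is None and looks_like_damaged_jpeg(data):
        out = argv[1] + ".fixed"
        with open(out, "wb") as fh:
            fh.write(repair_jpeg_header(data))
        print(f"wrote repaired copy to {out}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If the file still will not open after the repair, more than the first few bytes were changed and a hex editor comparison against a known-good JPEG is the next step; the heuristic deliberately refuses to touch anything that does not still carry a JFIF/Exif segment and an EOI marker.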
When I went to the page I was greeted with a message that said
“Welcome! I have been expecting you!”
“To obtain my identity you need to guess my secret!”
“Secret Enter:”
“That is wrong! Get outta here!”
So I viewed the source code and there was a comment again that read:
“It’s between 0-99 but I don’t think anyone will look here”
This ended up taking me some time to figure out.
I won't share with you all the things that I tried. I ended up trying ?secret=1 at the end of the URL, which loaded up the page with Secret Entered: 1.
So I was on the right track. I made a quick wordlist 0-99 and tossed it into Burp.
There it was: 73 had a different length. So I viewed the webpage with secret 73 at the end and got this message.
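The Burp step above is a length-based outlier search over 100 candidates, and it is small enough to script. The following is an added example, not the write-up's own tooling: it requests `?secret=0` through `?secret=99`, computes a signature for each response with the echoed guess stripped out (so that 7 and 73 are not reported as different merely because one more digit was reflected), and reports every guess whose signature does not match the most common one. The base URL is an assumption, since the page path is not given above, and `demo_fetch` is a constructed stand-in for the server whose winning message is a placeholder, not the real one.

```python
"""Enumerate ?secret=0..99 and flag the value whose response differs from
the rest, the same idea as sorting by length in Burp.  Added example, not
the write-up's own tooling.  The base URL is an assumption (the real page
path is not given), and demo_fetch is a constructed stand-in for the
server whose winning message is a placeholder, not the real one."""
import sys
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable, Dict, Iterable


def http_fetch(url: str, timeout: float = 5.0) -> bytes:
    """GET the URL and return the body; an HTTP error page is a body too."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        return err.read()


def build_url(base: str, param: str, value: int) -> str:
    return base + "?" + urllib.parse.urlencode({param: value})


def signature(body: bytes, value: int) -> int:
    """Response length with the echoed guess removed, so the digit count of
    the guess does not masquerade as a different response."""
    return len(body.replace(str(value).encode(), b"", 1))


def find_outliers(base: str, param: str = "secret",
                  values: Iterable[int] = range(100),
                  fetch: Callable[[str], bytes] = http_fetch) -> Dict[int, int]:
    """Return {value: signature} for every guess whose response does not
    match the most common (wrong-guess) response."""
    sigs = {v: signature(fetch(build_url(base, param, v)), v) for v in values}
    baseline = Counter(sigs.values()).most_common(1)[0][0]
    return {v: s for v, s in sigs.items() if s != baseline}


# --- offline stand-in for the target (constructed) -------------------------
DEMO_SECRET = 73  # assumption for the demo only


def demo_fetch(url: str) -> bytes:
    """Answer like the challenge page: the wrong-guess text is quoted from
    the room; the winning text is a placeholder, not the real message."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    value = int(qs.get("secret", ["-1"])[0])
    if value == DEMO_SECRET:
        return b"<placeholder: the real message for the right secret is not shown here>"
    return f"Secret Entered: {value}\nThat is wrong! Get outta here!".encode()


def main(argv):
    # Usage: python3 secret_enum.py http://10.10.74.217/<page>/   (real target)
    #        python3 secret_enum.py --demo                        (offline)
    if len(argv) != 2:
        print(__doc__)
        return 1
    if argv[1] == "--demo":
        hits = find_outliers("http://example.invalid/", fetch=demo_fetch)
    else:
        hits = find_outliers(argv[1])
    for value, sig in sorted(hits.items()):
        print(f"secret={value}: response signature {sig} differs from baseline")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The same outlier logic works for any small keyspace; the point of stripping the reflected value before comparing is that a raw length sort, as in Burp, puts 0-9 and 10-99 into two groups on its own, which is noise you have to look past to see the real hit.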
So it had to be a username or a password. I tried a bunch of classic ciphers thinking maybe that was the username. No luck. So then I thought it has to be a password. But a password for what? With no username, it can't be for SSH. Then my mind went back to the only thing we had, which was the image. Stego!! So I tossed the password into a file and ran stegseek. Sure enough, it worked!
Now I knew this was a ROT cipher from the hint that was given in the room. Yes, I used the hint many times hoping it would give me a different one. So I tossed wbxre into CyberChef and, sure enough, I got the name joker, which at this point seemed about right. So I tried to SSH in with the username joker and the password from before. Failed!! Of course I did; no way it would be that simple. Now at this point I was stuck for a few days. I ran gobuster on the website hoping to find something, maybe another image. Then I remembered reading on the forums or Discord or somewhere, someone said think outside the box, which, looking back at the clue, was perfect!! Because there is another image, and everyone doing this box has seen it. But it is not in the container.
Yeah, a few choice words came out of my mouth too, and then a smile.
I ran stegseek with the rockyou list and got this.
We have an SSH password and a username!!!!!
I logged in as [email protected] with the password above. Finally I had a user, and I grabbed the flag.
Going through the LinPEAS output I spotted something that stood out among the SUIDs.
I checked a few against GTFOBins but came up short. But something seemed off about screen-4.5.0. I don't think I have seen it before, or seen LinPEAS say unknown SUID binary before. A quick Google and, would you believe the luck, it was the first result.
I went to Exploit DB, copied the code, saved it in a file, ran my Python server again, uploaded it, ran chmod +x on the file and ran it.
Game over. I was root. As I said, getting root was the easy part. This box has a good name; it was a pain. But nothing really was hard about it. You just had to think differently. The puzzles were not hard, but finding the puzzle was a challenge. I hated this box while doing it, but I also loved the box while doing it. You just have to think outside the box.
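What LinPEAS is doing when it labels something an unknown SUID binary is comparing the setuid files it finds against a list of stock helpers, and the same check is worth having as a stand-alone script when you cannot drop LinPEAS on a box. The following is an added example, not the write-up's tooling or LinPEAS's code: it walks the filesystem for regular files with the setuid bit (the equivalent of `find / -perm -4000 -type f`), skips the pseudo-filesystems, and prints whatever is not on the expected list. `EXPECTED_SUID` is an assumption, a short list of helpers normally setuid on Ubuntu 20.04 rather than an authoritative inventory, and `demo()` builds a constructed temp tree instead of scanning `/`.

```python
"""List setuid binaries and flag the ones that are not stock distro helpers,
roughly what LinPEAS is doing when it marks an "unknown SUID binary".  Added
example, not the write-up's tooling.  EXPECTED_SUID is an assumption (a short
list of helpers normally setuid on Ubuntu 20.04), not an authoritative
inventory; demo() builds a constructed temp tree rather than scanning /."""
import os
import stat
import sys
import tempfile
from typing import Iterable, Iterator, List

# Assumption: helpers that are setuid root on a stock Ubuntu 20.04 install.
EXPECTED_SUID = {
    "passwd", "su", "sudo", "mount", "umount", "chsh", "chfn", "gpasswd",
    "newgrp", "fusermount", "pkexec", "ssh-keysign",
    "dbus-daemon-launch-helper", "polkit-agent-helper-1",
}
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def iter_suid(root: str = "/") -> Iterator[str]:
    """Yield regular files under root with the setuid bit set, the same thing
    as `find / -perm -4000 -type f`, without following symlinks."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        if dirpath in SKIP_DIRS:
            dirnames[:] = []        # do not descend into pseudo-filesystems
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:         # unreadable or vanished: skip it
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path


def unexpected(paths: Iterable[str]) -> List[str]:
    """Return, sorted, the paths whose basename is not an expected helper."""
    return sorted(p for p in paths if os.path.basename(p) not in EXPECTED_SUID)


def demo() -> List[str]:
    """Constructed tree: a setuid 'passwd' (expected), a setuid 'screen-4.5.0'
    (not expected, like the one in the write-up) and a non-setuid file.
    Returns the basenames the scan flags."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    for name, mode in (("passwd", 0o4755), ("screen-4.5.0", 0o4755), ("notes", 0o644)):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        os.chmod(path, mode)
    return [os.path.basename(p) for p in unexpected(iter_suid(root))]


def main(argv):
    # Usage: python3 suid_check.py [root]   (defaults to /)
    root = argv[1] if len(argv) > 1 else "/"
    for path in unexpected(iter_suid(root)):
        print(f"unexpected setuid binary: {path}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A hit on this list is a lead, not a verdict: the next step is still to check the binary's version and the GTFOBins and Exploit DB entries for it, as the write-up does with screen-4.5.0. The list should be tuned to the target's distribution and package set before you trust the negatives.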