Here we’re going to go through another box called Willow, created by the amazing MuirlandOracle. Knowing this is one of his creations, and having done his boxes in the past, we can expect some encryption challenges and constant bumps in the road haha, let’s get into it.
L3ts G3t $h3ll
Initial nmap scans show the following ports open.
22 for SSH
80 for HTTP
111 for RPC bind
2049 for network file share
So let’s take a look at HTTP and see what’s going on there.
Seems to be, for now, a huge string of random numbers. Let’s dig a little further into the other ports and see if we can find something that might give us a clue as to what this is. Let’s take a look at the NFS (Network File Share).
showmount -e <ipaddress>
Looking at the network file share, it seems someone is exporting their /var/failsafe folder to any host (the * in the showmount output). So let’s mount this and take a look.
Looks to be something to do with RSA key pairs, so maybe that gives us a clue to what’s on the web page.
Let’s see if we can work out what this is and decrypt it.
Putting this through CyberChef and using the SSH parser module, we manage to decrypt this message and see a note about it being an SSH private key.
"Key type: Willow, here's your SSH Private key -- you know where the decryption key is!"
So I imagine where they’re saying “you know where the decryption key is”, it will be the things we found on the NFS that help us. Let’s now use an RSA calculator to work out and decrypt the encrypted message.
It should also be noted that MuirlandOracle has written a great explanation of RSA key generation, and down at the bottom in the example scripts we can see the E, N and D values being spat out. We have these values from the NFS.
Great, let’s see if we can save this and use it now!
Of course it’s never that fucking easy! However, we can use our good old friend JohnTheRipper to convert this key into a hash value and see if we can crack it!
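As an added example (not the box author’s script, nor the RSA calculator used above), this shows the decryption step itself: a long run of decimal ciphertext blocks is turned back into bytes once you hold N and D. The primes, e and the sample message here are all constructed; the key values from the box are not reproduced.

```python
# Added example, not the box author's or the RSA calculator's code: textbook RSA with
# chunking, to show how a long list of decimal ciphertext blocks is turned back into
# bytes once you hold N and D. Primes, e and the sample message are all constructed.
from math import gcd

def rsa_keygen(p, q, e=65537):
    """Return (n, e, d). Toy primes here; real keys use primes of 1024+ bits."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e, Python 3.8+
    return n, e, d

def payload_size(n):
    """Bytes per block so that 0x01 || chunk is always an integer below n."""
    return (n.bit_length() - 1) // 8 - 1

def encrypt_blocks(data, n, e):
    """Split data into chunks, prefix each with 0x01 so leading zero bytes survive,
    and raise each to e mod n. Unpadded RSA like this is deterministic: fine for a
    CTF puzzle, but real deployments need OAEP or similar padding."""
    size = payload_size(n)
    blocks = []
    for i in range(0, len(data), size):
        m = int.from_bytes(b"\x01" + data[i:i + size], "big")
        blocks.append(pow(m, e, n))
    return blocks

def decrypt_blocks(blocks, n, d):
    """Inverse of encrypt_blocks: c^d mod n per block, strip the 0x01 marker, join."""
    out = bytearray()
    for c in blocks:
        m = pow(c, d, n)
        raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
        if raw[:1] != b"\x01":
            raise ValueError("block does not start with the 0x01 marker; wrong key?")
        out += raw[1:]
    return bytes(out)

def parse_ciphertext(text):
    """Turn a whitespace- or comma-separated run of decimal numbers into integers."""
    return [int(tok) for tok in text.replace(",", " ").split()]

def demo():
    """Round trip with a constructed key: encrypt, render as a decimal string, decrypt."""
    n, e, d = rsa_keygen(1000000007, 998244353)  # constructed toy primes
    blob = " ".join(str(c) for c in encrypt_blocks(b"Willow, here's your key", n, e))
    return decrypt_blocks(parse_ciphertext(blob), n, d)
```

With the real values you would feed the numeric string from the web page to parse_ciphertext and the N and D from the NFS share to decrypt_blocks; how the box splits its blocks may differ from the 0x01 framing assumed here.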
Cracking time, again with john and using the rockyou wordlist.
Great, we have the password, so now let’s try to SSH to the box again and see if we get in!
Let’s grab that user flag now that we have our SSH shell on the box as the Willow user.
RIGHT! Of course there’s always that extra step. Right, let’s base64 this picture, transfer the output to my box and decode it.
cat user.jpg | base64
Now take all the output from the above command and put it inside a file. I put it inside one I created called “user.b64”, then cat’d and decoded that file and wrote the output to user.jpg.
cat user.b64 | base64 -d > user.jpg
Awesome, we have our user flag!
L3t5 G3t r00t
Okay, let’s take a look around and see what we’ve got to work with to get root.
Above we did the same procedure, but this time to get the LinEnum script over to the box. Let’s run the LinEnum script now and sieve through the results.
Hmm, okay, let’s make a note that we can run the /bin/mount command as root with no password; this might give us a hint as to where we need to look.
If we look in /dev, this is normally where devices and filesystems show up, and then we would need to mount one somewhere in our directory tree.
So with that, and knowing we can run the mount command as sudo, let’s try and mount this partition on to /mnt/creds.
Now let’s take a look inside the partition and see if we find anything useful.
Amazing, we have the root and Willow users’ passwords. Let’s switch user to root and get that root flag.
Again another roadblock! Well, let’s now try and work this out. We have the root password and the willow password, but what does “I gave you the root flag some time ago” mean? hmmm…
That sneaky little bastard, I bet he has hidden something in the user.jpg! Okay, let’s see if we can extract it using steghide.
Thanks again MuirlandOracle for another interesting, and infuriating, box haha. Hope you all learnt something from this box 🙂