TryHackMe — Cherry Blossom

troy10101
4 min read · Jul 1, 2021
https://tryhackme.com/room/cherryblossom

Summary

This room is heavy in cryptography, time consuming and fun! Start with nmap. Find SMB open to anonymous access and download the journal. Using a hex editor, change the header to the zip signature and use stegpy to extract the zip file from the image. Open the file with the cracked password and read the journal for clues. Find wordlists for later use. Use hydra to brute-force SSH and gain a foothold. Manually enumerate and find that shadow.bak is readable. Copy it, crack the hash and switch to that user. Run Linux Exploit Suggester to find the machine is vulnerable to the sudo pwfeedback overflow, CVE-2019-18634. Compile the exploit locally. Upload and execute the exploit to drop a root shell and claim the flag.

Action

Nmap results

Add cherryblossom.thm to /etc/hosts

SMB Enumeration

Download journal.txt and find its hex header is marked incorrectly (the bad zip offset is the clue), as it is a jpg file, not a text file... or is it?

Using a hex editor, verify the magic number. Has it been changed from zip to look like a jpg? It has, since the zip magic number is 50 4b 03 04. Change the hex header and extract the data from the image using stegpy.
https://en.wikipedia.org/wiki/List_of_file_signatures
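As an added example (not part of the original writeup), a small Python helper that checks a file's leading bytes against the signature list linked above and, when the first bytes have been overwritten to mimic a JPEG, confirms the zip container through its end-of-central-directory record before restoring the 50 4b 03 04 header. The spoofed archive is constructed inline.

```python
import io
import struct
import zipfile

# Magic numbers taken from the file-signature list linked above.
SIGNATURES = {
    b"\x50\x4b\x03\x04": "zip (local file header)",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}
ZIP_LOCAL_HEADER = b"\x50\x4b\x03\x04"
ZIP_CENTRAL_DIR = b"\x50\x4b\x01\x02"
ZIP_EOCD = b"\x50\x4b\x05\x06"  # end-of-central-directory signature


def identify(data: bytes) -> str:
    """Return the type suggested by the leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def looks_like_zip_inside(data: bytes) -> bool:
    """A zip survives a spoofed header: the EOCD record at the tail carries
    the central-directory offset (bytes 16..19), which must point at a
    central-directory entry signature."""
    eocd = data.rfind(ZIP_EOCD)
    if eocd < 0 or eocd + 20 > len(data):
        return False
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    return data[cd_offset:cd_offset + 4] == ZIP_CENTRAL_DIR


def repair_zip_header(data: bytes) -> bytes:
    """Restore the local-file-header signature once the container is confirmed."""
    if not looks_like_zip_inside(data):
        raise ValueError("not a zip container")
    return ZIP_LOCAL_HEADER + data[4:]


def recover_names(data: bytes) -> list:
    """List the archive members of a repaired zip (file stays in memory)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def make_spoofed_sample() -> bytes:
    """Constructed sample: a real zip whose first four bytes are replaced by a
    JPEG SOI/APP0 marker, mimicking the mangled journal download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("journal.txt", "Dear diary, constructed sample text.")
    return b"\xff\xd8\xff\xe0" + buf.getvalue()[4:]
```

Running `recover_names(repair_zip_header(make_spoofed_sample()))` shows the header check reports jpeg while the EOCD walk proves the container is a zip.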

Attempting to unzip, we're met with a password prompt. Use fcrackzip to obtain the password.

Finally extract the file!

The .ctz file is an encrypted CherryTree document.

Use 7z2john to create a “johnable” hash. Use john to crack.

In the journal ramblings the author mentions lxxx as his girlfriend. There are wordlists in the extracted CherryTree document. Remember lxxx; it might be a username.

Locate and turn in the journal flag.

Let's try to brute-force lxxx's SSH creds with hydra

SSH as lxxx to machine

Output /etc/passwd

Manually enumerate and find that shadow.bak is readable

Copy hashes from shadow.bak

joxxx:$6$zVxxxxxxxxxxT/aM2UMXqNnqsxxx7K/hHBG8DkyACiV6ykYmxsZG.vLALyf7kjsqxxxW391j1bue2/.SVm91uno5DUX7ob0:18301:0:99999:7:::
lxxx:$6$3GPkxxxxxxxxxxNWsBHgo6XxxxkI2JG6loUkZBIOtuOxjZpD71spVdgqM4CTXMFYVScHHTCDP0dG2rhDA8uC18/Vid3JCk0:18301:0:99999:7:::
root:$6$l81PoxxxxxxxxxxmYvxxxrO0gzuJCCXF9p08BQ8ALp5clk/E6RwSxxrw97h2Ix9O6cpVHnq1xxxxxxxCubATvANEv9Od9F1:18301:0:99999:7:::

Start from the top and attempt to crack the joxxx hash with hashcat

Switch to user and claim user flag

Check sudo permissions and notice password feedback (the asterisks echoed while typing).

Linux Exploit Suggester suggests CVE-2019-18634 pwfeedback.

Verify machine is vulnerable.

Segmentation fault! Check for compiler.

There is no compiler on the client machine.
Download the exploit to the attacking machine, compile it and upload it to the client.
Run the exploit and claim the root flag.

Thanks for reading! :)


troy10101

Computer science, Cyber/InfoSec enthusiast. Wanna-be hacker.