[Vulnhub] analoguepond - Walkthrough Part 2

Hi guys.
In the last post, I got the first flag-like file.

# cat flag1.txt.0xff
3d3d674c7534795a756c476130565762764e4849793947496c4a585a6f5248496b4a3362334e3363684248496842435a756c6d5a675148616e6c5762675533623542434c756c47497a564764313557617442794d79415362764a6e5a674d585a7446325a79463256676732593046326467777961793932646751334a754e585a765247497a6c47613042695a4a4279615535454d70647a614b706b5a48316a642f67325930463264763032626a35535a6956486431395765756333643339794c364d486330524861  

The .0xff extension suggests that the content is a hex-encoded string, so decode it:

# cat flag1.txt.0xff | xxd -r -p
==gLu4yZulGa0VWbvNHIy9GIlJXZoRHIkJ3b3N3chBHIhBCZulmZgQHanlWbgU3b5BCLulGIzVGd15WatByMyASbvJnZgMXZtF2ZyF2Vgg2Y0F2dgwyay92dgQ3JuNXZvRGIzlGa0BiZJByaU5EMpdzaKpkZH1jd/g2Y0F2dv02bj5SZiVHd19Weuc3d39yL6MHc0RHa

The result seems to be a base64 string because it has two '=', but I think we need to reverse and decrypt it:

# cat flag1.txt.0xff | xxd -r -p | rev | base64 --decode
https://www.youtube.com/watch?v=GfJJk7i0NTk If this doesn't work, watch Wargames from 23 minutes in, you might find a password there or something...  

Here we go. Turns out that this is a hint to the next step rather than the flag.
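The three steps above (hex, reverse, base64) can be automated. The following is an added example, not part of the original walkthrough: a small Python helper that peels such layers one at a time and reports which ones it removed. The function names and the sample message are constructed for illustration.

```python
import base64
import re

HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2})+")
B64 = r"[A-Za-z0-9+/]"
B64_RE = re.compile(rf"(?:{B64}{{4}})*(?:{B64}{{2}}==|{B64}{{3}}=)?")

def _printable(raw):
    """Return raw as ASCII text, or None if it is not printable text."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    ok = text and all(c.isprintable() or c in "\r\n\t" for c in text)
    return text if ok else None

def _b64(s):
    """Strictly base64-decode s to printable text, or return None."""
    if not s or not B64_RE.fullmatch(s):
        return None
    return _printable(base64.b64decode(s, validate=True))

def peel_once(text):
    """Return (layer, decoded) for the first layer that yields printable text."""
    s = text.strip()
    if HEX_RE.fullmatch(s) and _printable(bytes.fromhex(s)) is not None:
        return "hex", _printable(bytes.fromhex(s))   # the `xxd -r -p` step
    for name, candidate in (("base64", s), ("reversed-base64", s[::-1])):
        out = _b64(candidate)                        # `rev` first when reversed
        if out is not None:
            return name, out
    return None

def peel(text, max_layers=10):
    """Strip layers until nothing more decodes; return (plaintext, layers)."""
    layers = []
    while len(layers) < max_layers:
        step = peel_once(text)
        if step is None:
            break
        layers.append(step[0])
        text = step[1]
    return text, layers

# Constructed sample, encoded the way flag1.txt.0xff is: base64, reversed, hex.
MESSAGE = "watch the film from 23 minutes in."
SAMPLE = base64.b64encode(MESSAGE.encode())[::-1].hex()

if __name__ == "__main__":
    print(peel(SAMPLE))
```

A short plain word can decode to printable text by chance, so check the reported layers before trusting the output.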

So I watched the video a couple of times and found nothing. (There is no sentence starting with "the password is ...".)

I had to know what I was looking for.

# pwd
/root/protovision
# cat jim
Mr Potato Head! Backdoors are not a...  
# cat melvin
Boy you guys are dumb! I got this all figured out...  

jim and melvin are two characters in the video. So I assumed that those missing words or phrases are what we need to find. From the video, I knew that the keys to something are 'secret' and 'myself'.

Then, there was another file, and I had to keep digging until it ended. (Man, it was a pain.)

# pwd
/root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z
# ls -al
total 16  
drwxr-xr-x 2 root root 4096 Dec 21  2016 .  
drwxr-xr-x 3 root root 4096 Dec 18  2016 ..  
---x------ 1 root root    7 Dec 18  2016 my_world_you_are_persistent_try
-rw-r--r-- 1 root root 1420 Dec 21  2016 nleeson_key.gpg
# cat my_world_you_are_persistent_try
joshua  

There I got another keyword 'joshua'.

I used nc to copy the .gpg file to Kali and decrypted it with gpg -d. It asked me for a passphrase. I tried 'secret', it hit, and I got a private key file.

Now it was clear, because previously I had noticed this:

sandieshaw@puppet:/etc/puppet/modules/vulnhub/files$ pwd  
/etc/puppet/modules/vulnhub/files
sandieshaw@puppet:/etc/puppet/modules/vulnhub/files$ cat barringsbank-passwd | grep nleeson  
nleeson:x:1000:1000:Nicholas Leeson,,,:/home/nleeson:/bin/bash  
sandieshaw@puppet:/etc/puppet/modules/vulnhub/files$ cat barringsbank-hosts.allow  
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# Only allow connections from puppet.
ALL: 192.168.122.2  

There is a username called nleeson, and I got its key, so I used ssh.
Notice that .3 only allows connections from .2, which is where I was.
Note: you need to chmod 600 nleeson_key before you run ssh -i.

sandieshaw@puppet:/tmp$ ssh -i /tmp/nleeson_key nleeson@192.168.122.3  
Enter passphrase for key '/tmp/nleeson_key':  
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 4.4.0-57-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Wed Aug  9 16:18:34 BST 2017

  System load:  0.31              Processes:           109
  Usage of /:   75.8% of 1.59GB   Users logged in:     0
  Memory usage: 11%               IP address for eth0: 192.168.122.3
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

It asked me for the password even though I had the key. So I provided 'joshua', and it passed.

Good! I'm in! (192.168.122.3) :D

Time for a break. Let's call it part 2; I'll publish part 3 soon.

Thank you for watching.

Best!