[Vulnhub] analoguepond - Walkthrough Part 2

Hi guys.
In the last post, I got the first flag-like file.

# cat flag1.txt.0xff

The .0xff extension suggests that the content is a hex-encoded string, so decode it:

# cat flag1.txt.0xff | xxd -r -p

The result seems to be a base64 string because it has two '=', but I think we need to reverse and decrypt it:

# cat flag1.txt.0xff | xxd -r -p | rev | base64 --decode
https://www.youtube.com/watch?v=GfJJk7i0NTk If this doesn't work, watch Wargames from 23 minutes in, you might find a password there or something...  

Here we go. Turns out that this is a hint to the next step rather than the flag.
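
The same peeling can be automated. The sketch below is an added example, not part of the original walkthrough: it detects hex, base64 and reversed base64 (leading '=' padding) and strips them layer by layer. The function names and the sample message are assumptions made up for illustration; the sample is constructed, not the real flag content.

```python
import base64
import binascii
import re

HEX_RE = re.compile(r"[0-9a-fA-F]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def printable(data: bytes) -> bool:
    """True when every byte is printable ASCII or common whitespace."""
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def peel_once(text: str):
    """Try one decoding step; return (layer_name, decoded_text) or None."""
    s = text.strip().replace("\n", "")
    if len(s) % 2 == 0 and HEX_RE.fullmatch(s):
        raw = binascii.unhexlify(s)
        if printable(raw):
            return "hex", raw.decode("ascii")
    # '=' padding can only end a base64 string, so leading '=' means reversed.
    name, cand = ("reversed base64", s[::-1]) if s.startswith("=") else ("base64", s)
    if len(cand) % 4 == 0 and B64_RE.fullmatch(cand):
        raw = base64.b64decode(cand, validate=True)
        if printable(raw):
            return name, raw.decode("ascii")
    return None


def peel_layers(text: str, max_depth: int = 8):
    """Peel encodings until nothing matches; return (layer_names, final_text)."""
    layers = []
    for _ in range(max_depth):
        step = peel_once(text)
        if step is None:
            break
        name, text = step
        layers.append(name)
    return layers, text


def build_sample(message: str) -> str:
    """Constructed input: base64, reversed, then hex, like the flag file's layout."""
    b64 = base64.b64encode(message.encode("ascii")).decode("ascii")
    return b64[::-1].encode("ascii").hex()


if __name__ == "__main__":
    sample = build_sample("constructed hint: try the next box")
    print(peel_layers(sample))
```

Reversal is only detected through the leading '=' padding, so a reversed base64 string that happens to need no padding is left undecoded.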

So I watched the video a couple of times and found nothing. (There is no sentence starting with "the password is ...".)

I had to know what I was looking for.

# pwd
# cat jim
Mr Potato Head! Backdoors are not a...  
# cat melvin
Boy you guys are dumb! I got this all figured out...  

jim and melvin are two characters in the video. So I assumed that those missing words or phrases are what we need to find. From the video, I knew that the keys to something are 'secret' and 'myself'.

Then there was another file, and I had to keep digging until I reached the end. (Man, it was a pain.)

# pwd
# ls -al
total 16  
drwxr-xr-x 2 root root 4096 Dec 21  2016 .  
drwxr-xr-x 3 root root 4096 Dec 18  2016 ..  
---x------ 1 root root    7 Dec 18  2016 my_world_you_are_persistent_try
-rw-r--r-- 1 root root 1420 Dec 21  2016 nleeson_key.gpg
# cat my_world_you_are_persistent_try

There I got another keyword 'joshua'.

I used nc to transfer the .gpg file to Kali and decrypted it with gpg -d. It asked me for a passphrase. I tried 'secret', which worked, and got a private key file.

Now it was clear, because I had previously noticed this:

sandieshaw@puppet:/etc/puppet/modules/vulnhub/files$ pwd  
sandieshaw@puppet:/etc/puppet/modules/vulnhub/files$ cat barringsbank-passwd | grep nleeson  
nleeson:x:1000:1000:Nicholas Leeson,,,:/home/nleeson:/bin/bash  
sandieshaw@puppet:/etc/puppet/modules/vulnhub/files$ cat barringsbank-hosts.allow  
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
# Only allow connections from puppet.

There is a user called nleeson, and I had its key, so I used ssh.
Note that the .3 host only allows connections from .2, which is where I was.
Note: you need to chmod 600 nleeson_key before you ssh -i.

sandieshaw@puppet:/tmp$ ssh -i /tmp/nleeson_key nleeson@  
Enter passphrase for key '/tmp/nleeson_key':  
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 4.4.0-57-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Wed Aug  9 16:18:34 BST 2017

  System load:  0.31              Processes:           109
  Usage of /:   75.8% of 1.59GB   Users logged in:     0
  Memory usage: 11%               IP address for eth0:
  Swap usage:   0%

  Graph this data and manage this system at:

It asked me for a password even though I had the key. So I provided 'joshua', and it was accepted.

Good! I'm in! ( :D

Time for a break. Let's call it part 2; I'll publish part 3 soon.

Thank you for reading.