TryHackMe — Looking Glass Walkthrough

Vengeance
4 min read · Sep 1, 2023

This is a short guide for the Looking Glass machine.

Get the IP address of the machine and run an nmap scan against it.

nmap scan result

Multiple ports are open, all showing the service Dropbear sshd (protocol 2.0).

Let's ssh into one of them.

Showing the port is higher

When connecting through ssh on port 10000, the banner says "higher". Let's try with a smaller port number.

Showing the port is lower

Trying port 9200 shows "lower", so the correct port is somewhere between 9200 and 10000. Time to bruteforce.
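Because every attempt tells us whether we are above or below the right port, the range can be halved on each try instead of walking it one port at a time. The following is an added example, not code from the original post: it simulates the "higher"/"lower" hint with a plain function (the assumed wording follows the post: "higher" means the port tried is above the target) and runs a binary search over the 9200–10000 range, so no network access is involved.

```python
# Added example: binary search over a "higher"/"lower" hint, simulating the
# Looking Glass port puzzle offline. The oracle is a constructed stand-in for
# the banner the service prints; the secret port 9367 is the one from the post.

def make_oracle(secret_port):
    """Return a function that answers like the banner described in the post:
    'higher' when the port tried is above the target, 'lower' when it is below,
    and 'found' when it matches."""
    def oracle(port):
        if port > secret_port:
            return "higher"
        if port < secret_port:
            return "lower"
        return "found"
    return oracle

def find_port(oracle, low, high):
    """Binary search the inclusive range [low, high] using the oracle.
    Returns (port, number_of_probes); port is None if the range is exhausted."""
    probes = 0
    while low <= high:
        mid = (low + high) // 2
        probes += 1
        answer = oracle(mid)
        if answer == "found":
            return mid, probes
        if answer == "higher":
            high = mid - 1      # we overshot, discard the upper half
        else:
            low = mid + 1       # we undershot, discard the lower half
    return None, probes

if __name__ == "__main__":
    port, probes = find_port(make_oracle(9367), 9200, 10000)
    print(f"port {port} found after {probes} probes")
```

With an 800-port range the search needs at most ten probes, which is why a hint like this turns a brute-force into a handful of connections.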

Connected on port 9367

Using port 9367 we are in. Now it asks for a secret. Looking at the jumbled words above, let's try to decrypt the cipher.

Jabberwocky is a poem by Lewis Carroll.

After some googling it turned out to be a Vigenère cipher.

As a Vigenère cipher requires a key to decrypt, an online tool that brute-forces the key was used, and the key turned out to be "thealphabetcipher".

Now, using the key, let's decrypt the cipher.

Decoded message
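For readers who would rather decrypt locally than paste the text into an online tool, here is an added example of Vigenère encryption and decryption; it is not code from the original post. The key is the one recovered above, the sample plaintext is a constructed line from the poem, and the convention that only letters are shifted and only letters consume key characters is an assumption that matches what common online solvers do.

```python
# Added example: Vigenère cipher encrypt/decrypt with the key from the post.
# Only ASCII letters are shifted; spaces and punctuation pass through and do
# not consume a key character (assumed convention, matching common solvers).

def _shift(ch, k, direction):
    """Shift one ASCII letter by k positions (direction +1/-1), keeping case."""
    base = ord("A") if ch.isupper() else ord("a")
    return chr((ord(ch) - base + direction * k) % 26 + base)

def vigenere(text, key, decrypt=False):
    """Encrypt (default) or decrypt text with a Vigenère key."""
    key_shifts = [ord(k.lower()) - ord("a") for k in key if k.isalpha()]
    if not key_shifts:
        raise ValueError("key must contain at least one letter")
    direction = -1 if decrypt else 1
    out, i = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            out.append(_shift(ch, key_shifts[i % len(key_shifts)], direction))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def vigenere_decrypt(ciphertext, key):
    return vigenere(ciphertext, key, decrypt=True)

KEY = "thealphabetcipher"                  # key recovered in the post
SAMPLE = "Twas brillig, and the slithy toves"  # constructed sample plaintext

if __name__ == "__main__":
    ct = vigenere(SAMPLE, KEY)
    print("ciphertext:", ct)
    print("plaintext :", vigenere_decrypt(ct, KEY))
```

The cipher is only as strong as the key is long: with a 17-letter key every 17th letter of the poem was shifted by the same amount, which is exactly the regularity the online key-finder exploits.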

At the end of the poem there is a secret. Submitting the secret, we are provided with a username and password.

Now log in through ssh with the provided username and password.

Run ls in the home folder and we can see the user.txt file.

The flag in user.txt is mirrored, so un-mirror it (reverse the string) to get the flag.

There is also a twasBrillig.sh file which contains some code to write a message to all users.

Looking at the sudo -l output we can see that the user can reboot the system.

There is a cron job where user tweedledum runs the bash script on reboot. We can leverage this and gain a reverse shell as user tweedledum, since we can edit the twasBrillig.sh script.

Crontab output
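The weakness here is a script that cron runs as one user but that another user can edit. As an added example (not the machine's cron configuration and not code from the original post), the script below parses system-crontab style lines, checks the permission bits and owner of each script that cron would run, and reports entries that someone other than the owner could modify. The crontab text and the two scripts are constructed in a temporary directory so it runs offline.

```python
# Added example: audit cron entries for scripts writable by other users.
# Constructed demo data; the paths and the cron line are not from the machine.
import os
import pwd
import shlex
import stat
import tempfile

def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab or /etc/cron.d style lines,
    where a user name follows the schedule. Comments and VAR=value lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split()
        rest = fields[1:] if fields[0].startswith("@") else fields[5:]
        if len(rest) < 2:
            continue
        yield rest[0], " ".join(rest[1:])

def script_path(command):
    """First token of the command: the script or binary cron executes."""
    try:
        return shlex.split(command)[0]
    except ValueError:
        return command.split()[0]

def audit_crontab(text):
    """Return (user, path, reason) for each entry whose script is group/world
    writable or owned by someone other than root or the cron user."""
    findings = []
    for user, command in parse_system_crontab(text):
        path = script_path(command)
        if not os.path.isabs(path) or not os.path.exists(path):
            continue
        st = os.stat(path)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((user, path, "group/world writable"))
            continue
        try:
            expected_uid = pwd.getpwnam(user).pw_uid
        except KeyError:
            continue  # user does not exist on this host; owner check not possible
        if st.st_uid not in (0, expected_uid):
            findings.append((user, path, "owned by a different user"))
    return findings

def demo():
    """Constructed scenario: a world-writable reboot script beside a 0700 one."""
    d = tempfile.mkdtemp()
    bad = os.path.join(d, "twasBrillig.sh")
    good = os.path.join(d, "safe.sh")
    for p in (bad, good):
        with open(p, "w") as f:
            f.write("#!/bin/bash\nwall 'constructed message'\n")
    os.chmod(bad, 0o777)
    os.chmod(good, 0o700)
    me = pwd.getpwuid(os.getuid()).pw_name
    crontab = (
        "SHELL=/bin/bash\n"
        "# constructed sample crontab\n"
        f"@reboot tweedledum {bad}\n"
        f"0 * * * * {me} {good}\n"
    )
    return audit_crontab(crontab)

if __name__ == "__main__":
    for user, path, reason in demo():
        print(f"{user}: {path} is {reason}")
```

The fix on a real host is the mirror image of the finding: scripts referenced from cron should be owned by the user they run as (or root) with mode 0700 or 0755, and their parent directories must not be writable by others either.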

Edit the script and insert the reverse shell.

Adding reverse shell on the script

On the local machine, start a netcat listener on the specified port, then reboot the system. When the system reboots, the script is run by user tweedledum and we get a shell as that user.

System rebooted
Got a shell as user tweedledum

Looking at the files in the home folder we see a file named humptydumpty.txt which contains an encrypted message.

Output of humptydumpty.txt

The message is a SHA-256 hash. A hash cannot be decrypted, but it can be looked up: let's find the value that produces it.

Password found for user humptydumpty
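What an online "decrypt" service does with a SHA-256 value is a lookup: it hashes candidate passwords and compares. The added example below (not code from the original post, and using a constructed word list and a constructed target rather than the machine's hash) shows that lookup, and beside it the salted, slow PBKDF2 hashing that makes the same lookup impractical for a real password store.

```python
# Added example: why an unsalted SHA-256 password can be "found" by lookup,
# and what a salted, iterated hash changes. All values are constructed.
import hashlib
import hmac
import os

def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()

def lookup_sha256(target_hex, candidates):
    """Return the candidate whose unsalted SHA-256 equals target_hex, else None.
    One cheap hash per guess and no salt: a precomputed table works too."""
    target_hex = target_hex.lower()
    for word in candidates:
        if hmac.compare_digest(sha256_hex(word), target_hex):
            return word
    return None

ITERATIONS = 200_000  # assumed work factor for the demo

def pbkdf2_hash(password, salt=None):
    """Salted, iterated hash: every guess costs ITERATIONS rounds and the
    per-password salt defeats precomputed tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def pbkdf2_verify(password, salt, digest):
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(calc, digest)

# Constructed demo data, not from the machine
WORDLIST = ["password", "letmein", "jabberwocky", "wonderland", "alice1865"]
DEMO_TARGET = sha256_hex("jabberwocky")

if __name__ == "__main__":
    print("lookup result:", lookup_sha256(DEMO_TARGET, WORDLIST))
    salt, digest = pbkdf2_hash("jabberwocky")
    print("pbkdf2 verify:", pbkdf2_verify("jabberwocky", salt, digest))
```

The lookup succeeds because a single SHA-256 is fast and the same password always gives the same hash; the PBKDF2 variant forces every guess to be recomputed against each user's salt, which is the property a stored credential should have.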

Using this password we can now log in as humptydumpty.

Logged in as user humptydumpty

Looking into the home folder there is only a poetry.txt file which contains some text. We can cd into alice's home directory but cannot list it, because we have execute permission on the directory but not read permission. Let's see what we can do there.

Let's see if we can find the id_rsa file so that we can download it and ssh as user alice with that key.

User alice id_rsa file

As we can read the content of the id_rsa file, let's download it to the local machine and ssh as user alice.

Remember to change the permissions of the id_rsa file to 600, otherwise ssh refuses to use it.

Logged in as user alice using id_rsa

As we cannot sudo anything because we do not have alice's password, let's run linpeas.sh to see if it finds something.

As we can see, alice can run /bin/bash as root when the host is ssalg-gnikool. Let's do it.

We have successfully got root access on the machine.

Time to obtain the flag which is in /root directory.

The flag in root.txt is also mirrored, so un-mirror it to obtain the flag.

Thank you for reading.

Twitter: Vengenace0x0

Vengeance

Penetration Tester | Trader/ Investor | Cyber Security Enthusiast | Bibliophile