Step through the looking glass. A sequel to the Wonderland challenge room.
Let’s run nmap first and see what we get.
Thousands of ports are open in the range 9000 to 14000.
Since thousands of ports are open and all of them are ssh, let's try it manually first instead of writing an automation script. When we ssh to a port, there are two outputs that we can get: Higher and Lower.
After some time we realise that this is mirrored. If the output is Lower, you need to go to a higher port. If the output is Higher, you need to go to a lower port. You can do it manually or you can use my script that I modified :)
First User (Jabberwock)
Alright! Now let’s try to ssh to that port.
To decode it, you can use the link in the references, which decodes the Vigenere cipher.
Enter the secret we found on that port and we get a credential. Use that and you will get the first user!
Second User (tweedledum)
We got a poem, a script and of course user.txt. After a lot of enumeration, we found that there is a crontab entry running as user tweedledum.
Luckily, we can also rewrite twasBrillig.sh. And when we run sudo -l, we find that we have permission to reboot as root.
It looks like a rabbit hole or not haha. But let's put in our reverse shell and reboot!
Nice! We got our reverse shell and as the second user :)
Third User (tweedledee)
When we try sudo -l, we find that we can run bash as tweedledee. So let's change to tweedledee :)
Fourth User (humptydumpty)
Both tweedledee and tweedledum got the same humptydumpty.txt.
Let's try to crack it using CrackStation.
So only the last one cannot be cracked? But the passwords that we managed to crack give us a hint that one of these is the password. When we try them one by one, we can't get into humptydumpty. After a lot of trying, the last one is actually hex :) You can try using CyberChef.
Alright, now we can su to this user :)
Fifth User (alice)
So we can read poetry.txt haha. Also, if we take a look at the home directory, we find that we can cd into alice but we can’t read anything. Isn’t it weird? So out of curiosity I tried ls -la /home/alice/.ssh/id_rsa and we found this!
So what we can do is just ssh in as alice.
ssh alice@localhost -i /home/alice/.ssh/id_rsa
In alice we found kitten.txt.
But this got me stuck for one day haha. I ran linpeas and Linux Smart Enumeration, but they didn't show anything good. The next day I tried to enumerate manually with a sensitive file list that I have and found that in /etc/sudoers.d/ there is a file alice that we can read!
From what I know.
=> Means that we can sudo as alice with no password to run bash
Right now our host is looking-glass. But looking at sudo, we can specify the host.
So maybe we can do it like this >.<
sudo -h ssalg-gnikool bash
Rooted! We learned a lot of new things, added more knowledge and improved our enumeration skills. James’s room really teaches a lot haha >.< Thank you for this room, and feel free to use my script to find the secret port!
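The sudo rule that gave root here is scoped to a host name other than the machine it lives on. As an added example (not from the original writeup), this Python check lists such rules in sudoers-style text; the sample rules and the function name foreign_host_rules are constructed for illustration, and only the names looking-glass and ssalg-gnikool come from the text above.

```python
import re
import socket

# Constructed sample of a sudoers.d drop-in. The rule text is an assumption;
# only the host names looking-glass and ssalg-gnikool appear in the writeup.
SAMPLE = """\
# constructed sample, not the room's actual file
Defaults env_reset
tweedledum looking-glass = (tweedledee) NOPASSWD: /bin/bash
alice ssalg-gnikool = (root) NOPASSWD: /bin/bash
%admin ALL = (ALL) ALL
"""

# Lines that are settings, alias definitions or includes, not user rules.
SKIP = re.compile(r"^(Defaults|User_Alias|Host_Alias|Runas_Alias|Cmnd_Alias|@include)")


def foreign_host_rules(text, local_hostname=None):
    """Return (user, host, rest) for rules whose host is not this machine."""
    local = (local_hostname or socket.gethostname()).lower()
    local_names = {local, local.split(".")[0]}  # FQDN and short name
    findings = []
    # Join backslash-continued lines before parsing.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or SKIP.match(line):
            continue
        if "=" not in line:
            continue
        left, rest = line.split("=", 1)
        parts = left.split(None, 1)  # simplification: one user token, then hosts
        if len(parts) != 2:
            continue
        user, hosts = parts
        for host in (h.strip() for h in hosts.split(",")):
            # ALL and upper-case Host_Alias names are not literal host names.
            if host.isupper() or host.lstrip("!").lower() in local_names:
                continue
            findings.append((user, host, rest.strip()))
    return findings


if __name__ == "__main__":
    for user, host, rest in foreign_host_rules(SAMPLE, "looking-glass"):
        print(f"rule for {user} is scoped to host {host!r}: {rest}")
```

Any rule it reports deserves a review alongside the permissions on the file itself, since the file in this room was readable by an unprivileged user.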
If you have any suggestions, or if there is something that I can improve, please do tell me. Hope this writeup helps someone and let’s learn together :)