Step 1 command = netdiscover -r 192.168.1.0/24
Use this to find all the IPs/hosts on the local network. Here the IP of the target machine is 192.168.1.43.
Step 2 command = nmap 192.168.1.43
Use this command to check the open ports.
Use command = nmap -A -sV 192.168.1.43 for an aggressive scan.
Step 3 we see that ssh, http and the “elite” port are open. That means we can use ssh to log in. There is a website running, and port 31337 (“elite”) is historically associated with backdoors, mainly Back Orifice. The port number spells “elite” in hacker/cracker spelling (3=E, 1=L, 7=T).
So let’s first try to access the website. Browse to 192.168.1.43, the IP of the target. But this website has nothing in particular, just some text about following the white rabbit.
So let’s view the page source and see if there is something. There is one image which is in the source code but not visible on the webpage.
After clicking it we just come across a picture of a rabbit… nothing special. However, the name of the picture gives us a hint about port 31337. So let’s browse to that port and see what is there.
Again nothing here. So let’s view the page source of this page too. There is encoded data here which looks like base64. So now let’s try to decode it.
Step 4 command = echo "encoded data" | base64 -d
Use this command to decode the message and print it. The decoded text looks like a bash command: echo prints a string and “>” redirects that output into a file. So what the decoded command does is write the message “Then you’ll see, that it is not the spoon that bends, it is only yourself.” into the file “Cypher.matrix”.
Now let’s access the file Cypher.matrix in the browser at 192.168.1.43:31337/Cypher.matrix. But an error is shown and a file is downloaded instead.
However, after opening it we come across some gibberish. This is actually a program in the esoteric language named brainfuck.
So let’s try to decode it using an online tool. After decoding, a message appears: “You can enter into matrix as guest, with password k1ll0rXX
Note: Actually, I forgot the last two characters so I have replaced them with XX. Try your luck and find the correct string of password.”
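Instead of pasting the downloaded file into an online tool, the decoding can be done offline. The interpreter below is an added example, not code from the walkthrough; it runs the eight brainfuck commands, ignores every other character (so stray whitespace in a file like Cypher.matrix does no harm), and refuses programs with unbalanced brackets. The embedded program is a constructed sample, not the real Cypher.matrix.

```python
# Minimal brainfuck interpreter (added example, not part of the walkthrough).
# Only the eight command characters matter; everything else is skipped.

def bf_run(program: str, tape_size: int = 30000) -> str:
    """Execute a brainfuck program and return its output as text."""
    code = [c for c in program if c in "<>+-.,[]"]
    # Precompute matching brackets so loops can jump in O(1).
    jump, stack = {}, []
    for pos, c in enumerate(code):
        if c == "[":
            stack.append(pos)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at command {pos}")
            start = stack.pop()
            jump[start], jump[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched '[' at command {stack[-1]}")

    tape = bytearray(tape_size)
    ptr, pc, out = 0, 0, []
    while pc < len(code):
        c = code[pc]
        if c == ">":
            ptr += 1
            if ptr >= len(tape):
                raise IndexError("data pointer ran off the end of the tape")
        elif c == "<":
            if ptr == 0:
                raise IndexError("data pointer moved below cell 0")
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF  # 8-bit cells wrap around
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == ",":
            tape[ptr] = 0  # no stdin here: treat input as EOF -> 0
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]  # skip the loop body
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]  # jump back to the loop start
        pc += 1
    return "".join(out)

# Constructed sample program (not the real Cypher.matrix); it prints "Hi!".
SAMPLE = "++++++++[>+++++++++<-]>.<+++[>+++++++++++<-]>.<++++++++[>---------<-]>."
print(bf_run(SAMPLE))
```

To decode the downloaded file, read it with open("Cypher.matrix").read() and pass the text to bf_run.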
Step 5 in the decoded text the last two characters are missing. So let’s generate a wordlist and try to brute force it against the ssh service. Use command = mp64 k1ll0r?a?a >> wordlist (mp64 is the maskprocessor binary; ?a stands for any printable character). You can use the crunch tool also.
Now use command = hydra -l guest -P wordlist ssh://192.168.1.43 to brute force. We will find that the password is k1ll0r7n and the username is guest.
Step 6 now use command = ssh guest@192.168.1.43 to get access to the target remotely.
Now let’s find out which directory we are in.
We see that other than pwd no other commands are working, as we have restricted access. So let’s find out which shell we are in by using command = echo $SHELL. We see that this shell is rbash, i.e. restricted bash.
So let’s find out which commands are available by pressing the tab key twice.
These commands are available but are restricted. So let’s try to escape this shell. But before that, let’s find out the search path by using command = echo $PATH, and after that let’s find out if there is something else in that directory by using command = echo /home/guest/program/*
Step 7 we see that there is a text editor, “vi”. So we can use this editor to escape restricted bash. Open the editor vi and try some commands.
After trying these combinations we see that the first 4 commands give us an sh shell, but we don’t need that. We need a bash shell to proceed. We get a bash shell by using the last command. Now we see that our ls command is working.
Step 8 now we have escaped rbash, but when we try to go to root a “permission denied” message is shown.
So we have to export /bin/bash as SHELL and we also have to add /usr/bin to $PATH. For this use the following commands.
We see that the sudo su command is still not working, as we haven’t added the “/bin” directory to the PATH environment variable. So let’s add /bin to PATH using command = export PATH=/bin:$PATH
Step 8 now just do command = sudo su, enter the password k1ll0r7n and log in. Now go to the root directory and read the flag using command = cat flag.txt
If you don’t want to do all these steps you can use this command = ssh guest@192.168.1.43 -t "bash --noprofile". This command skips the restricted bash and logs you directly into a normal shell.
Now just repeat step 8 and find the flag.
This CTF walkthrough created by Nishtha Kumari