Looking Glass

February 10, 2024

First we need to see the open ports in the machine

Once i tried connecting to the ssh ports i get this message

ssh -oHostKeyAlgorithms=+ssh-rsa -o "StrictHostKeyChecking=no" 10.10.7.125 -p 9001

Then i tried accessing the lowest port which is 13783

It says higher which is the opposite of lower

After several attempt on trying the numbers in between

I guessed the correct port and it returns this

ssh -oHostKeyAlgorithms=+ssh-rsa -o "StrictHostKeyChecking=no" 10.10.70.119 -p 11870

Then after looking up into the google this looks like a vigenere cipher

Thus, I will be using this decoder online to decipher. Here's the link

And i get the result

Caaxlpozvgh
'Twas brillig, and the slithy toves
Did gyre and gimble in the wabe;
All mimsy were the borogoves,
And the mome raths outgrabe.

'Beware the Jabberwock, my son!
The jaws that bite, the claws that catch!
Beware the Jubjub bird, and shun
The frumious Bandersnatch!'

He took his vorpal sword in hand:
Long time the manxome foe he sought--
So rested he by the Tumtum tree,
And stood awhile in thought.

And as in uffish thought he stood,
The Jabberwock, with eyes of flame,
Came whiffling through the tulgey wood,
And burbled as it came!

One, two! One, two! And through and through
The vorpal blade went snicker-snack!
He left it dead, and with its head
He went galumphing back.

'And hast thou slain the Jabberwock?
Come to my arms, my beamish boy!
O frabjous day! Callooh! Callay!'
He chortled in his joy.

'Twas brillig, and the slithy toves
Did gyre and gimble in the wabe;
All mimsy were the borogoves,
And the mome raths outgrabe.
Your secret is bewareTheJabberwock

The secret is bewareTheJabberwock

After i put the secret into the ssh

It returns this

jabberwock:UnpleasantEncourageFrenchUnfinished

Then after that we will run linpeas in the machine

We see some interesting file that is being run by tweedledum user

Then we will put a reverse shell to it so that we can get the tweedledum user

As we can see we can execute the reboot with sudo

After we reboot the machine we see that we got the reverse shell from user tweedledum

Then we cat the txt file in the home directory of that user

dcfff5eb40423f055a4cd0a8d7ed39ff6cb9816868f5766b4088b9e9906961b9
7692c3ad3540bb803c020b3aee66cd8887123234ea0c6e7143c0add73ff431ed
28391d3bc64ec15cbb090426b04aa6b7649c3cc85f11230bb0105e02d15e3624
b808e156d18d1cecdcc1456375f8cae994c36549a07c8c2315b473dd9d7f404f
fa51fd49abf67705d6a35d18218c115ff5633aec1f9ebfdc9d5d4956416f57f6
b9776d7ddf459c9ad5b0e1d6ac61e27befb5e99fd62446677600d7cacef544d0
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
7468652070617373776f7264206973207a797877767574737271706f6e6d6c6b

Then we actually go to online hash identifier which is this

We see that we get the decrypted SHA256 code here

maybe one of these is the password the password is zyxwvutsrqponmlk

As we can see the users in the /etc/passwd

We will assume that this password belongs to user humptydumpty

Looks like we can't run any sudo in the humptydumpty user

But as we can see we can execute some commands in the alice home directory

After some help from the internet I figured that we can cat the id_rsa of user alice

Then we will just use this key to connect to alice user

When we did linpeas in alice user we discover this

sudo -h ssalg-gnikool /bin/bash