1. nmap scan for the IP address. Then, we do a full scan for ports.
2. Looks like we have ssh and python using SimpleHTTPServer module servicing the server. I took a look at port 31337 using Firefox and Burp. It gives a page that is all black except wherever your mouse lands. I have to say the effects were very cool. Let’s look at the page source.
3. There seems to be something to look at.
<!-- key_is_h1dd3n.jpg -->
Let’s try to browse for it.
4. After having a little bit of nostalgia of watching Sneakers, I downloaded the jpeg. Maybe there is something there. I can check using the commands (strings, file, exif, steghide, etc).
5. Using steghide, I used “h1dd3n” as the passphrase. It did hint that it was the key. It gave a text file called h1dd3n.txt.
6. Well, I recognize those strings from previous CTF’s. Time to go to https://copy.sh/brainfuck
7. Well, we have what seems to be a username and password. We did see the service SSH on port 1337. Let’s try to use: ud64:1M!#64@ud
8. We have a login but… with a limited/restricted shell. There’s an app trick for that:
ssh email@example.com -p 1337 -t "bash --noprofile"
9. Welp, we are in and we can run commands.
10. Let’s do some digging and find out about this server. Run the usual commands (id, uname, ls, etc)
11. After looking around for a couple of minutes, thought to find out about sudo.
12. What the heck is that file.
13. Oh, so this is just strace command. Maybe it was just renamed. Anyway, I just kept playing with the command in order to get root or view root level files.
14. Looks like you can view the contexts of /root. There is a flag.txt file there. Let’s see if we can view it.
15. Well, I can view but I need to get root on this box. After searching for strace sudo, I came across this tid bit.
sudo /usr/bin/sysud64 -fe execve sudo -s