Peak Hill


[screenshot: nmap]

Port Scanning and Enumeration (Nmap, FTP)

nmap -sV -sC -oN nmap/initial -T4 10.10.17.233

[screenshot: nmap output]

FTP and SSH are open. Looks like FTP allows anonymous login. Let’s start with that.

[screenshot: nmap FTP script output]

Logging in with the user anonymous and password anonymous, we browse the server and see a couple of files: .creds (hidden) and test.txt. Grab them with the get command.


Pythonian Pickles served by the Cyber Chef

So we have this .creds file; catting it out, we’re flooded with ‘1’s and ‘0’s. Binary? Bacon? Probably binary. Let’s check with CyberChef.

[screenshot: CyberChef recipe]

Note: Download the output as a file, do not copy and paste it.

…ssh_pass …ssh_user

That sounds really interesting. Now is the time to click the link above ‘Python Pickle Module’. This is definitely a pickled object. Let’s write a script to handle this.

[screenshot: script]

Script I wrote to handle unpickling and to format the text so that it’s readable.

[screenshot: script output]

Output of the script


Little Pickle: Gherkin

So now that we’re on the box, let’s capture the user fl - -…?

[screenshot: permission denied on user.txt]

or… maybe not

Okay, so that’s out. But we did notice a random file owned by root in our directory. We can’t execute it, but we can transfer it to our machine and decompile it using uncompyle6.

[screenshot: decompiled script]

I see... this creates a service on port 7321. Once connected, it asks for a username and password; if they match, it runs commands. Nice.

We see the username and password stored at the top. Let’s use the remote machine to grab those really quick.

[screenshot: credentials]

Alright, now we’ll try to connect to that service.

[screenshot: connecting to the service]

Now that we have command execution, what can we find?

[screenshot: looking around]

Ooooh. An SSH directory.

[screenshot: .ssh directory listing]

I spy a private SSH key.

[screenshot: private key]

Let’s copy that down, save it, and give it the right permissions.

chmod 600 dill_id_rsa

ssh -i dill_id_rsa dill@10.10.17.233


Big Pickle: Dill

Now that we’re on Dill’s account, let’s finally capture that user flag!

[screenshot: user flag]

Now let’s set our eyes on the biggest pickle of them all: root.

The way this box is going, I’m not expecting any normal privesc vectors, but let’s try anyway.

sudo -l

[screenshot: sudo -l output]

Oh hey! We can run… whatever that is as root without requiring a password! Let’s see what it does!

[screenshot: first error]

Well, what if we gave it some base64?

[screenshot: passing base64 input]

[screenshot: third error]

But... pic - wait, you can’t grow pickles. You grow cucumbers... WAIT! It probably takes a pickled object!

After browsing the internet for a while and learning all I can about the pickle module, I stumbled across this paper: Sour Pickles.

That led me to this object, which I like to call...

PICKLES GONE BAD

[screenshot: the bad pickle]

Pickles don’t usually have shells. But this one, this one has GONE BAD.

[screenshot: base64-encoded bad pickle]

Base64-encoding that bad, bad pickle.
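Two steps in this writeup hinge on the same mechanism: the .creds file is a pickled object hiding behind a binary string, and the sudo-runnable script unpickles whatever base64 it is handed, which is exactly why a pickle can come with a shell attached. The block below is an added example, not the author’s script or the box’s code. It shows the decode chain for both encodings and the one defensive control the pickle docs recommend: a RestrictedUnpickler whose find_class refuses any GLOBAL reference not on an allow-list, so a pickle that tries to reach os, subprocess or builtins is rejected before any constructor runs. The sample pairs, the allow-list contents and the base64 payloads are constructed for the example; the real .creds layout and the script’s credentials are not reproduced.

```python
import base64
import collections
import io
import pickle

# Allow-list of (module, name) pairs a pickle may reference. Plain data (str, int,
# list, tuple, dict) needs no globals at all; anything else is refused before the
# unpickler runs any constructor. These two entries are placeholders for whatever a
# real application genuinely needs to reconstruct.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve GLOBAL/STACK_GLOBAL references only through the allow-list
    (the pattern recommended in the Python pickle documentation)."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def safe_loads(data: bytes):
    """Drop-in for pickle.loads that cannot be steered into arbitrary callables."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def decode_binary_string(text: str) -> bytes:
    """Turn a run of '0'/'1' characters (8 per byte, whitespace ignored) into bytes."""
    bits = "".join(text.split())
    if len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("input is not a whole number of 8-bit groups of 0/1")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def load_creds_from_binary_text(text: str) -> dict:
    """Decode a binary-string dump of a pickled list of (key, value) pairs into a dict."""
    pairs = safe_loads(decode_binary_string(text))
    return dict(pairs)


def handle_base64_pickle(b64_text: str):
    """What a privileged handler that accepts a base64 pickle should do: strict
    base64 decode, then unpickle through the restricted loader."""
    raw = base64.b64decode(b64_text, validate=True)
    return safe_loads(raw)


def try_handle(b64_text: str):
    """Return ('ok', obj) or ('rejected', reason) instead of letting the pickle decide."""
    try:
        return ("ok", handle_base64_pickle(b64_text))
    except (pickle.UnpicklingError, ValueError) as exc:
        return ("rejected", str(exc))


# Constructed sample data (not the box's real .creds): a pickled list of
# (key, value) pairs written out as a string of 0s and 1s, the same transformation
# the .creds file needed before it could be unpickled.
SAMPLE_PAIRS = [("ssh_user", "example_user"), ("ssh_pass", "example_pass")]
SAMPLE_BINARY_TEXT = " ".join(format(b, "08b") for b in pickle.dumps(SAMPLE_PAIRS))

# Constructed base64 pickles for the privileged-handler path. The first is plain
# data and loads; the second carries a GLOBAL reference (collections.OrderedDict,
# harmless in itself) and exercises the same opcode a malicious pickle relies on,
# so the restricted loader must refuse it.
SAMPLE_PLAIN_PICKLE_B64 = base64.b64encode(pickle.dumps({"action": "status"})).decode()
SAMPLE_GLOBAL_PICKLE_B64 = base64.b64encode(
    pickle.dumps(collections.OrderedDict(a=1))).decode()


if __name__ == "__main__":
    print(load_creds_from_binary_text(SAMPLE_BINARY_TEXT))
    print(try_handle(SAMPLE_PLAIN_PICKLE_B64))
    print(try_handle(SAMPLE_GLOBAL_PICKLE_B64))
```

The point of the allow-list is that pickle is a small stack machine, and the GLOBAL opcode is what lets a stream name a callable to invoke; with find_class gated, a stream can still carry lists, strings and dicts (everything .creds needed) but cannot name anything that spawns a process, so a setuid or sudo-run consumer of untrusted pickles stops being a root shell waiting to happen.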

[screenshot: root shell]

And just like that, we get root! Let’s capture the root fla - oh come on now.

[screenshot: root.txt not found]

But it’s right there! Turns out there’s a space or something in front of the filename. Oh well. CAT ALL THE THINGS.

[screenshot: root flag]