THM - Willow
Introduction
What lies under the Willow Tree?
This one is Medium rated with no hints. Let’s begin.
Ports
nmap says we’ve got four ports: 22 (SSH), 80 (HTTP), 111 (RPCBind) and 2049 (NFS). So that’s interesting.
NFS
Let’s go check out the NFS share.
mkdir mountpoint
mount -t nfs 10.10.226.215:/ ./mountpoint/
In the mount we have a single file, rsa_keys, containing this:
Public Key Pair: (23, 37627)
Private Key Pair: (61527, 37627)
And that’s all we’ve got to go on. But, it’s a start.
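The share above is the box's entire root filesystem, handed out over NFS to anyone who can reach port 2049. As an added example (my own, not from the writeup or the box), here is a small audit of an /etc/exports file that flags exactly that kind of export: a path offered to every host, the root filesystem itself, and options such as no_root_squash or insecure. The exports content is constructed for the example; it is not the machine's real configuration.

```python
import re
from typing import NamedTuple

# Constructed sample for this example, not the box's real /etc/exports.
SAMPLE_EXPORTS = """\
# constructed sample
/ *(rw,sync,no_root_squash)
/srv/share 10.0.0.0/24(ro,sync)
/home/willow 192.168.1.0/24(rw,no_subtree_check,insecure)
"""

# Options that widen the blast radius of an export.
RISKY_OPTS = {
    "no_root_squash": "remote root keeps uid 0 on the share",
    "insecure": "accepts requests from non-privileged source ports",
}


class Finding(NamedTuple):
    path: str
    client: str
    reason: str


def parse_exports(text: str):
    """Yield (path, client, options) for every client spec in an exports file.

    Each line is '<path> <client>(opts) <client>(opts) ...'; comments start
    with '#'. A client with no parenthesised options gets an empty set.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"          # bare "(opts)" means every host
            opts = {o for o in (m.group(2) or "").split(",") if o}
            yield path, client, opts


def audit_exports(text: str) -> list[Finding]:
    """Return one Finding per risky property of each export entry."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append(Finding(path, client, "exported to every host"))
        if path == "/":
            findings.append(Finding(path, client, "root filesystem exported"))
        for opt in sorted(opts & RISKY_OPTS.keys()):
            findings.append(Finding(path, client, f"{opt}: {RISKY_OPTS[opt]}"))
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.path:<14} {f.client:<16} {f.reason}")
```

Point it at a real file with `audit_exports(open("/etc/exports").read())`; on the sample it reports the wide-open root export three times over (every host, root filesystem, no_root_squash) and the `insecure` option on the home directory, and stays silent about the read-only, subnet-restricted share.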
Webserver
On the website, all we get is a big old bunch of numbers, i.e.:
4865792057696c6c6f772c2068657265277320796f75722053534820507 snip
Actually if we look closely, the first bit is different - it’s hexadecimal. That decodes to:
Hey Willow, here’s your SSH Private key – you know where the decryption key is!.
So presumably the rest of it (and there is a lot) is the SSH key, encrypted with RSA….
RSA
Edit: after I was done with this, I went and checked some other writeups. Turns out the whole thing was hex and I could’ve saved myself some messing about by just hex decoding the whole lot right away. But, I didn’t realise that at the time and ended up working a bit harder and dumber. Lol. Here’s what I did:
So we’ve got e, d and n for our RSA decryption, but the ciphertext won’t decrypt cleanly just the way it is. There may be some simple way around this, but for me it was just looking at the data and trying to figure out what was going on. It helps knowing that an RSA private key begins with
-----BEGIN RSA PRIVATE KEY-----
and ends with
-----END RSA PRIVATE KEY-----
I tried encoding a few of these characters to find out what they were supposed to encode to, and that helped.
Eventually I figured out that we had a bunch of extra 3’s in there. In fact, just about every second character was a superfluous ‘3’. Stripping those out got us close, but not all the way there. We also had a bunch of extra zeros; usually every fifth character but not always. Sort of like a reversed evil FizzBuzz. In the end I wrote some python code to clean up the cipher:
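My clean-up script isn't reproduced here, and I don't want to guess at the exact block format the box used, so what follows is an added example of my own rather than the writeup's code. It uses the pair the rsa_keys file gave us, (e, n) = (23, 37627) and (d, n) = (61527, 37627), and makes two points a defender should take from this box: n is so small that d can be recovered from the public pair alone in a fraction of a second, and encrypting one byte per RSA block with no padding turns RSA into a plain substitution cipher. The one-byte-per-block encoding and the sample plaintext are assumptions for illustration, not the site's real ciphertext; the hex banner is the prefix quoted above.

```python
# Key material from the rsa_keys file on the NFS share.
E, N = 23, 37627          # public pair
D = 61527                 # private exponent as given on the box

# The hex prefix from the web page (trailing odd nibble is where the snip cut it).
HEX_PREFIX = "4865792057696c6c6f772c2068657265277320796f75722053534820507"


def hex_decode_prefix(hexstr: str) -> str:
    """Decode the hex banner, dropping a dangling half-byte left by truncation."""
    if len(hexstr) % 2:
        hexstr = hexstr[:-1]
    return bytes.fromhex(hexstr).decode("ascii")


def factor_modulus(n: int) -> tuple[int, int]:
    """Trial division. A 16-bit modulus has a factor below 194, so this is instant."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no non-trivial factor found")


def recover_private_exponent(e: int, n: int) -> int:
    """Rebuild d from the public pair only: factor n, then invert e mod phi(n)."""
    p, q = factor_modulus(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)           # Python 3.8+ modular inverse


def rsa_encrypt_bytes(data: bytes, e: int, n: int) -> list[int]:
    """Assumed encoding: textbook RSA, one plaintext byte per block, no padding."""
    return [pow(b, e, n) for b in data]


def rsa_decrypt_blocks(blocks: list[int], d: int, n: int) -> bytes:
    """Inverse of rsa_encrypt_bytes; every block decrypts to a single byte."""
    return bytes(pow(c, d, n) for c in blocks)


def is_substitution_cipher(blocks: list[int], data: bytes) -> bool:
    """True when equal plaintext bytes always produced equal blocks (no randomness)."""
    mapping = {}
    for b, c in zip(data, blocks):
        if mapping.setdefault(b, c) != c:
            return False
    return True


if __name__ == "__main__":
    print(hex_decode_prefix(HEX_PREFIX))
    p, q = factor_modulus(N)
    d_recovered = recover_private_exponent(E, N)
    phi = (p - 1) * (q - 1)
    print(f"n = {p} * {q}, recovered d = {d_recovered}, box's d = {D}, "
          f"same exponent mod phi: {(D - d_recovered) % phi == 0}")
    sample = b"-----BEGIN RSA PRIVATE KEY-----"      # constructed plaintext
    blocks = rsa_encrypt_bytes(sample, E, N)
    print(rsa_decrypt_blocks(blocks, D, N))
    print("deterministic per-byte mapping:", is_substitution_cipher(blocks, sample))
```

Two things fall out of running it. The recovered exponent is 24287, which is the box's 61527 reduced mod phi(n) = 190 * 196 = 37240, so both decrypt identically and the private pair on the share was never needed. And because every block is a function of one byte, a ciphertext like the web page's repeats the same block wherever the same character appears, which is why eyeballing the header and footer of a PEM key gets you so far.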
Decode
Once I had the cleaned-up cipher I dropped it into this website and got out an encrypted SSH key. John can deal with that:
Willow
With this information and the chmodded key we can log in as Willow. The user flag is in a jpg, so we can’t easily view it through SSH. Hmmmm.
Fortunately, we can grab it with scp:
root@kali:/opt/tryhackme/willow# scp -i id_rsa_enc willow@10.10.21.220:/home/willow/user.jpg user.jpg
And then we can view the file and get the flag. Next, let’s see what Willow can do back on the box:
Privesc
Checking in /dev/, we can find an interesting directory. Let’s check it out:
Cool, let’s do su root and grab the flag!
Wait, what? Haha…what could that mean?
And that’s where the flag was!
What a cracking box, I enjoyed this one. Thanks MuirlandOracle.