THM - Willow
What lies under the Willow Tree?
This one is Medium rated with no hints. Let’s begin.
nmap says we’ve got four ports: 22 (SSH), 80 (HTTP), 111 (RPCBind) and 2049 (NFS). So that’s interesting.
Let’s go check out the NFS share.
mount -t nfs 10.10.226.215:/ ./mountpoint/
In the mount we have a file; rsa_keys. In that, we get this:
Public Key Pair: (23, 37627)
Private Key Pair: (61527, 37627)
And that’s all we’ve got to go on. But, it’s a start.
On the website, all we get is a big old bunch of numbers, i.e.:
Actually, if we look closely, the first part is different: it’s hexadecimal. That decodes to:
Hey Willow, here’s your SSH Private key – you know where the decryption key is!.
So presumably the rest of it (and there is a lot) is the SSH key, encrypted with RSA.
Edit: after I was done with this, I went and checked some other writeups. Turns out the whole thing was hex and I could’ve saved myself some messing about by just hex decoding the whole lot right away. But, I didn’t realise that at the time and ended up working a bit harder and dumber. Lol. Here’s what I did:
So we’ve got e, d and n for our RSA decryption, but the cipher won’t decode nicely just the way it is. There may be some simple way around this, but for me it was just looking at the data and trying to figure out what was going on. It helps knowing that an RSA private key begins with
-----BEGIN RSA PRIVATE KEY-----
and ends with
-----END RSA PRIVATE KEY-----
I tried encoding a few of these characters to find out what they were supposed to encode to, and that helped.
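As an added illustration (not the writeup’s own code), here is the decryption side of that in Python: the e, d and n values are the ones from rsa_keys above, the hex note and the PEM header fragment are constructed sample inputs standing in for the numbers on the web page, and the helper names are my own. It checks that the key pair is actually consistent (n is small enough to factor by hand), hex-decodes the first part the way the page describes, and shows the trick of encrypting a known fragment such as the PEM header so you can tell what the ciphertext blocks ought to look like before trying to clean them up.

```python
# Added example, not the writeup's own code.
# Key material below is the pair recovered from the rsa_keys file on the NFS share.
from math import gcd

E, N = 23, 37627   # Public Key Pair (e, n)
D = 61527          # Private exponent d (Private Key Pair was (d, n))

PEM_HEADER = "-----BEGIN RSA PRIVATE KEY-----"

# Constructed sample: hex of the text "Hey Willow", standing in for the
# hexadecimal prefix the web page served.
SAMPLE_NOTE_HEX = "4865792057696c6c6f77"


def factor_small_modulus(n):
    """Trial division. Only sane for a toy modulus like 37627; real RSA moduli
    are hundreds of digits and this is exactly why they must be."""
    limit = int(n ** 0.5) + 1
    for p in range(2, limit):
        if n % p == 0:
            return p, n // p
    raise ValueError("no non-trivial factor found")


def key_pair_is_consistent(e, d, n):
    """A private exponent is only valid if e*d == 1 (mod phi(n))."""
    p, q = factor_small_modulus(n)
    phi = (p - 1) * (q - 1)
    return gcd(e, phi) == 1 and (e * d) % phi == 1


def decode_hex_note(hex_text):
    """The first part of the page was plain hex, so just hex-decode it."""
    return bytes.fromhex(hex_text).decode("ascii")


def encrypt_text(plaintext, e, n):
    """Textbook RSA with one byte per block: c = m^e mod n.
    (This is how the challenge data is laid out; it is not a secure scheme.)"""
    return [pow(b, e, n) for b in plaintext.encode("ascii")]


def decrypt_blocks(blocks, d, n):
    """Invert each block with m = c^d mod n and rebuild the bytes."""
    return bytes(pow(c, d, n) for c in blocks).decode("ascii")


def expected_blocks_for(fragment, e, n):
    """Encrypt a fragment we already know the plaintext of (e.g. the PEM
    header) so we know which numbers to look for at the start of the cipher."""
    return encrypt_text(fragment, e, n)


def starts_with_known_header(blocks, e, n, header=PEM_HEADER):
    """True when the leading blocks decrypt to the PEM header, i.e. the cipher
    is already laid out correctly and needs no further cleanup."""
    want = expected_blocks_for(header, e, n)
    return blocks[: len(want)] == want


if __name__ == "__main__":
    print("key pair consistent:", key_pair_is_consistent(E, D, N))
    print("hex note decodes to:", decode_hex_note(SAMPLE_NOTE_HEX))
    cipher = encrypt_text(PEM_HEADER + "\nconstructed body", E, N)
    print("first five blocks:", cipher[:5])
    print("header recognised:", starts_with_known_header(cipher, E, N))
    print("decrypts to:", decrypt_blocks(cipher, D, N).splitlines()[0])
```

If starts_with_known_header comes back False on real data, compare the first few blocks against expected_blocks_for(PEM_HEADER, E, N) by eye; the mismatch pattern tells you what junk (here, the stray 3s and 0s) has been mixed into the stream.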
Eventually I figured out that we had a bunch of extra 3’s in there. In fact, just about every second character was a superfluous ‘3’. Stripping those out got us close, but not all the way there. We also had a bunch of extra zeros; usually every fifth character but not always. Sort of like a reversed evil FizzBuzz. In the end I wrote some python code to clean up the cipher:
Once I had the cleaned-up cipher I dropped it into this website and got out an encrypted SSH key. John can deal with that:
With this information and the chmodded key we can log in as Willow. The user flag is in a jpg, so we can’t easily view it through SSH. Hmmmm.
Fortunately, we can grab it with scp:
root@kali:/opt/tryhackme/willow# scp -i id_rsa_enc firstname.lastname@example.org:/home/willow/user.jpg user.jpg
And then we can view the file and get the flag. Next, let’s see what Willow can do back on the box:
Checking in /dev/, we can find an interesting directory. Let’s check it out:
Cool, let’s do su root and grab the flag!
Wait, what? Haha…what could that mean?
And that’s where the flag was!
What a cracking box, I enjoyed this one. Thanks MuirlandOracle.