Junior Hacking Talent - Quay Ngược Thời Gian Writeup

We’ll start off by dumping all the printable strings contained in the memory dump with the strings utility.

❯ strings mem.mem > memstr.txt

As the CTF hinted that an SSH connection had been established using a private key, we can grep for one, relying on the fact that these keys usually start with BEGIN OPENSSH PRIVATE KEY.

❯ grep "OPENSSH PRIVATE KEY" memstr.txt -A 40

Looking at the result, there are plenty of matches for the start of the key, but most of them are missing the end, which is END OPENSSH PRIVATE KEY. The ones that contain both markers are complete and appear to be repetitions of the same key. We’ll save one of them into a file named id_rsa.

Also, make sure the key file has restrictive permissions, otherwise ssh will refuse to use it.

❯ chmod 600 id_rsa
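Picking the complete copies out of the grep output can be scripted instead of eyeballed. The carver below is an added example, not part of the original writeup: it walks a dump for BEGIN/END marker pairs, drops fragments whose END belongs to a later copy (the truncated matches seen above), checks that the base64 body decodes to the openssh-key-v1 magic every OpenSSH key blob starts with, and dedupes the repeated copies. The memory contents it runs on are constructed.

```python
import base64

BEGIN = b"-----BEGIN OPENSSH PRIVATE KEY-----"
END = b"-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"  # first bytes of every decoded OpenSSH key blob


def carve_openssh_keys(data: bytes) -> list[str]:
    """Return each distinct, complete OpenSSH private key found in data."""
    keys: list[str] = []
    pos = 0
    while (start := data.find(BEGIN, pos)) != -1:
        end = data.find(END, start)
        nxt = data.find(BEGIN, start + len(BEGIN))
        if end == -1 or (nxt != -1 and nxt < end):
            # BEGIN without its own END: a copy cut off at a page boundary.
            pos = start + len(BEGIN)
            continue
        block = data[start:end + len(END)]
        body = b"".join(block[len(BEGIN):-len(END)].split())  # drop newlines
        try:
            blob = base64.b64decode(body, validate=True)
        except ValueError:  # bad base64 (binascii.Error is a ValueError)
            blob = b""
        if blob.startswith(MAGIC):
            text = block.decode("ascii")
            if text not in keys:  # the same key is usually paged in many times
                keys.append(text)
        pos = end + len(END)
    return keys


def _pem(blob: bytes) -> bytes:
    """Wrap a blob in PEM-style armour, 70 base64 characters per line."""
    b64 = base64.b64encode(blob)
    body = b"\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return BEGIN + b"\n" + body + b"\n" + END + b"\n"


# Constructed stand-in for the memory image: a truncated copy, a full copy,
# an armoured block that is not an OpenSSH key, and a repeat of the full copy.
GOOD_KEY = _pem(MAGIC + b"\x00\x00\x00\x04none" * 8)
NOT_A_KEY = _pem(b"not an openssh key blob")
SAMPLE_DUMP = (
    b"\x00\x00unrelated process memory\x00"
    + GOOD_KEY[:60] + b"\x00junk\x00"
    + GOOD_KEY + b"\nmore junk\n"
    + NOT_A_KEY
    + GOOD_KEY
)

if __name__ == "__main__":
    for key in carve_openssh_keys(SAMPLE_DUMP):
        print(key)  # redirect into id_rsa and chmod 600 as above
```

Run against a real image by reading the file as bytes and passing it to carve_openssh_keys; it works on the raw dump as well as on the strings output.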

Next up is searching the memory dump for the ssh command this key was used with.

❯ grep "ssh " memstr.txt
ssh -C -l %u %h exec /usr/sbin/imapd
 possible to restrict the ssh key to "borg serve" using the
[00m$ ssh trung1423
ssh trung1423
ssh trung149@ -p 18888
[00m$ ssh trung1423
ssh trung1423
vm@ubuntu:~$ ssh trung149@ -p 18888
ssh in a
ssh -C -l %u %h exec /usr/sbin/imapd

We now have the key as well as the SSH user, IP and port needed to establish the connection.

❯ ssh trung149@ -p 18888 -i id_rsa
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-73-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Tue Sep  7 16:51:46 2021 from x.x.x.x
|This is your prize                                |
Connection to closed.