Junior Hacking Talent - Quay Ngược Thời Gian Writeup
We’ll start off by dumping all the strings contained in the memory dump with the strings utility:
❯ strings mem.mem > memstr.txt
As the CTF hinted that an SSH connection was established using a private key, we can look for it with grep, relying on the fact that these keys usually start with BEGIN OPENSSH PRIVATE KEY.
❯ grep "OPENSSH PRIVATE KEY" memstr.txt -A 40
Looking at the result, there are plenty of matches for the start of the key, but most of them are missing the end, which is END OPENSSH PRIVATE KEY. The ones which contain both of these are complete and seem to be repetitions of the same key. We’ll save it into a file named id_rsa.
Also, make sure that the key file has the proper permissions, or ssh will refuse to use it:
❯ chmod 600 id_rsa
Next up is searching for the ssh command inside the memory dump to find out where this key was used:
❯ grep "ssh " memstr.txt
ssh -C -l %u %h exec /usr/sbin/imapd
possible to restrict the ssh key to "borg serve" using the
[00m$ ssh trung1423
ssh trung1423
ssh trung149@188.166.233.168 -p 18888
[00m$ ssh trung1423
ssh trung1423
vm@ubuntu:~$ ssh trung149@188.166.233.168 -p 18888
ssh in a
ssh -C -l %u %h exec /usr/sbin/imapd
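The manual grep-and-eyeball steps above (finding key blocks that have both a BEGIN and an END marker, dropping the repeated copies, saving the key with mode 600, and pulling the user, host and port out of the recovered ssh command line) can be done in one pass over the strings dump. The script below is an added example written for this writeup, not code from the original post. It works on a constructed stand-in for the strings output: the key body is only the OpenSSH magic prefix plus a placeholder, not real key material, and the function and variable names are my own. Besides checking for both markers, it decodes the base64 payload and checks for the openssh-key-v1 magic, which rejects a truncated fragment that a naive BEGIN.*END regex would glue to the next key.

```python
import base64
import binascii
import os
import re
import tempfile
from typing import List, Tuple

BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"
# Every OpenSSH-format private key decodes to this magic string (PROTOCOL.key).
AUTH_MAGIC = b"openssh-key-v1\x00"

# Constructed stand-in for `strings mem.mem` output: a truncated key (BEGIN with
# no END), one complete key that appears twice, and the kinds of ssh lines the
# grep in the writeup returned. The key body is the magic prefix followed by
# base64("PLACEHOLDER"), not real key material.
SAMPLE_STRINGS_DUMP = """\
some unrelated string
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAA
another unrelated string
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAA
UExBQ0VIT0xERVI=
-----END OPENSSH PRIVATE KEY-----
ssh -C -l %u %h exec /usr/sbin/imapd
possible to restrict the ssh key to "borg serve" using the
vm@ubuntu:~$ ssh trung149@188.166.233.168 -p 18888
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAA
UExBQ0VIT0xERVI=
-----END OPENSSH PRIVATE KEY-----
ssh trung1423
"""


def _body_is_openssh_key(body_lines: List[str]) -> bool:
    """True if the joined base64 payload decodes and starts with the OpenSSH magic."""
    try:
        raw = base64.b64decode("".join(body_lines), validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(AUTH_MAGIC)


def carve_openssh_keys(text: str) -> Tuple[List[str], int]:
    """Return (unique complete keys, number of rejected blocks) from a strings dump.

    A block counts only if its BEGIN is followed by an END before the next BEGIN
    and its payload carries the magic; truncated or garbage blocks are rejected.
    """
    keys: List[str] = []
    rejected = 0
    current = None  # body lines of the block being collected, or None
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            if current is not None:
                rejected += 1  # the previous BEGIN never reached its END
            current = []
        elif line == END:
            if current is None:
                continue  # stray END with no header
            if _body_is_openssh_key(current):
                key = "\n".join([BEGIN, *current, END]) + "\n"
                if key not in keys:  # the same key sits in memory several times
                    keys.append(key)
            else:
                rejected += 1
            current = None
        elif current is not None:
            current.append(line)
    if current is not None:
        rejected += 1
    return keys, rejected


def save_key(key: str, path: str) -> int:
    """Write the key owner-readable only (the chmod 600 step); return the mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key)
    os.chmod(path, 0o600)  # explicit, in case the file already existed wider
    return os.stat(path).st_mode & 0o777


SSH_LINE = re.compile(r"\bssh\b(?P<args>.*)")
USER_HOST = re.compile(r"(?P<user>[A-Za-z0-9._-]+)@(?P<host>[A-Za-z0-9._-]+)")
PORT = re.compile(r"-p\s*(?P<port>\d+)")


def find_ssh_targets(text: str) -> List[Tuple[str, str, int]]:
    """Extract unique (user, host, port) from ssh command lines in the dump."""
    targets: List[Tuple[str, str, int]] = []
    for line in text.splitlines():
        m = SSH_LINE.search(line)
        if not m:
            continue
        uh = USER_HOST.search(m.group("args"))
        if not uh:
            continue  # lines like "ssh -C -l %u %h" carry no user@host
        p = PORT.search(m.group("args"))
        target = (uh.group("user"), uh.group("host"), int(p.group("port")) if p else 22)
        if target not in targets:
            targets.append(target)
    return targets


def run_demo() -> Tuple[int, int, List[Tuple[str, str, int]], int]:
    keys, rejected = carve_openssh_keys(SAMPLE_STRINGS_DUMP)
    with tempfile.TemporaryDirectory() as tmp:
        mode = save_key(keys[0], os.path.join(tmp, "id_rsa")) if keys else -1
    return len(keys), rejected, find_ssh_targets(SAMPLE_STRINGS_DUMP), mode


if __name__ == "__main__":
    n, rejected, targets, mode = run_demo()
    print(f"complete unique keys: {n}, rejected blocks: {rejected}, id_rsa mode: {mode:o}")
    for user, host, port in targets:
        print(f"ssh {user}@{host} -p {port} -i id_rsa")
```

To run it against the real dump, replace SAMPLE_STRINGS_DUMP with the contents of memstr.txt read with errors="replace" (strings output is not guaranteed to be clean UTF-8) and pass a real path to save_key. The rejected count is worth reporting: a high number of truncated BEGIN blocks is normal in a memory image, since the key is copied around in fragments, and the magic check is what separates the one usable copy from those fragments.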
We now have both the key and the ssh user, IP and port to establish the SSH connection.
❯ ssh trung149@188.166.233.168 -p 18888 -i id_rsa
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-73-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Tue Sep 7 16:51:46 2021 from x.x.x.x
----------------------------------------------------
|This is your prize |
|CTF{use_key_to_login_is_more_secur3_than_password}|
----------------------------------------------------
Connection to 188.166.233.168 closed.