Pwned #0
Welcome to my series, where I will provide walkthroughs of various CTF challenges that are out there to root.
For starters I decided to take on a beginner-to-intermediate VM from Vulnhub. That site is a great resource for playing around with vulnerable machines. The recently created "Connect the Dots: 1" seemed like the challenge I was looking for. So let's get started.
https://www.vulnhub.com/entry/connect-the-dots-1,384
After the machine was booted up in my local network, a quick range scan provided me with its IP, as the image was configured for DHCP. So the first step was to run an nmap scan to see what is available to interact with.

Nothing too crazy, but Apache on port 80 and SSH on port 7822 looked like the most interesting points to start at. Comments inside the source of index.htm led me straight to another directory on the server, without the need for dirbuster or similar.

Looking at that directory, I immediately spotted a file that obviously does not belong there: bootstrap.css is fine, but bootstrap.cs seemed strange.

Indeed, that file had some strange content: several values obfuscated with JSFuck.

After concatenating the values of b1 to b10 and decoding the result to plain JS, I found the first hint:
alert("You're smart enough to understand me. Here's your secret, TryToGuessThisNorris@2k19")
So I tried to log in over SSH as norris:TryToGuessThisNorris@2k19, which worked perfectly and got me the first flag in user.txt.
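The decoding step above, as an added example that is not code from the original post or from the VM: a JSFuck payload split across several variables (mirroring b1 to b10 in bootstrap.cs) is reassembled and evaluated with alert() swapped for a collector, so the hidden string is captured on the command line instead of popping a browser dialog. The tiny encoder is only there to construct a labelled sample input; it spells just the letters this demo needs (real JSFuck reaches the remaining characters via longer constructions), and the payload text "not so secret" is invented.

```javascript
// Added example (not code from the original walkthrough or the VM): decoding a
// JSFuck payload that was split across several variables, the way the page
// describes b1..b10 in bootstrap.cs, without opening it in a browser.
//
// JSFuck builds every value from the six characters []()!+ .  The small encoder
// below exists only to construct a labelled sample input; it covers just the
// letters this demo needs (real JSFuck reaches the rest via longer constructions).

// Integer n as JSFuck: +[] is 0, +!+[] is 1, !+[]+!+[] is 2, and so on.
function jsfNumber(n) {
  if (n === 0) return '+[]';
  if (n === 1) return '+!+[]';
  return Array(n).fill('!+[]').join('+');
}

// Source strings that JSFuck can spell with []()!+ only.
function jsfSource(key) {
  switch (key) {
    case 'false':     return '(![]+[])';       // "false"
    case 'true':      return '(!![]+[])';      // "true"
    case 'undefined': return '([][[]]+[])';    // "undefined"
    // [].filter + [] -> "function filter() { [native code] }"; V8 and SpiderMonkey
    // agree on the first 18 characters, which is all we index into.
    case 'native':    return `([][${jsfString('filter')}]+[])`;
    default: throw new Error(`unknown source ${key}`);
  }
}

// Character -> [source string, index into it].
const CHAR_SOURCE = {
  f: ['false', 0], a: ['false', 1], l: ['false', 2], s: ['false', 3],
  t: ['true', 0], r: ['true', 1], u: ['true', 2], e: ['true', 3],
  n: ['undefined', 1], d: ['undefined', 2], i: ['undefined', 5],
  c: ['native', 3], o: ['native', 6], ' ': ['native', 8],
};

// A string as a JSFuck expression: concatenation of single indexed characters.
function jsfString(text) {
  return Array.from(text, (ch) => {
    const src = CHAR_SOURCE[ch];
    if (!src) throw new Error(`mini encoder cannot spell ${JSON.stringify(ch)}`);
    return `${jsfSource(src[0])}[${jsfNumber(src[1])}]`;
  }).join('+');
}

// alert(text) as JSFuck: [].filter.constructor is Function, so
// Function("return alert")() yields the global alert, which is then called.
function jsfAlertCall(text) {
  const fn = `[][${jsfString('filter')}][${jsfString('constructor')}]`;
  return `${fn}(${jsfString('return alert')})()(${jsfString(text)})`;
}

// Split a payload into `count` pieces, mirroring the b1..b10 variables.
function splitIntoChunks(payload, count) {
  const size = Math.ceil(payload.length / count);
  const chunks = [];
  for (let i = 0; i < payload.length; i += size) chunks.push(payload.slice(i, i + size));
  return chunks;
}

// Constructed sample input; the real bootstrap.cs content is not reproduced here.
const SAMPLE_CHUNKS = splitIntoChunks(jsfAlertCall('not so secret'), 10);

// Decoder: reassemble the pieces in order and run them with alert() swapped for a
// collector, so the hidden message is captured instead of popping a dialog.
// The character check refuses anything that is not pure JSFuck, so arbitrary
// JavaScript smuggled into a "JSFuck" blob is never executed by this tool.
function decodeJsFuck(chunks) {
  const joined = chunks.join('');
  if (/[^\[\]()!+]/.test(joined)) throw new Error('not pure JSFuck, refusing to evaluate');
  const captured = [];
  const savedAlert = globalThis.alert;
  globalThis.alert = (msg) => { captured.push(String(msg)); };
  try {
    new Function(joined)();
  } finally {
    globalThis.alert = savedAlert;
  }
  return captured;
}

console.log(decodeJsFuck(SAMPLE_CHUNKS)); // [ 'not so secret' ]
```

The six-character check is the part worth keeping when you adapt this for a real sample: anything that passes it can only reach the outside world through the handful of globals JSFuck can spell, and replacing alert() (and, if needed, other sinks) with collectors turns the evaluation into a harmless read of the hidden string.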

From here I did the standard post-exploitation checks: listing interesting directories, looking for SUID/SGID binaries, etc. Nothing too crazy was going on.
I was not able to run any sudo commands directly.
No juicy binaries like wget, find or nc were running as root.
Most of the recent exploits for the kernel and other packages were failing, because the machine had been created only 5 days ago.
I don't want to go further into every check I did, as this is supposed to be a walkthrough, but my effort to escalate privileges via exploits failed. The solution was much simpler than I initially thought:
The output of the groups command for the norris user shows that he is part of the sudo group. But norris could not use sudo directly, as he apparently was not included in the sudoers file. Luckily the package pkexec was installed, which allowed me to run commands as another user (including su) as long as the executing user is part of the sudo group. The initial use of pkexec failed with a strange error, though. Somehow the authentication failed:

This should normally work, right? So I did some research and eventually found the solution for that error in an open GitHub issue:
https://github.com/NixOS/nixpkgs/issues/18012

Using that approach, the call finally worked. I was able to switch to root using pkexec and reset the root password with passwd to one of my own. The only thing left was to find the last flag.

#Pwned
Bonus
Inside the home directory of norris there are some backup copies of the images used by the web server. When you open game.jpg with a text editor you will find a hint in Morse code inside:
-. — ……. -. — — .-. .-. .. … — .. — ……. -. — — — ..- . — — . …- . ……. — .- -.. . ……. — …. .. … ……. ..-. .- .-. .-.-.- ……. ..-. .- .-. ……. ..-. .- .-. ……. ..-. .-. — — — ……. …. . .- …- . -. ……. . — .- -. -. .- ……. … . . ……. …. . .-.. .-.. ……. -. — — . — .. — .. ……. …. .- …. .- ……. -. — — — ..- ……. … ..- .-. . .-.. -. — ……. — .. … … . -.. ……. — . — .. — ……. -.. .. -.. -. . — — . — ……. -. — — — ..- .. — .. ……. — — …. ……. -.. .- — -. ……. — -. — ……. -… .- — — . .-. -. — ……. .. … ……. .- -… — — ..- — ……. — — — ……. -.. .. . ……. .- -. -.. ……. .. ……. .- — ……. ..- -. .- -… .-.. . ……. — — — ……. ..-. .. -. -.. ……. — -. — ……. -.-. …. .- .-. — . . .-. ……. … — — ……. — .- ..- .. -.-. -.- .-.. -. — ……. .-.. . .- …- .. -. — . ……. .- ……. …. .. -. — ……. .. -. ……. …. . .-. . ……. -… . ..-. — — .-. . ……. — …. .. … ……. … -. — … — . — ……. … …. ..- — … ……. -.. — — . — -. ……. .- ..- — — — — .- — .. -.-. .- .-.. .-.. -. — .-.-.- ……. .. ……. .- — ……. … .- …- .. -. — . ……. — …. . ……. — . .- — . . — .- -. — ……. — — — ……. — -. — ……. -.. ..- -. — . . — — -. ……. .. -. ……. .- ……. . — — . … . -.-. .-. . — ..-. .. .-.. . . — — . ……. . — …. .. -.-. …. ……. .. … ……. . — . ..- -… .-.. .. -.-. .-.. -. — ……. .- -.-. -.-. . … … .. -… .-.. . .-.-.-
This translates to:
y_norris,_you’ve_made_this_far._far_far_from_heaven_wanna_see_hell_now?_haha_you_surely_missed_me,_didn’t_you?_oh_damn_my_battery_is_about_to_die_and_i_am_unable_to_find_my_charger_so_quickly_leaving_a_hint_in_here_before_this_system_shuts_down_automatically._i_am_saving_the_gateway_to_my_dungeon_in_a_’secretfile’_which_is_publicly_accessible.
I had already found the secretfile and restored the vi session before I found that hint, though. In the secretfile you will find the password for the second user, morris, on that machine. But the morris user does not help you to get root.
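Decoding a Morse hint like the one in game.jpg, as an added example that is not part of the original post: a decoder with an ITU table plus a normalisation step, because text copied out of a blog or a file viewer often arrives with "..." collapsed into a single ellipsis character and "--" turned into a dash, which is what the hint rendered above appears to have suffered. The seven-dot token between words is treated as a word separator and rendered as "_" to match the translation; that mapping, and the substitution undo, are assumptions. The sample inputs are constructed, not the challenge's own hint.

```javascript
// Added example (not code from the original walkthrough): a Morse decoder for
// hints like the one embedded in game.jpg, with a normalisation step for the
// typographic damage that copy/paste tends to introduce.

// ITU Morse table for letters, digits and common punctuation.
const MORSE_TABLE = {
  '.-': 'A', '-...': 'B', '-.-.': 'C', '-..': 'D', '.': 'E', '..-.': 'F', '--.': 'G',
  '....': 'H', '..': 'I', '.---': 'J', '-.-': 'K', '.-..': 'L', '--': 'M', '-.': 'N',
  '---': 'O', '.--.': 'P', '--.-': 'Q', '.-.': 'R', '...': 'S', '-': 'T', '..-': 'U',
  '...-': 'V', '.--': 'W', '-..-': 'X', '-.--': 'Y', '--..': 'Z',
  '-----': '0', '.----': '1', '..---': '2', '...--': '3', '....-': '4',
  '.....': '5', '-....': '6', '--...': '7', '---..': '8', '----.': '9',
  '.-.-.-': '.', '--..--': ',', '..--..': '?', '.----.': "'", '-.-.--': '!',
  '-..-.': '/', '---...': ':', '..--.-': '_', '.-.-.': '+', '-....-': '-',
  '.--.-.': '@', '-.--.': '(', '-.--.-': ')', '-...-': '=', '.-..-.': '"', '.-...': '&',
};

// Assumption: copy/paste turned "..." into "…" and "--" into "—" (or "–").
// Undo that before tokenising so the tokens match the table again.
function normalizeMorse(text) {
  return text.replace(/…/g, '...').replace(/[—–]/g, '--');
}

// Decode whitespace-separated Morse tokens.  `wordSep` is the token that separates
// words (ITU uses "/") and `wordSepChar` is what it is rendered as.  Tokens that are
// not in the table become `unknown` instead of aborting the whole decode.
function decodeMorse(message, { wordSep = '/', wordSepChar = ' ', unknown = '?' } = {}) {
  const out = [];
  for (const token of normalizeMorse(message).trim().split(/\s+/)) {
    if (token === '') continue;
    if (token === wordSep) { out.push(wordSepChar); continue; }
    const ch = MORSE_TABLE[token];
    out.push(ch === undefined ? unknown : ch.toLowerCase());
  }
  return out.join('');
}

// Constructed samples (not the page's hint).
const SAMPLE_ITU = '-.-- / -. --- .-. .-. .. ... --..-- / .... ..';
// The same message after typographic substitution, using a non-standard seven-dot
// word separator like the one the challenge hint appears to use (an assumption).
const SAMPLE_DAMAGED = '-.— ……. -. —- .-. .-. .. … —..— ……. …. ..';

console.log(decodeMorse(SAMPLE_ITU));                                              // y norris, hi
console.log(decodeMorse(SAMPLE_DAMAGED, { wordSep: '.......', wordSepChar: '_' })); // y_norris,_hi
```

Mapping unknown tokens to "?" rather than throwing is deliberate: with a garbled source you still get every recoverable character and can see exactly where the damage sits.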
