hubertf's Writeup on TryHackMe's Advent of Cyber 2023
Side Quest 3: Frosteau Busy with Vim
Hubert Feyrer, December 2023

Getting into the side quest

  1. Day 11's Active Directory task leads to side quest 3. Again, I'll not go into details on the daily task, but focus on the side quest.
  2. When using the VM of the task, there is a chat log on the Administrator's desktop. The chat shows that screenshots are sent back and forth, together with instructions to crop the screenshots to the important information to not leak anything visible by accident. A useful hint!
  3. The chat log has two images, one full-size and one cropped, plus an image that was deleted from the chat.

  4. The first idea was: undelete the deleted image. Spoiler alert: this was wasted time.
  5. As the task's VM didn't have an internet connection, getting the images and chat log out was a bit of a challenge. All that was available was a "shell"-like text-only connection with evil-winrm. After various attempts, I ended up running the evil-winrm session inside a "script" session, base64-encoding the files, and bringing them to light via "type foo.txt". On the receiving end, I quit the "script" session, then removed unneeded information and decoded the file with "base64 -d foo.txt". Sounds obvious? Well, maybe except for one thing: how do you do base64 encoding on Windows? I was preparing for another major battle, but this was solved very easily "Living Off The Land" style, using certutil -encode bla.png bla.txt. Easy, hm?

  6. After some pondering, I remembered something from last summer's news about image cropping not working properly. It was first discovered on Samsung mobile phones, and later also found with Microsoft's snipping tool. The point was that in cropped screenshots, the full information was still available, and it was possible to recover it. The bug was nicknamed "aCropalypse", and I looked into it.
  7. There are several tools available that try to recover the needed information.
  8. The first one I tried was a web-based tool. Easy, as no fighting with dependencies and tools is needed. However, this didn't reveal anything. Was my idea wrong?
  9. There was another tool, Acropalypse-Multi-Tool, available on GitHub. Written in Python, it was easy to install.
  10. The tool needs a number of parameters: the original image resolution, and the color model. The image size was easy, as the first screenshot was not cropped. The color model depends on the tool the screenshot was made with; for Microsoft's snipping tool, "RGBA" was the right choice.

  11. In the end, this revealed the QR code to enter side quest 3.
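The aCropalypse bug works because the cropped PNG is written over the original file without truncating it, so the tail of the original image survives after the IEND chunk. The following check, added here as an example and not part of the original writeup or of any of the tools mentioned, walks the PNG chunk list and reports how many bytes follow IEND; it runs on two constructed sample images rather than on the screenshots from the task.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data: bytes) -> int:
    """Walk the chunk list and return how many bytes follow the IEND chunk.

    Viewers stop at IEND, so anything after it is invisible but still in the
    file. A cropped screenshot written in place without truncating leaves the
    tail of the original image there, which is what the recovery tools rebuild
    the picture from. Zero means the file is clean.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # length+type header, chunk data, CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("no IEND chunk: truncated or corrupt PNG")


def leaks_original(data: bytes) -> bool:
    """True if the file carries hidden data after IEND (aCropalypse indicator)."""
    return png_trailing_bytes(data) > 0


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_rgba_png(width: int, height: int, rows: list) -> bytes:
    """Build a minimal 8-bit RGBA PNG (constructed test input, not a real screenshot)."""
    raw = b"".join(b"\x00" + row for row in rows)      # filter type 0 per scanline
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


# Constructed samples: a clean 2x1 crop, and the same crop followed by the IDAT
# and IEND chunks of a larger "original", as left behind by an in-place overwrite.
CLEAN_PNG = make_rgba_png(2, 1, [b"\xff\x00\x00\xff\x00\x00\xff\xff"])
ORIGINAL_TAIL = make_rgba_png(4, 1, [b"\x00\xff\x00\xff" * 4])[len(PNG_SIG) + 25:]
LEAKY_PNG = CLEAN_PNG + ORIGINAL_TAIL

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("cropped in place", LEAKY_PNG)):
        print(f"{name}: {png_trailing_bytes(blob)} byte(s) after IEND")
```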

Objectives

  1. Well, as in the previous side quests, there wasn't exactly a lot of information on what to do. "Go forth and ice Frosteau's machine!" was all there was in the text.
  2. What proved to be more useful was the computer screen, which displayed logos of vim, ftp, docker and BusyBox. But you only know that after the fact.
  3. The questions to answer were also not so useful, hinting at four flags and yet another yetikey file.

Solving the side quest

Part 1: 8075/tcp FTP

  1. There was a VM provided, so things started easy with an nmap scan:
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
    80/tcp   open  http    WebSockify Python/3.8.10
    8065/tcp open  telnet  print Ubuntu & close
    8075/tcp open  ftp     BusyBox ftpd (D-Link DCS-932L IP-Cam camera)
    8085/tcp open  telnet  vim
    8095/tcp open  telnet  nano
  2. The biggest time wasters were ssh and the webserver on port 80.
  3. Ports 8085 and 8095 just started vim and nano in a shell; we'll get back to that in a second. The ftp on port 8075 was obvious to use, which left 8065 as a mysterious service that just printed "Ubuntu" and then closed the connection when connected to.
  4. Using Kali's command line FTP client, ftp ftp://10.10.73.129/ was enough to get into the machine. Login? No login with anonymous FTP, as they teach in TCP/IP kindergarten.
  5. Besides a few TXT and PNG files, the FTP listing showed two interesting flag files. The first one had the first flag right away, the second one only had a mysterious hint: echo $FLAG2. Well, one down, four to go.

Part 2: 8085/tcp vim & 8095/tcp nano

  1. Doodling around with vim and nano quickly showed a few points, as follows.
  2. Both editors have ways to browse the system. In nano, press ^T (Control key and "t"). In vim, there are two ways: when using ":r" to read a file, there is a limited file browser. The more comfortable way is using ":Explore", and you'd think Emacs was bloated. Not with vim!
  3. The immediate thought was, of course: how do I get a shell from vi?
  4. The obvious answer was, of course: ":!". Which did not work, and even with various :set and :let commands and the various sh and busybox binaries found on the system, all of this proved just a waste of time.
  5. On that journey, while looking at all those vim variables, the 2nd hint from the FTP server made sense. Using ":echo $FLAG2" gave just that. Two more to go!

Part 3: Mysterious 8065/tcp

  1. In side quest 3 so far I had searched the system up and down using the file browsers mentioned above. I found that the system was pretty empty (nothing in /bin etc.), but as outlined above there were a few copies named "sh" and "busybox".
  2. Nothing worked from inside vim or nano, so I looked back at the mysterious port 8065. Not being used to hipster tools like "nc"/netcat or even ncat, I usually prefer to open my TCP connections with "telnet".
    $ telnet 10.10.7.214 8065
    Trying 10.10.7.214...
    Connected to 10.10.7.214.
    Escape character is '^]'.
    
    Ubuntu 22.04.3 LTS
    Connection closed by foreign host.
  3. When starting vim and nano the system also printed this Ubuntu message, and looking into /etc/issue the same message can be found.
  4. So my guess was: something tries to get started, but can't.
  5. After much guessing, riddling and also a chat with a few smart people on Discord, I had a closer look at /usr/frosty/sh.
  6. The file was empty, but what if it weren't? I tried putting the path of some of the busybox binaries there, tried connecting to port 8065, and eventually got a shell after putting this into /usr/frosty/sh:
    #!/etc/file/busybox
  7. Bingo! Even more so, as "id" confirmed this was not only a shell, but actually one running with UID 0, a root shell. So it's access all areas now! :-)
  8. The filesystem still had very few commands available, so busybox was needed here. To make things easier, a bash alias helped, and eventually I found the 3rd flag.

  9. Looking around further on the system, I came across /etc/bootstrap.sh, which was only readable by root, so I couldn't reach it with either vim or nano. Looking at it confirmed that the TCP service on port 8065 was running via /usr/frosty/sh.

Part 4: Storage - The final frontier^Wflag

  1. So where is flag 4? In previous side quests I was wondering if flags are maybe hidden in unmounted storage devices. E.g. on the webcam from SQ2 I suspected that images are stored on a USB stick (they weren't).
  2. Looking with ps, I saw many processes where I didn't find the corresponding binary, which also made me wonder if we are in some chroot or container.
  3. Looking around, fdisk -l quickly showed me a partition /dev/xvda1 on a Xen Virtual Block Disk that was not mounted. This is also what Docker uses, giving us a hint on what's going on here.
  4. Cautiously, I tried mounting it read-only so as not to make any changes or destroy anything. As that didn't work, and we're in a training environment anyway, I took the risk and mounted it read-write, which got the disk mounted successfully.

  5. Looking around, flag 4 was not hard to find, and next to it was the yetikey3.txt file. Success!

Summary

  1. The 3rd side quest consisted of a number of steps to perform in sequence.
  2. Using ftp and vim to get to the first two flags was pretty straightforward.
  3. The 3rd flag I found very hard, as it involved guessing as to what's happening on port 8065, and how to get things working. Not my favorite part of the show, but it worked out ok.
  4. Hiding the last flag on unmounted storage proved my earlier suspicion right, and as such it's the part I liked most about SQ3.
  5. The difficulty rating for SQ3 is "insane". I think the way to the 3rd flag justifies it, but only because it's guesswork where I wasn't able to apply analytics.
    Or maybe I just missed something? Drop me a note if so!

Copyright (c) 2023 Hubert Feyrer
$Id: index.html,v 1.14 2023/12/29 15:22:50 feh39068 Exp $