Set the Controls for the Heart of the Sun

Recently I created my first boot2root challenge, The Wall, for the Vulnhub community. I hope everyone enjoys it; here is my writeup of the intended path to root.

“In 1965, one of the most influential bands of our times was formed.. Pink Floyd. This boot2root box has been created to celebrate 50 years of Pink Floyd’s contribution to the music industry, with each challenge giving the attacker an introduction to each member of the Floyd.

Your challenge is simple… set your controls for the heart of the sun, get root, and grab the flag! Rock on!”

Before we begin.. we had better get some Floyd tunes rocking. My choice of album today is Pink Floyd’s sixth studio album, Meddle (1971). With the music sorted, let’s leave The Dark Side of the Moon and Set the Controls for the Heart of the Sun!

Just like all boot2root CTF challenges, we need to find our victim machine:

There it is (192.168.240.157) at 00:0c:29:1c:22:ef; just Another Brick in the Wall.

Time for some nmap Pink Floyd Discovery:

All 65535 ports are filtered? No Echoes to ICMP probes? Interesting… “filtered” means nmap got no answer at all (no SYN/ACK, no RST), so the packets are being silently dropped rather than rejected. It looks as though The Wall is actually some sort of firewall!

Let’s see if we can find any hints in the network traffic:

Okay then… there is lots of broadcast traffic coming from The Wall. Let’s filter that out:

It looks like The Wall is trying to connect to any host on the subnet listening on port 1337. The box is initiating that connection outbound, so its inbound filtering is irrelevant: all we have to do is be the host that answers. Time to set up a listener on port 1337.

[Image: nc listener on port 1337 catching the callback]

Just like Money, “it’s a hit”!

“… don’t be surprised when a crack in the ice appears under your feet”. Interesting.. a hint perhaps? Like all good challenges, enumeration is always the key. Port scanning the host again reveals port 80/tcp is now open; accepting that callback has evidently punched the first hole in The Wall. Now we are getting somewhere… let’s take a look. Browsing to port 80 presents us with a great photograph of all original band members:

[Image: pink_floyd.jpg, the original band members]

Let’s look a little harder:

Some interesting comments there. First off, let’s decode that hex:

Decoding the hex reveals another secret. Is it an encoding or a hash? At 32 hex characters it looks like an MD5 hash to me, but let’s double check:

Time to crack the hash (MD5 is a one-way digest, so “decrypting” it really means finding a wordlist entry that hashes to the same value):

33115730dbbb370fcbe9720fe632ec05:divisionbell. Too easy… so now we have steg=divisionbell, but what can we do with that? Let’s look at the comments in the webpage again. “The Publius Enigma is a mystery surrounding the Division Bell album. Publius promised an unspecified reward for solving the riddle, and further claimed that there was an enigma hidden within the artwork.”

Okay.. so we are looking at Steganography here. If you want to know more about the Publius Enigma mystery, take a look here. Onwards and upwards.. it’s Steghide time!

More decoding! Base64 decoding first:

Running the result through hash-identifier reveals it’s also an MD5 hash. Let’s crack it:

“SydBarrett” and “pinkfloydrocks”. Sounds like a username and password to me?
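The two decode-then-crack steps above (hex around an MD5, then base64 around another MD5) are the same routine applied twice, so here is one worked version of it. This is an added example, not the author’s tooling: the hex sample is constructed here by hex-encoding “steg=” followed by the MD5 quoted in the writeup, the base64 sample is a constructed encoding of “SydBarrett”, and the tiny WORDLIST stands in for a real dictionary such as rockyou.txt. The same peel() function also handles the 32-character string found later on the second website, which is why it refuses to treat “MD5-shaped” as proof of an MD5.

```python
import base64
import hashlib
import re

# Constructed sample: hex of "steg=<md5>" using the MD5 quoted in the writeup.
# The real page comment is not reproduced here.
HEX_COMMENT = (
    "737465673d"
    "3333313135373330" "6462626233373066"
    "6362653937323066" "6536333265633035"
)
# Constructed sample: base64 of "SydBarrett" (the steghide output is not reproduced).
B64_SAMPLE = "U3lkQmFycmV0dA=="
# Constructed mini wordlist standing in for a real dictionary.
WORDLIST = ["password", "pinkfloyd", "divisionbell", "pinkfloydrocks", "SydBarrett"]

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_md5(s):
    """32 hex chars is the *shape* of an MD5, but an even-length hex string of
    16 ASCII bytes has exactly the same shape: check both before cracking."""
    return bool(MD5_RE.match(s))


def try_hex(s):
    """Decode an even-length hex string to ASCII text, or None."""
    if len(s) % 2 or not HEX_RE.match(s):
        return None
    try:
        return bytes.fromhex(s).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def try_base64(s):
    """Decode strictly padded base64 to ASCII text, or None."""
    if len(s) % 4 or not B64_RE.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def peel(s, max_layers=5):
    """Strip hex/base64 layers while the result is still printable text.
    Returns every layer seen, outermost first."""
    layers = [s]
    for _ in range(max_layers):
        for decoder in (try_hex, try_base64):
            nxt = decoder(s)
            if nxt is not None and nxt.isprintable():
                break
        else:
            break                      # no decoder produced readable text
        layers.append(nxt)
        s = nxt
    return layers


def md5hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def crack_md5(digest, wordlist):
    """Dictionary attack: hash every candidate and compare (hashcat -m 0, slowly)."""
    digest = digest.lower()
    for word in wordlist:
        if md5hex(word) == digest:
            return word
    return None


def find_hashes(text):
    """Pull MD5-shaped tokens out of decoded text such as 'steg=<md5>'."""
    return re.findall(r"\b[0-9a-fA-F]{32}\b", text)


def solve(blob, wordlist=WORDLIST):
    """Peel the encoding layers, then crack any MD5 found in the innermost one."""
    layers = peel(blob)
    cracked = {h: crack_md5(h, wordlist) for h in find_hashes(layers[-1])}
    return layers, cracked


if __name__ == "__main__":
    for sample in (HEX_COMMENT, B64_SAMPLE):
        layers, cracked = solve(sample)
        for depth, layer in enumerate(layers):
            print(f"layer {depth}: {layer}")
        for h, word in cracked.items():
            print(f"{h} -> {word or '(not in wordlist)'}")
```

peel() stops as soon as a layer no longer decodes to printable text, which is what keeps it from “decoding” a genuine MD5 into 16 bytes of garbage; whether a 32-character token is then cracked or hex-decoded is a judgement call the writeup has to make twice.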

After some time fuzzing the web application and pottering around looking for clues, I take another look at the text file which was hidden in the pinkfloyd jpg. “Did you know? In 1965, The Pink Floyd Sound changed their name to Pink Floyd.”

1965? Surely not another port opening on the firewall?

Yep… port 1965/tcp is open, and it’s an SSH port. Nice!

So it looks like we have the correct username and password combination; however, we cannot get an interactive SSH shell, we must use sftp (the account is evidently restricted to file transfer, which is what a forced internal-sftp command in sshd_config would give you).

Pottering around the sftp directory, I grab the following loot:

bio.txt
syd_barrett_profile_pic.jpg
.mail/sent-items
.mail/.stash/eclipsed_by_the_moon

The bio.txt file had exactly what you would expect… Syd’s biography. Apart from that, there doesn’t seem to be any hint or other useful information.

Next.. the profile pic:

[Image: syd_barrett_profile_pic.jpg]

What a legend! .. but no real hint that I can see. Running exiftool and strings on the image doesn’t give us any clues either.

Next.. the sent-items:

This looks promising: a reference to the stash (.stash) and an instruction to use the scalpel when we find it. Let’s take a look at the eclipsed_by_the_moon file we grabbed from the stash:

A gzip-compressed file. Uncompressing it gives us another file, eclipsed_by_the_moon.lsd:

Looks like a partition or filesystem image of some sort. Mounting it and taking a closer look gives us nothing to work with, so whatever was in there has presumably been deleted and survives only in unallocated blocks. “Usual deal.. just use the scalpel when you find it.” Sounds like forensics to me. scalpel carves files out of the raw bytes by header and footer signature, ignoring filesystem metadata entirely, so deleted data is fair game. Let’s take a closer look with scalpel:

A jpg file carved out, hey?… let’s take a look:

[Image: carved file 00000000, a photo of Roger Waters]

It’s Roger Waters.. and he’s kind enough to give us a password.

Quick detour here, just for your info. There are plenty of other tools (foremost, autopsy, etc.) for this type of forensics work, but here’s another way you could have carved out the jpg:
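Since the carving step is the crux of this stage, here is an added, structure-aware JPEG carver in Python; it is example code written for this writeup, not the author’s alternative method and not scalpel’s own logic. A bare FFD8…FFD9 rule (the default jpg pattern in most carvers) stops at the first FFD9 it sees, which is often the end of the EXIF thumbnail rather than the end of the photo; walking the marker segments by their length fields avoids that. The “disk image” below is constructed inline: 512 bytes of slack, one JPEG whose APP1 segment embeds a tiny thumbnail JPEG, then more slack.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def jpeg_end(buf, start):
    """Return the index one past the EOI of the JPEG whose SOI is at buf[start],
    or None if the structure is broken. Header segments are skipped by their
    length field, so an EXIF thumbnail's own FFD8/FFD9 cannot fool us; in the
    entropy-coded data FF00 is a stuffed byte and FFD0-D7 are restart markers,
    neither of which ends the image."""
    n = len(buf)
    i = start + 2
    in_scan = False
    while i + 1 < n:
        if buf[i] != 0xFF:
            if not in_scan:
                return None            # header must consist of marker segments
            i += 1
            continue
        m = buf[i + 1]
        if m == 0xFF:                  # fill byte before a marker
            i += 1
        elif m == EOI:
            return i + 2
        elif m == 0x00 or m == 0x01 or 0xD0 <= m <= 0xD7:
            if m == 0x00 and not in_scan:
                return None            # FF00 is only legal inside scan data
            i += 2                     # stuffed byte / TEM / RSTn: no length field
        else:
            if i + 4 > n:
                return None
            seglen = struct.unpack(">H", buf[i + 2:i + 4])[0]
            if seglen < 2:
                return None
            i += 2 + seglen            # skip the whole segment, payload included
            in_scan = (m == SOS)       # entropy-coded data follows the SOS header
    return None


def carve_jpegs(buf):
    """Return (offset, bytes) for every well-formed JPEG found in a raw blob."""
    found, pos = [], 0
    while True:
        start = buf.find(b"\xff\xd8\xff", pos)
        if start < 0:
            return found
        end = jpeg_end(buf, start)
        if end is None:
            pos = start + 1            # false positive: keep scanning
            continue
        found.append((start, buf[start:end]))
        pos = end


def carve_naive(buf):
    """Header-to-first-footer carving, the way a bare FFD8..FFD9 rule behaves."""
    start = buf.find(b"\xff\xd8\xff")
    end = buf.find(b"\xff\xd9", start)
    return buf[start:end + 2]


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample "disk image" (not the challenge's eclipsed_by_the_moon.lsd).
THUMB = (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
         + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x00\x11" + b"\xff\xd9")
PHOTO = (b"\xff\xd8" + _segment(0xE1, b"Exif\x00\x00" + THUMB)
         + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
         + b"\x12\x34\xff\x00\x56\xff\xd0\x78" + b"\xff\xd9")
DISK = b"\x00" * 512 + PHOTO + b"unallocated slack" + b"\x00" * 64

if __name__ == "__main__":
    for off, img in carve_jpegs(DISK):
        print(f"jpeg at offset {off}: {len(img)} bytes "
              f"(naive carve would give {len(carve_naive(DISK))} bytes)")
```

Run it on a real image with `carve_jpegs(open("eclipsed_by_the_moon.lsd", "rb").read())`; for multi-gigabyte images you would stream the file in overlapping chunks rather than read it whole, but the segment walk is unchanged.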

Moving onwards there’s only one thing to do; try logging on as Roger:

Once again… we have a bio.txt….. No lead there.

There’s a secret-diary, but no real lead there either.

Let’s take a look at the profile image:

[Image: roger_waters_profile_pic.jpg]

Nothing obvious here, and no results with strings or exiftool. Taking a look around Roger’s home directory doesn’t reveal any clues, so let’s start our normal enumeration techniques. Firstly, let’s look for setuid binaries:

The brick binary is setuid and world-executable, so let’s take a look:

Nice! Just like that we have pivoted to the NickMason account. We head to Nick’s home directory, and again we find a bio text and a profile pic. Let’s take a look at the bio.txt file first:

I’m glad I read Nick’s bio. The last paragraph says it all… “You’ll find your password in my profile pic.”. After transferring the file, it doesn’t take long to realise that it is not actually a jpg at all, whatever the extension says.. it’s an Ogg audio file:

There is no actual profile picture for Nick on The Wall, so here’s one I quickly grabbed from google :)

[Image: Nick Mason]

Listening to the audio we can very quickly hear morse code embedded within the piano music. Let’s use Sonic Visualiser to see if we can pick the morse in the spectrogram. Layer > Add Spectrogram > All Channels Mixed:

[Image: Sonic Visualiser spectrogram showing the morse tones]

Jotting down the morse gives us the following:

.-. .. -.-. .... .- .-. -.. .-- .-. .. --. .... - .---- ----. ....- ...-- ..-. .- .-. ..-. .. ... .-

Decoding this results in the following ascii string:

richardwright1943farfisa
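Reading the dots and dashes off a spectrogram by eye works for a short message, but the tones you see are really on/off durations, and the real work is classifying those. The block below is an added example (my own code, not the author’s or Sonic Visualiser’s): it turns a list of (tone_ms, silence_ms) pairs into morse by estimating the dot length, then decodes the morse with a lookup table. No audio decoding is attempted here; the timing list is generated from the transcribed string with deterministic jitter as a constructed stand-in for measurements taken off the spectrogram.

```python
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# The string transcribed from the spectrogram in the writeup.
TRANSCRIBED = (".-. .. -.-. .... .- .-. -.. .-- .-. .. --. .... - "
               ".---- ----. ....- ...-- ..-. .- .-. ..-. .. ... .-")


def decode_morse(text):
    """Letters are separated by spaces, words by '/'. Unknown symbols become '?'."""
    words = []
    for word in text.strip().split("/"):
        words.append("".join(MORSE.get(sym, "?") for sym in word.split()))
    return " ".join(words)


def morse_from_timings(timings):
    """timings: list of (tone_ms, silence_ms). Standard timing is dot=1 unit,
    dash=3, intra-letter gap=1, letter gap=3, word gap=7; the unit is taken
    as the shortest tone, and thresholds sit midway between the nominal values."""
    unit = min(on for on, _ in timings)
    out = []
    for on, off in timings:
        out.append("." if on < 2 * unit else "-")
        if off >= 5 * unit:
            out.append(" / ")
        elif off >= 2 * unit:
            out.append(" ")
    return "".join(out).strip()


def timings_from_morse(text, unit=100, jitter=(0.9, 1.1)):
    """Constructed measurements: nominal durations with alternating +/-10% error,
    standing in for tone lengths read off a spectrogram."""
    out, k = [], 0

    def j(ms):
        nonlocal k
        k += 1
        return ms * jitter[k % len(jitter)]

    words = text.strip().split("/")
    for wi, word in enumerate(words):
        letters = word.split()
        for li, letter in enumerate(letters):
            for si, sym in enumerate(letter):
                on = j(unit if sym == "." else 3 * unit)
                if si < len(letter) - 1:
                    off = j(unit)
                elif li < len(letters) - 1:
                    off = j(3 * unit)
                elif wi < len(words) - 1:
                    off = j(7 * unit)
                else:
                    off = 0
                out.append((on, off))
    return out


def decode_timings(timings):
    return decode_morse(morse_from_timings(timings))


if __name__ == "__main__":
    print(decode_morse(TRANSCRIBED))
    print(decode_timings(timings_from_morse("... --- ... / .--. ..-. ")))
```

With real audio you would get the timings by thresholding the tone’s band in the spectrogram (or the signal envelope) and measuring run lengths; the classification above tolerates roughly ±30% timing error before a dot and a dash become ambiguous.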

SSH’ing into The Wall as Richard Wright doesn’t seem to work, and quite frankly trying richardwright1943farfisa, 1943farfisa, and a number of other permutations of the password only got me closer to Brain Damage. And then I had a light bulb moment.. what if Richard isn’t allowed to SSH into the box?

And there it is. Only Syd and Roger are able to SSH in to The Wall (sshd can restrict logins to a list of accounts, an AllowUsers directive being the usual way), so Richard’s credentials have to be used from the shell we already have, with su for instance.

How frustrating! It’s ok… Breathe, “breath in the air”.

Once again we have a bio.txt file, and a profile picture. The bio.txt doesn’t seem to have any hints or data. Let’s take a look at the profile pic:

[Image: richard_wright_profile_pic.jpg]

Nothing obvious in the profile picture either. Let’s take a look at Richard’s mailbox, as the file size indicates there may be some email:

Good stuff! An email conversation between Richard Wright and David Gilmour. It looks like Richard is having some dramas remembering Linux commands, so David has kindly created a binary for him. Nice. Do you remember from our previous search for setuid binaries, we found one called brick? Did you also notice there was also one called shineon? If not, you were probably just having A Momentary Lapse of Reason. Let’s take a look:

A simple menu for common tasks, it would seem. Running through each option doesn’t show anything strange. Let’s take a look with strings:

A simple C program, with one very insecure way of calling a binary: mail is invoked by bare name rather than by its full path. Since shineon is setuid, the lookup for “mail” walks whatever PATH we supply, so a fake mail placed in a directory at the front of our PATH gets executed with David’s privileges. There’s our way forward:
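To make the PATH hijack concrete, here is an added example (my code, not the shineon binary or David’s) that models the vulnerable call and the fix. The setuid bit itself cannot be demonstrated without root, so the “privileged” program is stood in for by a plain `system("mail")`-style call from Python; the fake mail script and the temporary directory are constructed here. The hardened variant shows the two fixes that actually work: call the tool by absolute path, or set PATH to a fixed trusted value inside the program before any lookup. Note also that a setuid program calling `system()` goes through /bin/sh, and some shells (bash, unless started with -p) drop the effective UID on startup, which is worth remembering when a hijack gives you less than you expected.

```python
import os
import shutil
import subprocess
import tempfile

SAFE_PATH = "/usr/bin:/bin"   # what the fixed program forces, instead of trusting the caller


def plant_fake_mail(workdir):
    """Attacker side: a 'mail' that announces itself. In the real attack it would
    spawn a shell or copy /bin/sh somewhere and mark it setuid."""
    fake = os.path.join(workdir, "mail")
    with open(fake, "w") as fh:
        fh.write("#!/bin/sh\necho HIJACKED\n")
    os.chmod(fake, 0o755)
    return fake


def hijacked_env(workdir):
    """The environment the attacker runs the setuid binary under: their directory first."""
    env = dict(os.environ)
    env["PATH"] = workdir + os.pathsep + env.get("PATH", SAFE_PATH)
    return env


def vulnerable_call(env):
    """Models system("mail") in shineon: /bin/sh resolves the bare name through
    PATH, and PATH came from the (unprivileged) caller."""
    proc = subprocess.run("mail", shell=True, env=env,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def hardened_resolution(cmd):
    """Models the fix: execl("/usr/bin/mail", ...) or setenv("PATH", SAFE_PATH, 1)
    before the call. Returns the path that would run, or None if the real tool
    is not installed; either way it is never the attacker's copy."""
    return shutil.which(cmd, path=SAFE_PATH)


def demo():
    """Plant the fake, run both variants, clean up; returns what each resolved to."""
    workdir = tempfile.mkdtemp(prefix="wall-")
    try:
        fake = plant_fake_mail(workdir)
        env = hijacked_env(workdir)
        return {
            "fake": fake,
            "vulnerable_resolves_to": shutil.which("mail", path=env["PATH"]),
            "vulnerable_output": vulnerable_call(env),
            "hardened_resolves_to": hardened_resolution("mail"),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When auditing a setuid binary, `strings` output containing bare program names next to `system`, `popen` or `execvp` is the tell; the same mistake with a relative path (`./mail`) is exploitable through the working directory instead of PATH.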

Success… almost. Looks like we are almost DavidGilmour, but not quite. Let’s take a look around David’s home directory and see what we can find. First up, another bio.. did you really expect anything less? No real hints in the file. Let’s take a look at the profile pic:

[Image: david_gilmour_profile_pic.jpg]

Nothing obvious looking at the photo. Let’s look a little closer:

Gotcha! Let’s presume that this is David’s password and actually login as David:

Wish You Were Here don’t you? ;) Let’s keep moving on.. we have to be getting close now. In David’s home directory is a file called anotherbrick.txt:

A new website… good stuff! Only one thing to do.. browse away:

[Image: the new website]

Taking a look at the site doesn’t reveal any obvious hints. Let’s take a look at the source prior to proxying with burp:

“Can you see what the Dog sees?” Let’s grab the front page image and take a closer look:

[Image: front page image, “what the dog sees”]

We can barely make out some sort of text where the dog is looking. Fire up gimp and let’s take a better look with “hints of lightness”:

[Image: gimp brightness/contrast adjustment]

By adjusting the brightness and contrast, we can make out two strings:

/welcometothemachine
50696e6b466c6f796435305965617273

Looks like another MD5? Passing it through hashcat, and also checking with MD5 Online, doesn’t come up with any result. Taking a closer look, it is 32 hex characters either way, and every byte pair here lands in the printable ASCII range, so it could just as well be hex-encoded text: decoded, it reads PinkFloyd50Years.

“Come on, you target for far away laughter” .. that was just a bit cruel. Let’s see what /welcometothemachine is:

Let’s execute it:

Due to the permissions on the file (we can execute it but not read it) we are unable to run strings on the binary, or even scp it to our attacking machine for further analysis. Let’s try the decoded password first:

No good. After a little bit of stuffing around, I decided to try the actual hex string:

W00t!!!! Nothing looks different at the command prompt, so let’s check whether any files were modified after we entered the correct string:

Ha! Sudoers. “Without a thought of the consequence, I gave into my decadence.”

This is it! The Final Cut! Let’s raise the flag!

[Image: the flag]

If you had a crack at solving The Wall, I hope you enjoyed the challenge. I had a great time creating it. :)

Big shoutout to @rastamouse and @thecolonial for being test bunnies; appreciate your help guys.

@vulnhub; thank you so much for hosting these challenges for us all!

.. and last but not least, Syd Barrett (RIP), Nick Mason, Roger Waters, Richard Wright (RIP), and David Gilmour. Thank you for 50 years of absolutely amazing tunes… rock on!!!

Until next time, tight lines and happy hacking.