Zion Walkthrough

Scan the host with nmap -A -T4 -p- 192.168.1.7 -vv

Scan it with dirb http://192.168.1.7

The robots.txt file has nothing in it, and index.php is a page with two choices:

The two buttons redirect to the same page, which needs a login username and password, so I started Burp Suite to see what it can catch:

So I started with the Illusion button and I got a new path, /zion/login.php. I sent it to Repeater and got some encoded messages:

You can tell that the two messages are base64 encoded. Decoding the first one gives:

“It’s all illusion!

The world you believe in is nothing more than the result of cheap manipulation to make your life easier.

Unfortunately you are blind to see the truth.”

Decoding the second one gives:

“The Matrix will find you, they are coming.

Follow the white rabbit and be careful not to fall into its den.

It is long and fast. It’s narrow and wide!

/zion/rabbit-hole/aliceinwonderland-cha.jpg”

Opening that page gave me:

So let’s go back and choose the other button, the Truth button, and see what we get:

We get two more encoded messages. The first one is:

“Decrypt the message that Zion left for you. ‘Open your mind’ and remember to base it on not using any of the characters "+", "-", "/" and "=".”

The second one I couldn’t decode as base64, so I googled “Base64, except it excludes +, / and =” and I got this:

So the encoding is base62. Googling for a base62 decoder got me the site http://decode-base62.nichabi.com
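Base62 is plain base conversion over a 62-character alphabet, which is why the message has none of +, / or =. The decoder below is an added example, not code from the original post or from the nichabi site; it assumes the common 0-9A-Za-z alphabet, and if the online decoder orders its alphabet differently only the ALPHABET string needs to change.

```python
# Base62 encoder/decoder (added example). ASSUMPTION: alphabet is 0-9A-Za-z;
# the online decoder used in the walkthrough may use a different ordering.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
BASE = len(ALPHABET)
INDEX = {c: i for i, c in enumerate(ALPHABET)}


def base62_encode(data: bytes) -> str:
    # Leading zero bytes vanish in the big-integer form, so keep them
    # explicitly as leading '0' digits (the same convention as base58).
    leading = len(data) - len(data.lstrip(b"\x00"))
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, r = divmod(n, BASE)
        digits.append(ALPHABET[r])
    return ALPHABET[0] * leading + "".join(reversed(digits))


def base62_decode(text: str) -> bytes:
    stripped = text.strip()
    for c in stripped:
        if c not in INDEX:
            raise ValueError(f"not a base62 character: {c!r}")
    leading = len(stripped) - len(stripped.lstrip(ALPHABET[0]))
    n = 0
    for c in stripped:
        n = n * BASE + INDEX[c]
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * leading + body


def looks_like_base62(text: str) -> bool:
    """The hint from the post as a check: a blob made only of
    alphanumerics (no '+', '/', '=') is a base62 candidate, not base64."""
    return bool(text) and all(c in INDEX for c in text)


if __name__ == "__main__":
    # Constructed sample message, not the one from the box.
    sample = b"Open your mind"
    encoded = base62_encode(sample)
    print(encoded, looks_like_base62(encoded), base62_decode(encoded))
```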

The message is about a username and password, but we only have the username, which is Morpheus.thematrix. The password is in the main page, as the message says, so we can use CeWL to extract the page text into a wordlist file and let Burp Suite do the brute force for us:

As we can see the password is identified; logging in with it takes us to a new page:

At the top of the page there is a button “Private Key”. Clicking it gives us a private key to SSH in as the user w.rabbit:

Now copy the key to a file and make sure it looks like this:

Now we SSH to the host using: ssh -i ssh_key w.rabbit@192.168.1.7

Let’s see what we have here: there is a warring.txt file:

After looking around for a while I found a password in /var/mail/w.rabbit, and then ran sudo -l with it:

OK, now we can copy flag.txt from dozer’s home directory. The problem is that cp will copy the file but keep dozer as the only user allowed to read it, so we can’t read the copy. The trick: I went through the cp man page and found this:

This option stops cp from preserving dozer’s ownership and mode on the copy, so we can read it. The command will be something like this:

sudo -u dozer /bin/cp /home/dozer/flag.txt --no-preserve=mode,ownership /tmp/final_flag.txt
