Goal: Read the /root/message.txt file. Reading this message will help our princess send the necessary data to the “Rebel Alliance” and destroy this new super weapon from the Galactic Empire: The Death Star.
My first step toward the message in the goal statement is to enumerate this host. I used NAT networking, and based on the description, the box uses DHCP, so I know it's on the same network as my Kali instance. Netdiscover is a great tool for this.
Awesome, now we know the IP, so we can enumerate this machine's services using Nmap, trying the -A switch, which enables OS detection, version detection, script scanning, and traceroute to the host.
So it looks like everything is filtered, which makes sense, because if we go back to the description at vulnhub.com, it says “Warning: It is not only through “port scan” that you can get information.” So I am going to try a UDP scan using the -sU switch and see what comes back.
Nothing there either, so let's check to see if there is any new traffic on the network. It seems like there is some UDP traffic going on, and these are the messages being transmitted. The two ports in use are 357 and 160; other than that, I don't really see much to pivot into.
So we are going to have to send that code back to the host in order to gain access to the blueprint. The easiest way to do this is just to use netcat. Monitoring the packets as they come in, I use this command to send the code to the host:
I get back what looks like a base64-encoded file. I save that out to a file and decode it with base64, using the -d switch.
I get a jpg file at the end of that, which looks like a Death Star blueprint… how cool is that.
So there are some interesting notes on here, specifically “Hangar Bay 327” and “code to unlock: 197719801983”, which correspond to the release years of the original Star Wars movies. Before I move on to anything else, I want to run strings against the file, check its metadata, and check for the presence of steganography.
Strings returns nothing of any value, and neither does exiftool. Steghide does give us some good information, though, when used with the previous code as the password.
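The two steps above (decoding the base64 dump and then running strings over the result) are easy to script so that a blob pulled off the wire is checked before anything opens it. The following is an added example, not the author's tooling and not the blueprint from the box: the sample payload is a constructed minimal JPEG (SOI, an APP0/JFIF segment, a short text run, EOI) that the script base64-encodes itself. It tolerates the line wrapping and missing padding a netcat transfer can introduce, refuses anything outside the base64 alphabet instead of silently dropping it, names the file type from its leading bytes the way file(1) would, and pulls printable runs like the strings(1) default.

```python
import base64
import re

# Constructed sample (not the blueprint from the box): a minimal JPEG header
# (SOI + APP0/JFIF), some embedded text, and the EOI marker, which we then
# base64-encode and line-wrap the way a dump delivered over netcat often is.
SAMPLE_PAYLOAD = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    b"\xfe\x00\x1bHangar Bay 327 - code 197719801983"
    b"\xff\xd9"
)
SAMPLE_B64 = base64.encodebytes(SAMPLE_PAYLOAD).decode()  # 76-column lines with newlines

# Magic-byte table: (prefix, label). Checked in order; the first match wins.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF8", "gif"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf"),
]


def decode_base64(text):
    """Decode base64 that may be line-wrapped or missing its trailing '=' padding.

    Whitespace is removed and padding restored. Anything else outside the base64
    alphabet makes b64decode raise binascii.Error rather than being discarded, so
    a corrupted capture fails loudly instead of yielding a silently truncated file.
    """
    if isinstance(text, str):
        text = text.encode("ascii")
    compact = re.sub(rb"\s+", b"", text)
    compact += b"=" * (-len(compact) % 4)   # restore padding to a multiple of 4
    return base64.b64decode(compact, validate=True)


def identify(data):
    """Name the file type from its leading bytes; 'unknown' if no prefix matches."""
    for prefix, label in MAGIC:
        if data.startswith(prefix):
            return label
    return "unknown"


def extract_strings(data, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, like the strings(1) default."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


if __name__ == "__main__":
    blob = decode_base64(SAMPLE_B64)
    print(identify(blob), len(blob), "bytes")
    for s in extract_strings(blob):
        print("  ", s)
```

Checking the magic bytes before trusting the extension matters more than it looks: a blob that decodes to an ELF or a ZIP rather than the JPEG you expected is the kind of thing to notice before double-clicking it.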
So this sounds like port knocking, and with 12 characters in the “code to unlock,” it seems like it should work. I like using @grongor's port knocking script, found here: https://github.com/grongor/knock.
Port status before the knock:
Port status after knock:
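Seen from the box's side, a knock is a burst of connection attempts from one source to a handful of closed ports in quick succession, and that pattern is visible in the firewall's drop log even when the secret sequence is not known. The following is an added example, not the author's or the knock project's code, that walks constructed UFW/iptables-style log lines (ISO timestamps, SRC=/PROTO=/DPT= fields; the addresses and the 1977/1980/1983 sequence are sample values): one check confirms a known sequence was hit in order within a time window, the other flags any source touching several distinct blocked ports inside the window, which is what a defender who does not know the sequence would actually alert on.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log (not from the box). 10.0.2.15 knocks 1977,1980,1983 in
# order within 3 s; 10.0.2.99 hits the same ports out of order; 10.0.2.50 is
# ordinary UDP noise; 10.0.2.77 sends the right ports but with a 90 s gap.
SAMPLE_LOG = """\
2024-01-10T12:00:00Z kernel: [UFW BLOCK] IN=eth0 SRC=10.0.2.15 DST=10.0.2.20 PROTO=TCP SPT=51000 DPT=1977 SYN
2024-01-10T12:00:01Z kernel: [UFW BLOCK] IN=eth0 SRC=10.0.2.15 DST=10.0.2.20 PROTO=TCP SPT=51001 DPT=1980 SYN
2024-01-10T12:00:02Z kernel: [UFW BLOCK] IN=eth0 SRC=10.0.2.15 DST=10.0.2.20 PROTO=TCP SPT=51002 DPT=1983 SYN
2024-01-10T12:00:03Z kernel: [UFW BLOCK] IN=eth0 SRC=10.0.2.99 DST=10.0.2.20 PROTO=TCP SPT=40000 DPT=1983 SYN
2024-01-10T12:00:04Z kernel: [UFW BLOCK] IN=eth0 SRC=10.0.2.99 DST=10.0.2.20 PROTO=TCP SPT=40001 DPT=1977 SYN
2024-01-10T12:00:05Z kernel: [UFW BLOCK] IN=eth0 SRC=10.0.2.99 DST=10.0.2.20 PROTO=TCP SPT=40002 DPT=1980 SYN
2024-01-10T12:00:06Z kernel: [UFW BLOCK] IN=eth0 SRC=10.0.2.50 DST=10.0.2.20 PROTO=UDP SPT=5353 DPT=5353
2024-01-10T12:09:00Z kernel: [UFW BLOCK] IN=eth0 SRC=10.0.2.77 DST=10.0.2.20 PROTO=TCP SPT=42000 DPT=1977 SYN
2024-01-10T12:09:01Z kernel: [UFW BLOCK] IN=eth0 SRC=10.0.2.77 DST=10.0.2.20 PROTO=TCP SPT=42001 DPT=1980 SYN
2024-01-10T12:10:30Z kernel: [UFW BLOCK] IN=eth0 SRC=10.0.2.77 DST=10.0.2.20 PROTO=TCP SPT=42002 DPT=1983 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s.*?\bSRC=(?P<src>\S+).*?\bPROTO=(?P<proto>\S+).*?\bDPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (datetime, raw timestamp, src, proto, dport) for one dropped-packet line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = m.group("ts")
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, ts, m.group("src"), m.group("proto"), int(m.group("dpt"))


def tcp_events_by_source(log_text):
    """Group dropped TCP hits per source address, preserving log order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == "TCP":
            when, ts, src, _, dpt = rec
            events[src].append((when, ts, dpt))
    return events


def detect_knocks(log_text, sequence, window_seconds=10):
    """Known-sequence check: sources that hit `sequence` in order within the window.

    Returns [(src, timestamp of the final knock)]. A wrong port resets progress,
    except that the first port of the sequence always starts a fresh attempt.
    """
    hits = []
    for src, evs in tcp_events_by_source(log_text).items():
        progress, start = 0, None
        for when, ts, dpt in evs:
            if progress and (when - start).total_seconds() > window_seconds:
                progress, start = 0, None          # too slow: the sequence must restart
            if dpt == sequence[progress]:
                if progress == 0:
                    start = when
                progress += 1
                if progress == len(sequence):
                    hits.append((src, ts))
                    progress, start = 0, None
            elif dpt == sequence[0]:
                progress, start = 1, when          # wrong port, but a fresh first knock
            else:
                progress, start = 0, None
    return hits


def sources_probing_closed_ports(log_text, min_ports=3, window_seconds=10):
    """Sequence-agnostic check: sources touching >= min_ports distinct blocked ports within the window."""
    flagged = set()
    for src, evs in tcp_events_by_source(log_text).items():
        for i, (t0, _, _) in enumerate(evs):
            ports = {dpt for when, _, dpt in evs[i:]
                     if (when - t0).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                flagged.add(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("sequence completed by:", detect_knocks(SAMPLE_LOG, [1977, 1980, 1983]))
    print("knock-like probing from:", sources_probing_closed_ports(SAMPLE_LOG))
```

The second check is the useful one operationally: it also catches a plain port scan, so tune min_ports and the window against your own baseline, and treat a source that trips it and then opens a session on a previously filtered port as worth a look.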
Now to attempt access. Using netcat, we see that SSH is running on that port, but we have no users and only one password. Based on the data we see on the SSH banner, we have a new username and a possible password… but what is “BBY” in regards to a year, and what was Erso's wife's name? To Google we go…
Figure 1 – from https://starwars.fandom.com/wiki/Lyra_Erso
So who knows what BBY is, but we have the info we need now: lyra13 should be the password.
Let's take a look around now.
So before I get too deep into the internal recon of this box, I am going to get some sleep and come back to knock this out tomorrow. It seems like I am going to need to privesc to get into that directory, but we will figure that out when the time comes.