Gracker level5 (Recon with Tron!)

Try the challenge thoroughly before reading the write-up. Otherwise, it's your loss.

We ssh to [email protected] and authenticate using the password we had obtained after solving the previous level.

Recap of previous level.

The recap provides an alternate way of solving the challenge using a symlink (ln -s /bin/sh uname) and changing the PATH environment variable to the current directory. It too was a really cool method.

Level5

The story of this level tells us that there is a service running on one of the ports (it isn't said which). So we'll have to do a bit of recon to figure out which port it is. Well, thankfully we have been provided with the nmap tool. Otherwise we might have had to write our own port scanner. While you are at it, do check this one that I wrote (not for the challenge, though).

The range of the ports has been provided in the story to be 0x5ad to 0xdad, which is 1453 to 3501 in decimal (2049 ports, inclusive). So, scanning this range for open ports using nmap:

[email protected]:~$ nmap 127.0.0.1 -p 1453-3501  

Starting Nmap 6.47 ( http://nmap.org ) at 2016-06-05 19:19 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (1.00s latency).
Not shown: 2048 closed ports
PORT     STATE SERVICE
2989/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 102.08 seconds

Thus 2989 is an open port.
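To show what the nmap run above actually does (convert the story's hex bounds, then try a full TCP connect on each port in the range), here is a small connect scanner as an added example; it is not the author's scanner and not part of the original post. It assumes nothing beyond the Python standard library and the same 0x5ad-0xdad range, and runs the connects concurrently because a 1-second latency per port is what made nmap take 102 seconds.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def hex_range_to_ports(lo_hex: str, hi_hex: str) -> range:
    """Turn the story's hex bounds (0x5ad..0xdad) into an inclusive port range."""
    lo, hi = int(lo_hex, 16), int(hi_hex, 16)
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range {lo_hex}-{hi_hex}")
    return range(lo, hi + 1)


def tcp_connect(host: str, port: int, timeout: float) -> bool:
    """One full TCP connect attempt; True means something accepted the handshake."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(host: str, ports: range, timeout: float = 0.5, workers: int = 64) -> list:
    """Connect-scan every port in `ports` concurrently; return the open ones, sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, tcp_connect(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


if __name__ == "__main__":
    # 1453..3501, the 2049 ports nmap reported (2048 closed + 1 open)
    ports = hex_range_to_ports("0x5ad", "0xdad")
    print(f"scanning {len(ports)} ports on 127.0.0.1")
    for p in scan("127.0.0.1", ports):
        print(f"{p}/tcp open")
```

On the challenge box this should report only 2989/tcp, matching the nmap output.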

We then try to netcat into this open port, and are presented with the following:

[email protected]:~$ nc 127.0.0.1 2989
$ whoami
flynn
$ uname -a
SolarOs 4.0.1 Generic_50203-02 sun4m i386
Unknown.Unknown
$ login -n root
Login incorrect
login: backdoor
No home directory specified in password file!
Logging in with home=/
# bin/history
  499 kill 2208
  500 ps -a -x -u
  501 touch /opt/LLL/run/ok
  502 LLLSDLaserControl -ok 1
# 
Broadcast message from [email protected] (pts/0) (Oct 21 16:29:00 2015):

You are too slow.
Mess With the Best, Die Like the Rest!

I had no idea what to make of this. So I followed their third hint and watched the movie: TRON Legacy :P. Also, I needed a break.

This is the part which is important though:

So we just do what Flynn did, and get level5 shell. Woot Woot!

[email protected]:~$ nc 127.0.0.1 2989
$ whoami
flynn
$ uname -a
SolarOs 4.0.1 Generic_50203-02 sun4m i386
Unknown.Unknown
$ login -n root
Login incorrect
login: backdoor
No home directory specified in password file!
Logging in with home=/
# bin/history
  499 kill 2208
  500 ps -a -x -u
  501 touch /opt/LLL/run/ok
  502 LLLSDLaserControl -ok 1
# LLLSDLaserControl -ok 1
You entered the Grid!

[email protected]:~$ cat /home/level6/.pass

We now have the flag to the next level. I am not revealing the password here so that readers try the challenge on their own. It was a fun challenge overall, and the storyline seems to be getting pretty interesting :).