The tool also found a Dockerfile in Zeus' home directory: /home/zeus/airgeddon/Dockerfile.
In Zeus' home directory we found a copy of airgeddon, a tool used to intercept and capture WPA/WPA2 handshakes.
In the captured folder we found a captured.cap file that could contain an encrypted handshake for a Wi-Fi network.
We downloaded the file and, after converting it with cap2hccapx, used hashcat to crack the Wi-Fi password.
We got the SSID Too_cl0se_to_th3_Sun and the Wi-Fi password flightoficarus; from then on we expected more names from Greek mythology to show up in the next steps.
We tried to log in as Zeus and Icarus using the Wi-Fi password, but what worked was an SSH login with the icarus username and Too_cl0se_to_th3_Sun as the password on port 2222.
With the help of the gods, Athena in this case, we got a domain name: ctfolympus.htb.
Using drill to ask the BIND server on port 53 for the TXT record, we got another hint.
The hint clearly states that, to log in as the prometheus user with password St34l_th3_F1re!, we need to port-knock on ports 3456, 8234 and 62431 in order to open the SSH port (22, the one nmap had reported as filtered).
HOST=$1
shift
# each remaining argument is a port to knock on, in order
for ARG in "$@"; do
    nmap -Pn --max-retries 0 -p "$ARG" "$HOST"
done

With this simple script we used nmap to hit the ports in sequence, then waited for SSH to prompt for the user's password.
On the olympus machine we found the first flag and another message.
From LinEnum and ps aux | grep root we found out that this machine owns all the Docker containers behind ports 80, 53 and 2222 (Apache, BIND and SSH). Together with the hint (serve), this made us think we had to use Docker to escalate from prometheus to root, since that user could run docker commands.
Hijacking the running containers, we were unable to read the root flag even though the user inside the container was root: the container had no access to the host's local volume beyond what it already mounted (as it should be!).
We then wrote a Dockerfile extending a local image (there was no access to external resources such as Docker Hub) so that we could mount the /root folder.
With docker build . -t dodo we created the image; then, to run the container, we issued docker run -v /root:/root -t dodo cat /root/root.txt.
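The escalation above works because any account that can talk to dockerd can bind-mount host directories into a container it controls, so docker group membership is root-equivalent on the host. The following audit helper is an added example, not part of the original writeup: it lists docker group members from an /etc/group-formatted stream and checks whether the Docker socket is writable by the current user. The group database it parses is a constructed sample; on a real host you would feed it /etc/group.

```shell
#!/bin/sh
# Added audit helper; it is not part of the original writeup.
# Accounts in the docker group can start containers with arbitrary bind mounts
# (e.g. -v /root:/root), which makes them root-equivalent on the host, so an
# auditor wants that list along with the socket permissions.

# Print the members of the docker group from an /etc/group-formatted stream on stdin.
# Output is the fourth field of the "docker" line (comma-separated), empty if none.
docker_group_members() {
    awk -F: '$1 == "docker" { print $4 }'
}

# Return success when the Docker socket at the given path is writable by the
# current user; only meaningful on a host where dockerd is actually running.
docker_socket_writable() {
    [ -w "$1" ]
}

# Constructed sample in /etc/group format (not a real machine's file).
# On a real host use:  docker_group_members < /etc/group
SAMPLE_GROUP_DB='root:x:0:
sudo:x:27:alice
docker:x:999:prometheus,alice
users:x:100:'

members=$(printf '%s\n' "$SAMPLE_GROUP_DB" | docker_group_members)
if [ -n "$members" ]; then
    echo "docker group members (root-equivalent on this host): $members"
else
    echo "no docker group members found"
fi

if docker_socket_writable /var/run/docker.sock; then
    echo "warning: /var/run/docker.sock is writable by $(id -un)"
fi
```

The mitigation the check points at is the usual one: keep the docker group empty (or limited to administrators who already have root), run containers through a rootless daemon or with an authorization plugin, and treat a writable Docker socket exactly like a root shell.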