
Rotating Fortress 1.0.1 VulnHub CTF Machine Practice Notes

☕ 5 min · ✍️ IceKam

Introduction

Name: Rotating Fortress 1.0.1

Date: July 30, 2018

Difficulty: intermediate/hard

Flags: seven

Rotating Fortress has been in the making for several months and has unique features that set it apart from other VMs.

The administrator of the Zeus server is retiring from Project: Rotating Fortress, but he does not want the project to die with his retirement. To find a successor for the project, he created a challenge. Can you get in, rotate the fortress, escape isolation and reach root?

Your goal is to get root and read /flag.txt.

Note: this is not a short VM; it may take several hours to complete.

Information gathering

IP and port information

Use nmap to find the target's IP and enumerate its open ports.

$ nmap -sN 192.168.123.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-04 08:35 CST.
PORT     STATE         SERVICE
Nmap scan report for Rotating-Fortress.lan (192.168.123.153)
Host is up (0.00050s latency).
Not shown: 999 closed ports
PORT   STATE         SERVICE
80/tcp open|filtered http
MAC Address: 08:00:27:6B:8C:FA (Oracle VirtualBox virtual NIC)

Nmap done: 256 IP addresses (4 hosts up) scanned in 9.65 seconds

## root @ Sec in /tmp [8:35:14]
$ nmap -A -p- 192.168.123.153
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-04 08:40 CST
Nmap scan report for Rotating-Fortress.lan (192.168.123.153)
Host is up (0.00036s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
27025/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, Kerberos, NULL, RPCCheck, TLSSessionReq:
|     Connection establised
|     Requesting Challenge Hash...
|     Connection Closed: Access Denied [Challenge Hash Did Not Return Any Results From Database]
|   GenericLines, RTSPRequest, SSLSessionReq:
|     Connection establised
|_    Requesting Challenge Hash...
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port27025-TCP:V=7.70%I=7%D=11/4%Time=5BDE3FF5%P=x86_64-pc-linux-gnu%r(N
SF:ULL,91,"Connection\x20establised\x20\nRequesting\x20Challenge\x20Hash\.
SF:\.\.\x20\nConnection\x20Closed:\x20Access\x20Denied\x20\[Challenge\x20H
SF:ash\x20Did\x20Not\x20Return\x20Any\x20Results\x20From\x20Database\]\x20
SF:\n")%r(GenericLines,35,"Connection\x20establised\x20\nRequesting\x20Cha
SF:llenge\x20Hash\.\.\.\x20\n")%r(GetRequest,91,"Connection\x20establised\
SF:x20\nRequesting\x20Challenge\x20Hash\.\.\.\x20\nConnection\x20Closed:\x
SF:20Access\x20Denied\x20\[Challenge\x20Hash\x20Did\x20Not\x20Return\x20An
SF:y\x20Results\x20From\x20Database\]\x20\n")%r(HTTPOptions,91,"Connection
SF:\x20establised\x20\nRequesting\x20Challenge\x20Hash\.\.\.\x20\nConnecti
SF:on\x20Closed:\x20Access\x20Denied\x20\[Challenge\x20Hash\x20Did\x20Not\
SF:x20Return\x20Any\x20Results\x20From\x20Database\]\x20\n")%r(RTSPRequest
SF:,35,"Connection\x20establised\x20\nRequesting\x20Challenge\x20Hash\.\.\
SF:.\x20\n")%r(RPCCheck,91,"Connection\x20establised\x20\nRequesting\x20Ch
SF:allenge\x20Hash\.\.\.\x20\nConnection\x20Closed:\x20Access\x20Denied\x2
SF:0\[Challenge\x20Hash\x20Did\x20Not\x20Return\x20Any\x20Results\x20From\
SF:x20Database\]\x20\n")%r(DNSVersionBindReqTCP,91,"Connection\x20establis
SF:ed\x20\nRequesting\x20Challenge\x20Hash\.\.\.\x20\nConnection\x20Closed
SF::\x20Access\x20Denied\x20\[Challenge\x20Hash\x20Did\x20Not\x20Return\x2
SF:0Any\x20Results\x20From\x20Database\]\x20\n")%r(DNSStatusRequestTCP,91,
SF:"Connection\x20establised\x20\nRequesting\x20Challenge\x20Hash\.\.\.\x2
SF:0\nConnection\x20Closed:\x20Access\x20Denied\x20\[Challenge\x20Hash\x20
SF:Did\x20Not\x20Return\x20Any\x20Results\x20From\x20Database\]\x20\n")%r(
SF:SSLSessionReq,35,"Connection\x20establised\x20\nRequesting\x20Challenge
SF:\x20Hash\.\.\.\x20\n")%r(TLSSessionReq,91,"Connection\x20establised\x20
SF:\nRequesting\x20Challenge\x20Hash\.\.\.\x20\nConnection\x20Closed:\x20A
SF:ccess\x20Denied\x20\[Challenge\x20Hash\x20Did\x20Not\x20Return\x20Any\x
SF:20Results\x20From\x20Database\]\x20\n")%r(Kerberos,91,"Connection\x20es
SF:tablised\x20\nRequesting\x20Challenge\x20Hash\.\.\.\x20\nConnection\x20
SF:Closed:\x20Access\x20Denied\x20\[Challenge\x20Hash\x20Did\x20Not\x20Ret
SF:urn\x20Any\x20Results\x20From\x20Database\]\x20\n");
MAC Address: 08:00:27:6B:8C:FA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.36 ms Rotating-Fortress.lan (192.168.123.153)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.99 seconds
  • The target's IP is 192.168.123.153, with ports 80 and 27025 open.

Web service information

Opening http://192.168.123.153/ shows the message You're not the Admin!.
My first thought was whether it could be bypassed.
Opening the Chrome console, I found a cookie named isAdmin.

First flag

The old trick: set the value to 1 and refresh the page to get the first flag:
Welcome Back Admin Last edited file was: /LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/home.html Flag: 1{7daLI]} ggez

  • Hmm, it leaks a directory. Opening it shows a very flashy page; after staring at it for a long time I had no ideas.

Second flag

Let's scan it:

$ dirb http://192.168.123.153/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Nov  4 08:55:34 2018
URL_BASE: http://192.168.123.153/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.123.153/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/ ----
==> DIRECTORY: http://192.168.123.153/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/icons/
+ http://192.168.123.153/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/index.html (CODE:200|SIZE:91)
==> DIRECTORY: http://192.168.123.153/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/resources/
+ http://192.168.123.153/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/robots.txt (CODE:200|SIZE:72)

---- Entering directory: http://192.168.123.153/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/icons/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.123.153/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/resources/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sun Nov  4 08:55:36 2018
DOWNLOADED: 4612 - FOUND: 2

Found robots.txt:

User-agent: *
Disallow: /
Disallow: /icons/loki.bin
Disallow: /eris.php
  • It lists eris.php and the file loki.bin.

Decryption

Download loki.bin and try to run it; it asks for a password.

$ strings 'loki.bin'
/lib64/ld-linux-x86-64.so.2
libc.so.6
gets
puts
putchar
printf
__cxa_finalize
strcmp
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
=q#
5j#
=!#
=n"
=p!
=r  
AWAVI
AUATL
[]A\A]A^A_
access_denied
access_granted!
Enter Password:
;*3$"
backd00r_pass123
GCC: (Debian 7.3.0-21) 7.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7090
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
buffer.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
putchar@@GLIBC_2.2.5
_ITM_deregisterTMCloneTable
puts@@GLIBC_2.2.5
tmp2
_edata
printf@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
strcmp@@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
access_granted
gets@@GLIBC_2.2.5
__libc_csu_init
__bss_start
main
access_denied
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
  • Running strings on it and searching for "pass" gives the password: backd00r_pass123

Try it:

## root @ Sec in /tmp [9:06:34]
$ ./loki.bin
zsh: 权限不够: ./loki.bin

## root @ Sec in /tmp [9:06:40] C:126
$ chmod +x loki.bin

## root @ Sec in /tmp [9:06:43]
$ ./loki.bin
Enter Password: backd00r_pass123

Did you really think it was going to be this easy? Nice try but no cigar ;)
access_denied

A hint…

Cracking

Decompile it with gdb-debug; the procedure is:

Open loki.bin in gdb-debug and press F9 twice, and the correct password appears:
xBspsiONMSNXeVuiomF

Then run it again:

$ ./loki.bin
Enter Password: xBspsiONMSNXeVuiomF

access_granted!
Welcome back Loki
To do:
- Operation Smoke And Mirrors [X]
- Ask Zeus whats going on he's acting strange []
- Project FortNET [In Progress]
- Operation 679 [In Progress]
- Build a better decoder, just got to remember the rules: split '|', ++ ' ', // '.', Caesar cipher so letters are represented with numbers then shifted by the key which is displayed above each message []
- Operation Dual USB Assault [X]
- Update Security []
- Flag 2{tr09u2} What would happen if I just say...input 1000 A's?

Second flag: Flag 2{tr09u2}

  • Hint: build a better decoder, just remember the rules: split on '|', '++' is ' ', '//' is '.', and it is a Caesar cipher, so letters are represented as numbers and then shifted by the key displayed above each message.

Third flag

At this point you can see how odd the author's way of thinking is; it does not follow the usual path at all. Let's carry on.
Following the hint, build a decoder and then decrypt the encrypted content on /news. One look at it shows it is a Caesar cipher; we need to save the three ciphertexts as separate txt files so each can be decrypted.
A quick search turns up a decryption script:

#!/bin/bash
# Decoder for the /news messages, following the rules from the hint:
# split on '|', '++' -> ' ', '//' -> '.', numeric tokens are characters
# shifted by the key.  Usage: ./icekam.sh <file> <key>

FILE=$1
KEY=$2

echo "[+] Trying $KEY..."

# One token per line: turn each '|' into a newline, trim the stray whitespace
# that pasted text carries (otherwise ' |38' survives as an undecoded '|38')
# and drop the empty lines left behind by '||'.
for x in $(tr '|' '\n' < "$FILE" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'); do
  if grep -qE '^[0-9]+$' <<<"$x"; then
    # numeric token: add the key (10# keeps "08" from being read as octal)
    c=$((10#$x + KEY))
    if (( c >= 32 && c <= 126 )); then
      printf "\\$(printf '%o' "$c")"   # print the ASCII character
    else
      printf '?'                        # not printable: almost surely a wrong key
    fi
  else
    printf '%s' "$x"                    # '++', '//' or plain text: pass through
  fi
done | sed -e 's/++/ /g' -e 's|//|.|g'

echo
echo "-----"

> * Save this as `icekam.sh`.

Decryption

Decrypt the Caesar cipher and look for useful information:

1.txt

root@Sec:/tmp## for key in $(seq 1 99); do ./icekam.sh 1.txt $key; done

-----
[+] Trying 52...
|38EUS HERE. AFTER A LONG TIME O18| THINKING I HAVE DECIDED TO RE32|IRE FROM PROJECT ROTATING FORT30|ESS. HOWEVER I DO NOT WANT TO 23|ILL THE PROJECT WITH MY RETIRE25|ENT SO I AM PRESENTING YOU ALL |A CHALLENGE. I HAVE SET UP A P33|ZZLE ON THE SERVER IF YOU CAN 19|ET PAST ALL PUZZLES THE SERVER |IS YOURS. BY THE WAY I HAVE RE25|OVED EVERYBODIES LOGINS FROM T20|E SERVER EXPECT MINE SO THIS W27|NT BE EASY. TAKE THIS IT MIGHT |BE USEFUL EDVQYHWMFVQRDUCQJBZU25|YSRWDGMFDHT. GOOD LUCK.
-----
-----
[+] Trying 84...
|38eus here. after a long time o18| thinking i have decided to re32|ire from project rotating fort30|ess. however i do not want to 23|ill the project with my retire25|ent so i am presenting you all |a challenge. i have set up a p33|zzle on the server if you can 19|et past all puzzles the server |is yours. by the way i have re25|oved everybodies logins from t20|e server expect mine so this w27|nt be easy. take this it might |be useful edvqyhwmfvqrducqjbzu25|ysrwdgmfdht. good luck.
-----

2.txt

root@Sec:/tmp## for key in $(seq 1 99); do ./icekam.sh 2.txt $key; done
-----
[+] Trying 29...
WE WILL BE RESTRICTING ACCESS 55|O THE SERVER UNTIL FURTHER NOT44|CE FOR AN EVENT. ANTHENA.
-----
-----
[+] Trying 61...
we will be restricting access 55|o the server until further not44|ce for an event. anthena.
-----

3.txt

root@Sec:/tmp## for key in $(seq 1 99); do ./icekam.sh 3.txt $key; done
[+] Trying -3...
zeus has asked me to mak104| an encoder for our upda119|es. this is me testing i119| out. if it works i will |be sending it to the res119| of you as well as a dec114|der. tir.
-----

-----
[+] Trying -35...
ZEUS HAS ASKED ME TO MAK104| AN ENCODER FOR OUR UPDA119|ES. THIS IS ME TESTING I119| OUT. IF IT WORKS I WILL |BE SENDING IT TO THE RES119| OF YOU AS WELL AS A DEC114|DER. TIR.
-----

Third flag

There are some hints above, of no use for now; a useful file turned up in resources.

wget http://192.168.123.153/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/resources/Harpocrates.gif
root@Sec:/tmp## strings Harpocrates.gif |tail
   <xmpDM:altTimecode
    xmpDM:timeValue="00:00:00:00"
    xmpDM:timeFormat="30Timecode"/>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="r"?>
~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)('&%$#"!
;Flag 3{~ATXVfzXk} he's the sneaky man [101] goto: /|117||107||126||104||109||108||105||117||123||114||125||117||122||117||105||112||114||104||123||104||121||108||108||118||122||126||107||114||108||123||103||121|/
the link will not work during isolation
  • Flag 3 is {~ATXVfzXk}

Decryption

There seems to be a piece of ciphertext in there; let's run it through the decoder.
The key is 101, which read as binary is 5 in decimal.

root@Sec:/tmp## ./icekam.sh 4.txt -5
[+] Trying -5...
pfychgdpvmxpupdkmcvctggquyfmgvbt
-----
  • Decryption gives pfychgdpvmxpupdkmcvctggquyfmgvbt

Fourth flag
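As an added example (not the write-up's icekam.sh), the same decoder in Python, using the standard Caesar convention ciphertext = code + key (so the page's `-5` is `5` here), plus an `encode` helper and a brute-force `crack` that ranks keys by a small common-word list; the word list and the constructed sample message are my own assumptions, the flag-3 ciphertext is the one from the page.

```python
import re

# Decoder for the /news message format from the loki.bin hint: tokens are split
# on '|', numeric tokens are ASCII codes shifted by the key, '++' is a space, '//' a period.
TOKEN_RE = re.compile(r"[^|]+")
# small word list used only to rank brute-force candidates (my own heuristic)
COMMON_WORDS = {"the", "a", "i", "to", "is", "of", "and", "you", "it", "from"}

def decode(cipher: str, key: int) -> str:
    """Undo the shift on numeric tokens; '++' and '//' are literal markers."""
    out = []
    for token in filter(None, (t.strip() for t in TOKEN_RE.findall(cipher))):
        if token.isdigit():
            code = int(token) - key
            if not 32 <= code <= 126:  # leaves printable ASCII: wrong key
                return ""
            out.append(chr(code))
        else:
            out.append(token)
    return "".join(out).replace("++", " ").replace("//", ".")

def encode(plain: str, key: int) -> str:
    """Inverse of decode; used here only to build a constructed test message."""
    tokens = ["++" if c == " " else "//" if c == "." else str(ord(c) + key)
              for c in plain]
    return "|" + "||".join(tokens) + "|"

def crack(cipher: str, keys=range(-128, 129)):
    """Try every key; return (key, plaintext) for the candidate containing the
    most common English words, or None when no key yields readable text."""
    def score(text):
        return sum(w.strip(".").lower() in COMMON_WORDS for w in text.split())
    best = max(keys, key=lambda k: score(decode(cipher, k)))  # first max wins
    plain = decode(cipher, best)
    return (best, plain) if score(plain) > 0 else None

# Ciphertext from the Harpocrates.gif trailer (wrapping '/' dropped); the key
# displayed beside it is 101, i.e. 5 in binary.
FLAG3_HINT = ("|117||107||126||104||109||108||105||117||123||114||125||117||122||117|"
              "|105||112||114||104||123||104||121||108||108||118||122||126||107||114|"
              "|108||123||103||121|")

if __name__ == "__main__":
    print(decode(FLAG3_HINT, 5))  # pfychgdpvmxpupdkmcvctggquyfmgvbt
    # constructed message in the style of the /news posts, encoded with key 52
    print(crack(encode("zeus here. i have decided to retire from the project.", 52)))
```

On the flag-3 hint `crack` returns None, since the result is a path fragment rather than English; the displayed key is what makes it decodable.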
