Hello. I am doing the Penguin Land practice lab, and cannot find how to get into flag_two. I’m guessing it has to do with /usr/bin/base64 and finding an ssh key as that’s the hint, but I do not know how to approach this at all. I also saw another topic about this same lab, but it wasn’t helpful. Any help would be very much appreciated! Thanks
Hey there - I’ve posted a sanitized copy of the instructor’s solution guide for flag 2 below. This should provide some direction without revealing the exact commands.
If you recall from the previous enumeration step, base64 had SUID permission but couldn’t be run by the cybrary user, although apparently the flag_one user can. Recall that a user’s SSH key is in the “.ssh” directory of a user and typically is “id_rsa”.
So using the base64 binary, we can use it to get file disclosure on flag_two’s private ssh key.
Then, setting the permissions to 0600 on the file, it can be used to access flag_two’s account and the final flag.
Recall that you only have to complete 5 of the available challenges in the Penetration Tester Practice section, so if you’re struggling with this one, it might be worth looking at a different challenge.
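Seen from the defender's side, the misconfiguration described in the reply above can be audited for. This is an added example, not part of the thread or the lab's solution guide: a POSIX shell function that lists setuid copies of file-reading utilities such as base64. The function name `audit_suid_readers` and the utility list are assumptions made for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the lab): find setuid binaries
# that simply copy a file's contents to stdout. A setuid bit on one of these
# lets any user allowed to execute it read files as the binary's owner,
# including private keys under another account's ~/.ssh directory.

# Assumed list of file-reading utilities for this example; extend as needed.
READERS="base64 base32 cat head tail od xxd"

# audit_suid_readers DIR
# Prints one line per finding: "<path> owner=<user> mode=<ls mode string>".
audit_suid_readers() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r path; do
        name=$(basename "$path")
        for reader in $READERS; do
            if [ "$name" = "$reader" ]; then
                # ls -ld fields: mode, link count, owner, group, ...
                ls -ld "$path" | awk -v p="$path" \
                    '{ print p, "owner=" $3, "mode=" $1 }'
            fi
        done
    done
}

# Stand-alone use: pass the directory to scan as the first argument.
# Remediation for a finding is to drop the bit: chmod u-s <path>
if [ "$#" -gt 0 ]; then
    audit_suid_readers "$1"
fi
```

Scan as root so that directories restricted to other users are included in the results.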