This is part 1 of the Looking Glass writeup. This TryHackMe room is the second machine with an Alice in Wonderland/Lewis Carroll theme. I managed to obtain the user flag, but I realized that it was taking a lot of time to navigate this rabbit hole of a box. I began to wonder if I was spending too much time on challenges that, while helpful for training my brain muscles related to puzzle solving in a Linux environment, wouldn’t be as useful in a real work setting. So, I stopped after getting the user flag. I may return to complete this room at some point in the future, but for now, I’m happy with my progress.
Scanning
The NMap scan quickly showed something odd about this machine, compared to the other ones I did:
As the scan result showed, the machine had port 22 open with a standard SSH service, and then numerous ports between 9000 and 13783 open with a different SSH service called Dropbear.
I searched the internet for vulnerabilities in these services; however, I did not find any useful information in this case.
I then decided to connect to some of those ports to see what would happen (maybe there was a root or a guest account with a blank password) but after a pretty much standard message, I noticed a keyword at the bottom of the service reply: “Higher”.
I attempted a few more times with other ports too, to confirm a suspicion:
    root@ip-10-10-12-160:~# ssh root@10.10.64.234 -p 9000
    The authenticity of host '[10.10.64.234]:9000 ([10.10.64.234]:9000)' can't be established.
    RSA key fingerprint is SHA256:iMwNI8HsNKoZQ7O0IFs1Qt8cf0ZDq2uI8dIK97XGPj0.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '[10.10.64.234]:9000' (RSA) to the list of known hosts.
    Lower
    Connection to 10.10.64.234 closed.
    root@ip-10-10-12-160:~# ssh root@10.10.64.234 -p 13783
    The authenticity of host '[10.10.64.234]:13783 ([10.10.64.234]:13783)' can't be established.
    RSA key fingerprint is SHA256:iMwNI8HsNKoZQ7O0IFs1Qt8cf0ZDq2uI8dIK97XGPj0.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '[10.10.64.234]:13783' (RSA) to the list of known hosts.
    Higher
    Connection to 10.10.64.234 closed.
I then confirmed that this was a challenge similar to one I did a couple of years ago during a hacking convention, which also hosted CTFs (not sure if it was Defcon, Hacktivitycon or another one).
Initial access
“Higher” and “Lower” were hints about finding the right port. Solving this challenge would be as simple as creating a script that connects to the SSH ports, gets the last keyword of the message, and adjusts the next connection port number accordingly.
I ended up using the following Bash script to solve this challenge, and it worked flawlessly:
    #!/bin/bash
    ip="10.10.64.234"
    start_port=9000
    end_port=13783
    low=$start_port
    high=$end_port
    correct_port=""

    # Binary search over the port range
    while [ "$low" -le "$high" ]; do
        mid=$(( (low + high) / 2 ))
        # Connect to the SSH server and save the response to a variable
        response=$(echo "yes" | ssh -o "StrictHostKeyChecking no" -o "UserKnownHostsFile /dev/null" -o "LogLevel ERROR" -p "$mid" "root@$ip")
        # Check if the response contains "Higher" or "Lower".
        # The hints are mirrored: the lowest port (9000) answers "Lower" and the
        # highest port (13783) answers "Higher", so "Higher" means search below mid.
        if [[ $response =~ "Higher" ]]; then
            high=$((mid - 1))
        elif [[ $response =~ "Lower" ]]; then
            low=$((mid + 1))
        else
            # Any other reply is treated as coming from the target port
            correct_port=$mid
            break
        fi
    done

    if [ -n "$correct_port" ]; then
        echo "The correct port is: $correct_port"
    else
        echo "The correct port was not found."
    fi
I found the right port, and when connecting to it I would get in response an encrypted version of the poem Jabberwocky:
After the ciphertext, the machine was waiting for me to input “the secret”, which I thought could be inside the poem.
This part took quite a while to solve because I had to try different online services to understand how that text was encrypted.
Eventually I found out that it was using the Vigenère cipher, and thanks to https://ciphertools.co.uk I could find the encryption key:
With the key I could decipher the text and see the last line, which contained the “secret” that the prompt was asking me for in the command line:
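Because Jabberwocky is a public poem, the key can also be recovered offline from known plaintext instead of with an online tool. The sketch below is an added example, not part of the original write-up; the key `DEMOKEY`, the closing line and the resulting ciphertext are constructed and are not the room's values.

```python
import string

def vigenere(text, key, decrypt=False):
    """Vigenère over A-Z/a-z; other characters pass through and use no key letter."""
    sign = -1 if decrypt else 1
    out, i = [], 0
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            shift = sign * (ord(key[i % len(key)].upper()) - ord("A"))
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def keystream_from_crib(ciphertext, crib):
    """Known plaintext: key letter = cipher letter - plain letter (mod 26)."""
    c = [x.upper() for x in ciphertext if x in string.ascii_letters]
    p = [x.upper() for x in crib if x in string.ascii_letters]
    return "".join(chr((ord(a) - ord(b)) % 26 + ord("A")) for a, b in zip(c, p))

def shortest_period(stream):
    """Shortest prefix whose repetition reproduces the recovered keystream.
    Only trustworthy when the crib spans at least two key lengths."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream

def recover_and_decrypt(ciphertext, crib):
    """Derive the repeating key from the crib, then decrypt the whole text."""
    key = shortest_period(keystream_from_crib(ciphertext, crib))
    return key, vigenere(ciphertext, key, decrypt=True)

# Constructed demo data (not the room's key, ciphertext or secret).
CRIB = "'Twas brillig, and the slithy toves"  # opening line of the public poem
DEMO_KEY = "DEMOKEY"
DEMO_PLAIN = CRIB + "\nDid gyre and gimble in the wabe\nYour secret is placeholder"
DEMO_CIPHER = vigenere(DEMO_PLAIN, DEMO_KEY)

if __name__ == "__main__":
    key, plain = recover_and_decrypt(DEMO_CIPHER, CRIB)
    print("recovered key:", key)
    print(plain.splitlines()[-1])
```

The same subtraction explains why a Vigenère-protected message with predictable content offers no real confidentiality: one known line is enough to expose the key.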
Entering the secret word would provide you with the credentials of the user “jabberwock”. Later I would find out that every time you boot the machine both these credentials and the original port with the poem would change (this means that if for any reason you need to stop and start the machine again, you need to rerun the script to find the correct port with the encrypted poem, and then insert the secret word to get the new credentials for the user jabberwock).
Logging in to port 22 with the newly found credentials would give you access to the user's home, with the user.txt file containing the first flag (mirrored, keeping it in theme with the Looking Glass).
After getting the user flag, I looked around and found out that the user jabberwock had sudo access as root to the reboot service.
I also saw that there was a script in the jabberwock home folder that was called at reboot by another user via crontab:
Lateral movements
It was easy to understand what to do next: change the script in the jabberwock folder to a reverse shell for example, and reboot via sudo so that I would get the shell as user tweedledum.
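Seen from the defender's side, the weakness is a cron job that runs as one user while executing a file that another user controls, made triggerable on demand by the sudo right to reboot. The audit below is an added example, not from the original write-up; it assumes an /etc/crontab-style entry with a user field, and the script name `startup.sh` and the ownership table are constructed.

```python
import os
import pwd

# Constructed /etc/crontab-style sample (assumed format with a user field);
# startup.sh is a placeholder name, the page does not give the real one.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
@reboot tweedledum bash /home/jabberwock/startup.sh
"""

# Constructed ownership table so the example runs offline.
SAMPLE_OWNERS = {
    "/": "root",
    "/etc": "root",
    "/etc/cron.hourly": "root",
    "/home/jabberwock": "jabberwock",
    "/home/jabberwock/startup.sh": "jabberwock",
}

def stat_owner(path):
    """Owner lookup for a live system; returns None if the path is missing."""
    try:
        return pwd.getpwuid(os.stat(path).st_uid).pw_name
    except (OSError, KeyError):
        return None

def parse_system_crontab(text):
    """Yield (run_as_user, command) for each job line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue  # blank line, comment or environment assignment
        skip = 1 if fields[0].startswith("@") else 5  # @reboot vs five time fields
        if len(fields) >= skip + 2:
            yield fields[skip], " ".join(fields[skip + 1:])

def risky_jobs(text, owner_of=stat_owner):
    """Flag absolute paths in a job whose file or parent directory is owned by
    someone other than root or the account the job runs as."""
    findings = []
    for user, command in parse_system_crontab(text):
        for token in command.split():
            if not token.startswith("/"):
                continue
            owners = {owner_of(token), owner_of(os.path.dirname(token))}
            foreign = sorted(owners - {None, "root", user})
            if foreign:
                findings.append((user, token, foreign))
    return findings

if __name__ == "__main__":
    for finding in risky_jobs(SAMPLE_CRONTAB, SAMPLE_OWNERS.get):
        print("job runs as %s but %s is controlled by %s" % finding)
```

On a real host, call `risky_jobs(open("/etc/crontab").read())` to use live file ownership; group- and world-writable permission bits are not checked here.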
The problem was that when looking at the home folder, I saw there were several other users/characters of the book (I think 3 more users + the root), so this made me realize that this machine would take a longer time than expected to finish.
While it was good fun, it also took me some time to go through these initial puzzles, more than I wanted, and I decided for now to stop here and, as mentioned in the introduction, focus on other boxes and rooms that would be more useful for me to improve the skills I would actually need for and use on a job.