you can download it here: https://www.vulnhub.com/entry/rotating-fortress-101,248/

root@kali:~# nmap -p 1-65535 -T4 -A 192.168.227.168
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-11 08:49 EDT
Nmap scan report for 192.168.227.168
Host is up (0.00054s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
27025/tcp open unknown
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, HTTPOptions, Kerberos, RTSPRequest, SMBProgNeg, X11Probe:
| Connection establised
| Requesting Challenge Hash...
| GetRequest:
| Connection establised
| Requesting Challenge Hash...
| Connection Closed: Access Denied [Challenge Hash Did Not Return Any Results From Database]
| Connection Closed: Access Denied [Challenge Hash Did Not Return Any Results From Database]
| NULL, RPCCheck, SSLSessionReq, TLSSessionReq:
| Connection establised
| Requesting Challenge Hash...
|_ Connection Closed: Access Denied [Challenge Hash Did Not Return Any Results From Database]
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:0C:29:80:69:B3 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.54 ms 192.168.227.168

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 154.29 seconds

check the http service.

walked around the page

seems to be some encrypted message.

root@kali:~# dirb http://192.168.227.168/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Jun 11 11:56:27 2019
URL_BASE: http://192.168.227.168/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.227.168/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/ ----
==> DIRECTORY: http://192.168.227.168/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/icons/
+ http://192.168.227.168/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/index.html (CODE:200|SIZE:91)
==> DIRECTORY: http://192.168.227.168/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/resources/
+ http://192.168.227.168/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/robots.txt (CODE:200|SIZE:72)

---- Entering directory: http://192.168.227.168/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/icons/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.227.168/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/resources/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Tue Jun 11 11:56:30 2019
DOWNLOADED: 4612 - FOUND: 2
root@kali:~# curl http://192.168.227.168/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/robots.txt
User-agent: *
Disallow: /
Disallow: /icons/loki.bin
Disallow: /eris.php
root@kali:~# wget http://192.168.227.168/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/icons/loki.bin
--2019-06-11 11:57:52-- http://192.168.227.168/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/icons/loki.bin
Connecting to 192.168.227.168:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15712 (15K) [application/octet-stream]
Saving to: ‘loki.bin’

loki.bin 100%[=============================================>] 15.34K --.-KB/s in 0s

2019-06-11 11:57:52 (171 MB/s) - ‘loki.bin’ saved [15712/15712]

root@kali:~# file loki.bin
loki.bin: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=5ee04fe5ea96173af27612ff707628d8e684db16, not stripped

throw loki.bin into IDA Pro.

it takes the user’s input and compares it with tmp; tmp is the first 19 chars of g, so take a look at g’s definition.

hex converted to ascii: xBspsiONMSNXeVuiomF, so this would be the passphrase.

it told me how to decrypt the message: just a Caesar cipher, with “++” replaced by “ ” and “//” replaced by “.”

the key which is displayed above each message?

I guessed it would take the right half of each symbol, so first one is 12, second one is 35 and the third one is 99

but it does not look right, the third one is 125, shifted by 99 would not make any sense. =(

write a python script to brute force the key (from 1 to 99).

message = "|38||17||33||31||++||20||17||30||17||//||++||13||18||32||17||30||++||13||++||24||27||26||19||++||32||21||25||17||++||27||18| |++||32||20||21||26||23||21||26||19||++||21||++||20||13||34||17||++||16||17||15||21||16||17||16||++||32||27||++||30||17||32| |21||30||17||++||18||30||27||25||++||28||30||27||22||17||15||32||++||30||27||32||13||32||21||26||19||++||18||27||30||32||30| |17||31||31||//||++||20||27||35||17||34||17||30||++||21||++||16||27||++||26||27||32||++||35||13||26||32||++||32||27||++||23| |21||24||24||++||32||20||17||++||28||30||27||22||17||15||32||++||35||21||32||20||++||25||37||++||30||17||32||21||30||17||25| |17||26||32||++||31||27||++||21||++||13||25||++||28||30||17||31||17||26||32||21||26||19||++||37||27||33||++||13||24||24||++| |13||++||15||20||13||24||24||17||26||19||17||//||++||21||++||20||13||34||17||++||31||17||32||++||33||28||++||13||++||28||33| |38||38||24||17||++||27||26||++||32||20||17||++||31||17||30||34||17||30||++||21||18||++||37||27||33||++||15||13||26||++||19| |17||32||++||28||13||31||32||++||13||24||24||++||28||33||38||38||24||17||31||++||32||20||17||++||31||17||30||34||17||30||++| |21||31||++||37||27||33||30||31||//||++||14||37||++||32||20||17||++||35||13||37||++||21||++||20||13||34||17||++||30||17||25| |27||34||17||16||++||17||34||17||30||37||14||27||16||21||17||31||++||24||27||19||21||26||31||++||18||30||27||25||++||32||20| |17||++||31||17||30||34||17||30||++||17||36||28||17||15||32||++||25||21||26||17||++||31||27||++||32||20||21||31||++||35||27| |26||32||++||14||17||++||17||13||31||37||//||++||32||13||23||17||++||32||20||21||31||++||21||32||++||25||21||19||20||32||++| |14||17||++||33||31||17||18||33||24||++||17||16||34||29||37||20||35||25||18||34||29||30||16||33||15||29||22||14||38||33||25| |37||31||30||35||16||19||25||18||16||20||32||//||++||19||27||27||16||++||24||33||15||23||//|"

message = message.replace("||", "| |")

tmp = message.split(" ")

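# try every shift from 1 to 99 (a message shifted the other way needs a negative range)
for i in range(1, 100):
    print("testing key: ", i)
    for j in tmp:
        j = j.replace("|", "")
        if j == "++":
            # "++" encodes a space
            print(" ", end="")
        elif j == "//":
            # "//" is the sentence separator
            print(",", end="")
        else:
            print(chr(int(j)+i), end="")
    print("")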

PS: the key to last message should be negative

decrypted message:

testing key:  84
zeus here, after a long time of thinking i have decided to retire from project rotating fortress, however i do not want to kill the project with my retirement so i am presenting you all a challenge, i have set up a puzzle on the server
if you can get past all puzzles the server is yours, by the way i have removed everybodies logins from the server expect mine so this wont be easy, take this it might be useful edvqyhwmfvqrducqjbzumysrwdgmfdht, good luck,

testing key: 61
we will be restricting access to the server until further notice for an event, anthena,

testing key: -3
zeus has asked me to make an encoder for our updates, this is me testing it out, if it works i will be sending it to the rest of you as well as a decoder, tir,
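
Instead of reading every candidate output by eye, the shift can be picked automatically. The following is an added example, not part of the original write-up: it parses the |NN| / |++| / |//| token stream, tries positive and negative shifts, and keeps the one whose output contains the most common English letters. The scoring heuristic and function names are assumptions of this example, and "//" is decoded as "." as the decoder instructions describe.

```python
import re

# Letters that dominate ordinary English text; used to score candidate plaintexts.
COMMON = set("etaoinshrdlu")

def tokens(message):
    """Split the |NN| / |++| / |//| stream into tokens, ignoring wrap spaces."""
    return re.findall(r"\|([^|\s]+)\|", message)

def decode(message, key):
    """Apply one shift; return None if any symbol leaves printable ASCII."""
    out = []
    for tok in tokens(message):
        if tok == "++":
            out.append(" ")
        elif tok == "//":
            out.append(".")
        else:
            code = int(tok) + key
            if not 32 <= code <= 126:
                return None
            out.append(chr(code))
    return "".join(out)

def best_key(message, keys=range(-99, 100)):
    """Return (key, plaintext) for the shift with the most common English letters."""
    scored = []
    for key in keys:
        text = decode(message, key)
        if text is not None:
            scored.append((sum(c in COMMON for c in text), key, text))
    if not scored:
        raise ValueError("no key in range yields printable text")
    _, key, text = max(scored)
    return key, text

# Constructed sample: the first ten and last eleven tokens of the first message above.
SAMPLE = ("|38||17||33||31||++||20||17||30||17||//|"
          "|++||19||27||27||16||++||24||33||15||23||//|")

if __name__ == "__main__":
    print(best_key(SAMPLE))
```
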

the only thing I got that seems useful is “edvqyhwmfvqrducqjbzumysrwdgmfdht”, but I don’t know where it can be used.

go and check

after some tries I gave up here.

but I found something more interesting here:

why is a gif so big? there must be something hidden.

root@kali:~# wget http://192.168.227.168/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/resources/Harpocrates.gif
--2019-06-11 12:44:37-- http://192.168.227.168/LELv3FfpLrbX1S4Q2FHA1hRtIoQa38xF8dzc8O9z/resources/Harpocrates.gif
Connecting to 192.168.227.168:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 133600755 (127M) [image/gif]
Saving to: ‘Harpocrates.gif’

Harpocrates.gif 100%[=============================================>] 127.41M 71.0MB/s in 1.8s

2019-06-11 12:44:39 (71.0 MB/s) - ‘Harpocrates.gif’ saved [133600755/133600755]

root@kali:~# binwalk Harpocrates.gif

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 GIF image data, version "89a", 1920 x 1080
1008078 0xF61CE MySQL ISAM compressed data file Version 6
20417899 0x1378D6B lrzip compressed data
21187821 0x1434CED Uncompressed Adobe Flash SWF file, Version 73, File size (header included) 41062889
45154245 0x2B0FFC5 rzip compressed data - version 6.44 (1661414231 bytes)
46030469 0x2BE5E85 Cisco IOS experimental microcode, for ""
46500394 0x2C58A2A Cisco IOS experimental microcode, for ""
59254280 0x3882608 MySQL MISAM compressed data file Version 8
115340523 0x6DFF4EB MySQL ISAM compressed data file Version 6

binwalk -e did not manage to extract the hidden file, but there is something interesting at the end of the file content.
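
A way to confirm and carve what sits behind the image, as an added example that is not part of the original write-up: walk the GIF block structure up to the trailer byte (0x3B) and return everything after it. A plain search for 0x3B is not enough because that byte also occurs inside image data. The sample GIF and the appended bytes are constructed, and the function names are this example's own.

```python
import struct

def _skip_sub_blocks(data, pos):
    """Step over a chain of GIF sub-blocks (size byte + payload, ended by size 0)."""
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1

def gif_trailing_data(data):
    """Walk the GIF block structure and return whatever follows the trailer byte."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    try:
        pos = 13                               # header (6) + logical screen descriptor (7)
        if data[10] & 0x80:                    # global colour table present
            pos += 3 * (2 << (data[10] & 7))
        while True:
            block = data[pos]
            pos += 1
            if block == 0x3B:                  # trailer: the image ends here
                return data[pos:]
            if block == 0x21:                  # extension: label byte, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 1)
            elif block == 0x2C:                # image descriptor: 9 bytes follow
                flags = data[pos + 8]
                pos += 9
                if flags & 0x80:               # local colour table present
                    pos += 3 * (2 << (flags & 7))
                pos = _skip_sub_blocks(data, pos + 1)  # +1 skips LZW min code size
            else:
                raise ValueError(f"unknown block 0x{block:02x} at offset {pos - 1}")
    except IndexError:
        raise ValueError("truncated GIF: no trailer found") from None

# Constructed 1x1 GIF whose image data deliberately contains a 0x3B byte.
CLEAN_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
             + bytes(6)                                   # 2-entry colour table
             + b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
             + b"\x02" + b"\x02\x3B\x01" + b"\x00"        # LZW size, one sub-block, end
             + b"\x3B")
APPENDED = b"|117||107||126|"   # constructed stand-in for text appended after the image

if __name__ == "__main__":
    print(gif_trailing_data(CLEAN_GIF + APPENDED))
```
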

the same kind of encrypted message, and it seems to be a link. use python to brute force it.

import requests

message = "|117||107||126||104||109||108||105||117||123||114||125||117||122||117||105||112||114||104||123||104||121||108||108||118||122||126||107||114||108||123||103||121|"

message = message.replace("||", "| |")

tmp = message.split(" ")

# try negative shifts and request each candidate path on the web server
for i in range(-70, -1):
    print("testing key: ", i)
    url = "http://192.168.227.168/"
    for j in tmp:
        j = j.replace("|", "")
        if j == "++":
            print(" ", end="")
        elif j == "//":
            print(",", end="")
        else:
            url += chr(int(j)+i)
            # print(chr(int(j)+i), end="")
    # anything other than a 404 means the decoded path exists
    r = requests.get(url)
    if r.status_code != 404:
        print(url)



PS D:\Practice\python\test> py -3 "d:\Practice\python\test\test.py"
testing key: -70
.
.
.
testing key: -54
http://192.168.227.168/?5H2763?E<G?D?3:<2E2C66@DH5<6E1C
testing key: -53
.
.
.
testing key: -6
testing key: -5
http://192.168.227.168/pfychgdpvmxpupdkmcvctggquyfmgvbt
testing key: -4
testing key: -3
testing key: -2

http://192.168.227.168/pfychgdpvmxpupdkmcvctggquyfmgvbt here it is.

the same trick used to bypass the last Janus was not working here. try another code.

root@kali:~# curl -b "pass=edvqyhwmfvqrducqjbzumysrwdgmfdht" -i http://192.168.227.168/pfychgdpvmxpupdkmcvctggquyfmgvbt/Janus.php
HTTP/1.1 200 OK
Date: Tue, 11 Jun 2019 17:10:40 GMT
Server: Apache/2.4.25 (Debian)
Set-Cookie: pass=0
Vary: Accept-Encoding
Content-Length: 205
Content-Type: text/html; charset=UTF-8

<html>
<title>
Janus
</title>
<body>
You have come far but your journey is not over yet.
./Papa_Legba will guide you, good luck.
Flag: decoded and ready to roll out, Flag 4{d#B=TVf5}
</body>
</html>
root@kali:~# curl -b "pass=edvqyhwmfvqrducqjbzumysrwdgmfdht" -i http://192.168.227.168/pfychgdpvmxpupdkmcvctggquyfmgvbt/Papa_Legba/
HTTP/1.1 200 OK
Date: Tue, 11 Jun 2019 17:10:43 GMT
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Content-Length: 784
Content-Type: text/html; charset=UTF-8

<!-- n.t.s length is 9 -->
<!-- Loki here if you're reading this come to /pfychgdpvmxpupdkmcvctggquyfmgvbt/chat.php -->
<style>

.bg{
background: url("/pfychgdpvmxpupdkmcvctggquyfmgvbt/images/papa_legba_back.png");
min-height: 100%;
min-width: 100%;
background-position: center;
position: absolute;
background-repeat: no-repeat;
top: 0;
left: 0;
}
</style>
<html>
<title>
Papa Legba
</title>
<div class="bg">
<body>

<div style="color: white; text-align: center; width: 50%; top: 50%; left: 25%; position: absolute;">

<form action="index.php" method="post">
Password: <input type="password" name="password"> <br>
<input type="button" value="Download" onclick="window.location.href='papa_legba.zip'" /><input type="submit">
</form>

<br><br><br>
</div>
</body>
</div>
</html>

found this: http://192.168.227.168/pfychgdpvmxpupdkmcvctggquyfmgvbt/chat.php

.

.

.

.

.

.

I gave up on this challenge. I may come back in the future, but absolutely NO for now.