The name of this challenge made me curious and was one of the challenges from TryHackMe where I solved the questions in a quite different order than they were listed. However, I am sure that there are also other ways to reach the answers required.
Let’s begin and see what do we have there!
First of all, I started with a scan because I wanted to see what ports are opened and what services are running on the server.
nmap -sV 10.10.116.67
What caught my attention were the first 3 common ports, for ftp, ssh and http, so I decided to check the website and see what we have there.
I found a web page with a login form, requiring username and password. After checking the source code of the page, I didn’t find anything relevant.
I attempted to login using some simple credentials, like admin:admin or charlie:admin but I didn’t succeed. So I decided to test if there is any possibility to apply SQL injection. For this, I used sqlmap but the results showed me that this was not an option.
sqlmap -u http://10.10.116.67/index.html --forms --schema
For the moment, I decided to leave this and to move to the other services available. Due to the fact that the ftp service was running and the port was opened, I attempted to connect to the server with the anonymous login. And I was able to access it!
As you can see from the above screenshot, there’s only a picture, gum_room.jpg, apparently not too much. However, there’s always a possibility to have something hidden inside so I had to give a shot. And I got some results, there was a hidden file inside it.
Using a blank password, a hidden file was revealed, b64.txt, and my first hunch was that, as it was written in its name, it was a base64 encoded content. After I opened the file and looked at the content, I was convinced that I was right. In order to decode the content, I used a personal python script but you can use any online decoders (the internet is full of this kind of tools) and get the initial text.
The result we got seems to be the content of an /etc/shadow file. Also, we found out that there is an user named charlie.
2. What is Charlie’s password?
There is a hash for the password, which I tried to crack using John The Ripper and rockyou.txt file. After a while, I got the result and found out what was the password for user charlie. I also tested if I could login via ssh using those credentials but it didn’t allow me. However, this is the answer for the second question.
But, let’s remember that at the beginning, we had a login form on the web. Maybe these credentials work there. After testing them, I was able to login on that page.
The page source didn’t provide any useful information for me. However, there was something interesting over there. Even though we have only a text field, this one might be very relevant for us since we could be able to execute commands on the server. I typed a simple ls command and I got some results! I could run commands and I was going to exploit this (please ignore the fact that there is a different IP in the below screenshot compared with the previous ones, the machine expired while I was writing this walkthrough and I had to start it again).
We see that there are several files, among which is also the current page (home.php) but also another interesting thing, called key_rev_key. After running another command to see what type of file it is (file key_rev_key), I saw that it’s an executable. I downloaded it locally from the browser, by replacing “home.php” with “key_rev_key” in the URL and then I started to analyze it using radare2. I was pretty sure that I will find the answer for the first question here.
1. Enter the key you found!
After checking the code, I saw the hardcoded user and the code that will be revealed after introducing the correct user. Don’t run any unknown executables on your computer in real life, or maybe do it in a virtual machine. However, this one was not dangerous. When you run the file, it asks for a name and when the correct one is introduced, it reveals the key needed for this question.
3. Change user to charlie
Well, so far, we still didn’t have access on the server. Remember, the password didn’t work. So, on the web page where we logged in previously, I tried to list the files in the .ssh directory. I checked for files in /home/charlie/.ssh and I found this:
I read the content of the private one and saved it locally, changed the permissions to 600, then I tried to login again via ssh, this time successfully!
4. Enter the user flag
As usual, the user.txt flag file could be found in the home directory of the user. After logging in, just went there and read the file.
5. Enter the root flag
Well, initially, I went on a path that seemed logic for privilege escalation. After verifying the groups that user charlie is part of, I found that it is a member of lxd , so I decided to try to exploit that. However, it didn’t work, I don’t know why, so I had to change my approach. The search of SUID and GUID files didn’t show me any possible files that I could exploit, at least at a first glance and at my level of knowledge. Then, I realized that I missed something, maybe even the first step in the checks for privilege escalation. Even though I didn’t have the password for charlie, I ran sudo -l to check what commands I can run as root. Seeing that I can execute vi, I knew that I can exploit that but I double checked on GTFOBINS to be sure and also to get the payload for that. Running
sudo vi -c ':!/bin/sh' /dev/null granted me a root shell. Nothing left than to reveal the context of root.txt file in /root. Well, I had a surprise here. I didn’t find any text files, only a python script. Taking into consideration the hint provided, I executed the script using python2 and it asked for a key. At the beginning, I didn’t know where to get that key from, but after, I remembered that we found a key for a previous question. I used that and I got the root flag.
That’s all, I hope you found this walkthrough useful!