THM: Tribute et al
Updates
I’ve just done Knife on HTB; no writeup obviously - it’s only a day old. I also finished MusicalStego which I can barely remember even starting, and then I did Tribute, which I don’t remember joining.
I’m not going to write much, just a brief mention about Tribute.
The root part takes advantage of a Python script running as root from a one-minute cron job. Here’s the entry from pspy:
2021/05/24 04:14:01 CMD: UID=0 PID=26303 /bin/sh -c python3 /home/meaghyn/.noises/.noises.py
Now, the content is basically this:
import socket
import sounds
print("creak")
Pretty basic, no? Anyway, the maker seems to have intended for you to use this to launch a reverse shell. One of the questions says:
What needs to be running to make .noises.py run without errors?
A hint given is:
nc -nvklp 1337
And the answer it wants is:
listener
I’m sorry, but that’s ridiculous. The cron job (and hence the script) already runs very happily every 60 seconds without errors; no listener required. And quite frankly we don’t need a listener to get root either. Here are two alternative methods, using sounds.py. In version 1, we add our user to the sudoers group:
And on the box:
Boom, roasted. In version 2 we use sounds.py to add root2 to /etc/passwd:
So there we go; root two ways and no listener required. There’s almost certainly an SSH method available too; write your public key to authorized_keys for root or something. When you’ve got root code execution, the world is your oyster.
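From the defender's side, the root cron job above runs a script out of a user's home directory that imports sounds, and both methods go through sounds.py. The following check is an added example, not part of the original writeup or the room: it flags every path that decides what code such a job executes. The function names and the trusted_uids parameter are assumptions made for illustration.

```python
import ast
import os
import stat


def risky(path, trusted_uids):
    """Return a reason string if a non-trusted user can modify path, else None."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"group/world-writable (mode {stat.S_IMODE(st.st_mode):o})"
    return None


def local_imports(script):
    """Paths in the script's own directory that its import statements resolve to."""
    base = os.path.dirname(os.path.abspath(script))
    with open(script, encoding="utf-8") as fh:
        tree = ast.parse(fh.read())
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    found = []
    for name in sorted(names):
        for cand in (os.path.join(base, name + ".py"), os.path.join(base, name)):
            if os.path.exists(cand):
                found.append(cand)
    return found


def audit_root_script(script, trusted_uids=frozenset({0})):
    """Map each path that influences the script's code to why it is unsafe."""
    script = os.path.abspath(script)
    # The script's directory is sys.path[0], so it is searched before the stdlib:
    # a writable directory is a finding even when no local module exists yet.
    targets = [os.path.dirname(script), script] + local_imports(script)
    findings = {}
    for path in targets:
        reason = risky(path, trusted_uids)
        if reason:
            findings[path] = reason
    return findings


if __name__ == "__main__":
    import sys
    for path, reason in audit_root_script(sys.argv[1]).items():
        print(f"{path}: {reason}")
```

Run it against each script path that appears in a root crontab; any output means the script, its directory or a sibling module should be moved to a root-owned location that other users cannot write to.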