
TryHackMe - The Server From Hell


The Server From Hell is a medium-level room on TryHackMe. The final objective is to get the user and root flags.



Author: DeadPackets
Description: Face a server that feels as if it was configured and deployed by Satan himself. Can you escalate to root?

Deploy the VM and let’s go.

Enumeration


Let’s start with port 1337. I used netcat to get the banner.
I did an nmap scan of ports 0-100 with the banner script, but the results didn’t make any sense. So, I ran netcat to grab all the banners.

for i in {0..100};do nc ip-addr $i; echo ; done


And I found this..

I grabbed the banner for port 12345.

Flag


Enumerate the NFS share with showmount.

showmount -e ip-addr



I created a temporary directory to mount the NFS share on my local machine.

sudo mount -t nfs ip-addr:/home/nfs ./tmp


There is a zip file named backup.zip inside the mounted NFS share.

I used fcrackzip to crack the password.

fcrackzip -v -D -u backup.zip -p path-to-wordlist



Unzip the zip file. The inflated directory contains the answer to the first question. I also took note of the username hades.

The hint.txt file shows a range. So, I tried doing an nmap scan for the given range.

nmap -sV --script=banner ip-addr -p2500-4000


On a whim, I searched for OpenSSH and it was actually there. Luckyy!

User flag


We have the private key and the SSH port. Without further ado, let’s log in over SSH. Ahh… Don’t forget to change the permissions on the private key to 600.

After logging in, it throws an error for every command. From the error message, I found that it is running irb.

From GTFOBins I found a way to get a shell.


Way to go!! We got the user flag.

Root flag


As a primary enumeration step for privilege escalation, I used LinPEAS. After a quick look through the results, I found tar with user capabilities.

From GTFOBins I found this.
We can use this to get the root flag directly.

But it is no fun getting only the flag. Let’s also root the box.

I dumped the /etc/shadow file, which contains all the passwords in encrypted form.

Copy the contents of the root hash to a separate file and crack it using john.
We got the root password.

Voilà!! We cleared the room.
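
For the defensive side of the tar finding in the root flag section, this added example (not from the original post) filters `getcap -r` output for file capabilities that bypass file permissions or allow privilege changes. The post does not name the capability set on tar, so the sample lines and the risky-capability list below are constructed assumptions.

```bash
#!/bin/sh
# Added example: audit file capabilities, the misconfiguration class LinPEAS
# reported on tar in this room. Reads `getcap -r` output on stdin.

# Capabilities treated as high-risk on a general-purpose binary.
# Editor's selection (assumption), not a complete list.
RISKY_CAPS='cap_dac_read_search cap_dac_override cap_setuid cap_setgid cap_sys_admin cap_sys_ptrace cap_chown cap_fowner'

# audit_caps: print "path<TAB>capability" for each risky capability found.
# Handles both getcap output formats:
#   older libcap:  /bin/tar = cap_dac_read_search+ep
#   newer libcap:  /bin/tar cap_dac_read_search=ep
# Limitation: paths containing spaces are not handled.
audit_caps() {
  awk -v risky="$RISKY_CAPS" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    NF >= 2 {
      for (f = 2; f <= NF; f++) {
        caps = $f
        if (caps == "=") continue          # separator in the older format
        sub(/[+=-][eip]*$/, "", caps)      # drop the flag suffix (+ep, =eip)
        m = split(caps, c, ",")            # one clause may list several caps
        for (i = 1; i <= m; i++)
          if (c[i] in bad) print $1 "\t" c[i]
      }
    }'
}

# Constructed sample input (not taken from the target machine).
SAMPLE_GETCAP=$(cat <<'EOF'
/usr/bin/ping = cap_net_raw+ep
/bin/tar = cap_dac_read_search+ep
/usr/bin/python3.8 cap_setuid,cap_net_bind_service=eip
/usr/bin/mtr-packet cap_net_raw=ep
EOF
)

# Demo run on the sample. On a real host: getcap -r / 2>/dev/null | audit_caps
printf '%s\n' "$SAMPLE_GETCAP" | audit_caps
```

Anything this reports on an archiver, interpreter or editor should have the capability removed with `setcap -r <path>` unless there is a documented need for it.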

That’s it, folks. Happy hacking!!!

This post is licensed under CC BY 4.0 by the author.