[Linux] b3dr0ck

This page aims to provide a clear and comprehensive write-up for the b3dr0ck room on TryHackMe. I used Kali Linux to conduct the penetration test.

Reconnaissance

We start by scanning the network with nmap:

sudo nmap 10.10.173.171

Enumeration

HTTP

Our initial enumeration begins with the HTTP service. When accessing the URL http://10.10.173.171, we are redirected to port 4040. The web page hints at a service running on a port above 9000, which might help us proceed. Let's examine the pichat service discovered during our scan.

pichat

The room introduction suggests that a socket listener might be active on port 9009, corresponding to the pichat service.

We can connect to it using socat:

socat TCP:10.10.173.171:9009 -

Upon connecting, we get a prompt. A useful first command in these situations is help, which reveals details on how to connect to the service using a certificate and key file.

We'll need to retrieve these files by communicating with the pichat service.

Hidden service - port 54321

We access the hidden service on port 54321 using the certificate and key we obtained from pichat, which belong to Barney Rubble. The service also gives us a hint about his password. To connect over TLS with his client certificate, we use:

socat stdio SSL:10.10.173.171:54321,cert=barney_cert.crt,key=barney_key.key,verify=0

Initial access

We can now try Barney’s password on the SSH service to gain access to the machine. It works, granting us initial access and our first flag.

Lateral movement

We discover that the certutil command can be run with sudo privileges. This command allows us to list and generate certificates on the server, which we can leverage to gain additional information.

To abuse this, we:

  1. List all certificates.

  2. Regenerate certificates as needed for further access.

  3. Use the certificates to query more data from the pichat service.

sudo /usr/bin/certutil ls

In addition to Barney, we find a certificate for Fred. To regenerate Fred’s certificate, we need his full name, which we find in the /etc/passwd file:

cat /etc/passwd
sudo /usr/bin/certutil fred "Fred Flintstone"

We save Fred’s certificate and key locally and connect to the pichat service again to retrieve his password:

socat stdio SSL:10.10.173.171:54321,cert=cert2,key=key2,verify=0

Using Fred's password, we gain further access to the target machine.

Escalation

The administrator has allowed Fred to run some commands with sudo. Using these commands, we manage to read the contents of /root/paas.txt.

The file contains what looks like a password hash. Using an online hash-cracking service such as CrackStation, we recover the root password, log in as root and obtain the root flag.

Remediation