Room: Advent of Cyber
Difficulty: Beginner
“Elf Holly is suspicious of Elf-Ministrator and wants to get onto the root account of a server he set up to see what files are on his account. The problem is, Holly is a low-privileged user. Can you escalate her privileges and hack your way into the root account?
Deploy and SSH into the machine.
Username: holly
Password: tuD@4vt0G*TU
SSH is not running on the standard port. You might need to nmap scan the machine to find which port SSH is running on.”
For this challenge you will have to deploy the VM from the question and then use either OpenVPN or the THM virtual Kali Machine (if you are a subscriber) to connect to it. If you need instructions for how to do that, click HERE.
Question #1: What port is SSH running on?
The first step is to use your attacking machine (OpenVPN or Kali) to run nmap against the target VM. -p- directs nmap to scan all ports (since SSH is not on the usual port, which is 22). -sV identifies the service/version on any open ports.
nmap -p- -sV <targetmachine>
So this scan took quite a long time because it was very thorough. While waiting for it to complete however, I noticed that the answer to the question is actually in the available hint. The challenge is to figure out how to connect to it via SSH.
So I left the scan running and just connected as normal, but specified the port at the end with -p:
ssh holly@<targetmachine> -p 65534
Then enter the password provided:
Question #2: Find and run a file as Igor. Read the file /home/igor/flag1.txt
This question is strongly hinting at using the find command. Igor is also italicized suspiciously. If you read the supporting material that went along with the challenge, you should have a good idea of where this is going.
To start off with, I navigated to /home/igor/flag1.txt, but did not have the ability to read the file:
Using the supporting materials as my guide, I executed the following command:
find / -user igor -perm -4000 -exec ls -ldb {} \; 2>/dev/null
This lists every file owned by Igor that has the SUID bit set. He owns find and nmap, but we can still use them because the SUID bit is set, which shows up as an “s” in place of the owner’s execute bit in the normal permissions:
-rwsr-xr-x
This means that any user can execute these commands, and they will be run as the original owner, Igor.
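As an added example that is not part of the original write-up: the same SUID enumeration, viewed from the administrator's side. This POSIX shell snippet takes the output of a `find / -perm -4000` search and sorts each binary into one of three buckets: expected SUID programs, binaries the page shows can be abused (find, nmap), or anything else that needs a manual review (such as a custom tool like system-control). The sample listing, the baseline list and the bucket names are constructed assumptions, not taken from the room.

```shell
#!/bin/sh
# Constructed sample of `find / -perm -4000 -type f 2>/dev/null` output.
# These paths are made up for the example, not copied from a real host.
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/find
/usr/bin/nmap
/usr/bin/system-control'

# Binaries that are normally SUID root on a stock Linux install (assumed baseline).
BASELINE='passwd sudo su mount umount newgrp chsh chfn gpasswd'

# Binaries the write-up shows handing out file reads or a shell when SUID.
ESCAPES='find nmap'

flag_suid() {
    # Reads one path per line on stdin, prints "path:verdict" per line.
    while IFS= read -r path; do
        name=${path##*/}
        verdict=review
        case " $BASELINE " in *" $name "*) verdict=baseline ;; esac
        case " $ESCAPES " in *" $name "*) verdict=shell-escape ;; esac
        printf '%s:%s\n' "$path" "$verdict"
    done
}

count_non_baseline() {
    # Number of SUID binaries in the sample that are not on the baseline,
    # i.e. the ones an administrator should strip the bit from or justify.
    printf '%s\n' "$SAMPLE_SUID" | flag_suid | grep -vc ':baseline$'
}

count_escapes() {
    # Number of sample binaries matching the known-abusable list.
    printf '%s\n' "$SAMPLE_SUID" | flag_suid | grep -c ':shell-escape$'
}
```

On a live system, replace the sample with `find / -perm -4000 -type f 2>/dev/null | flag_suid`; a `chmod u-s` on anything in the shell-escape bucket closes the path used in this room.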
Around this time, nmap finally completed:
Yep, port 65534. Thanks, nmap.
Anyways, so we still need to get “flag1.txt” open. Once again using the supporting material to guide me, I ran the following command:
find /home/igor/flag1.txt -exec cat {} \;
What this is doing is leveraging the -exec option of find to run the cat command on “flag1.txt” as if we were Igor. It’s a way to get around the normal permissions if they are limiting you.
Question #3: Find another binary file that has the SUID bit set. Using this file, can you become the root user and read the /root/flag2.txt file?
(I took a break at this point and my first machine expired, so you will see a different IP address moving forward)
Now we need to find what we can run as root. Let’s use the same command as above, but substitute “root” for “igor”. I piped it through grep so we would only return executable files:
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null | grep "bin"
Give it about a minute or so, and eventually you will see this:
Which of these should we leverage? This would be the time-consuming part: having to play around with all of the /bin files until we find one that is successful at gaining a shell.
Luckily, I have done that for you with the help of GTFOBins.
However, after a few failed attempts, I realize that /usr/bin/system-control DOES kind of stand out as obvious…
Let’s run that one now:
It looks like this pretty much just handed me root access on a silver platter.
We can try to cat our file now:
cat /root/flag2.txt
Thank you for following along.
Happy Hacking! ❤