
Fortress Writeup Tryhackme

Fortress Writeup

Fortress is a Medium rated machine on TryHackMe that was a lot of fun and taught me a lot of new things. There is an unintended way to get the root flag, but the intended route for the privesc is really interesting.

Setup

Two different hostnames are given for this machine: fortress.thm and temple.fortress.thm. Add both to /etc/hosts alongside the IP given for the box.

Basic Enumeration:

Starting with a quick and dirty nmap scan of all ports we get:

screenshot_1

Running a more detailed nmap scan on these open ports shows:

Screenshot_2

Parts of the scan output are cut off, but they don't hold any useful information.

Anonymous FTP login allowed

As seen in the nmap scan we are able to log in to FTP anonymously. Connect to ftp with ftp fortress.thm 5581. Running ls -la shows that there is one txt file as well as a hidden file just called .file.

Screenshot_3

Screenshot_4

Analyzing files from FTP

Looking at the text file from ftp shows:

Screenshot_5

Even though this just seems like world-building, it shows that there is at least a user named veekay and that the likely directory for the ftp server is /home/veekay/ftp.

Looking at the second file gives something that is more interesting:

Screenshot_6

Note: I renamed it from .file to just file for simplicity.

Doing basic analysis of this file shows that it is very likely the program running on port 5752.

Screenshot_7

Looking around for something that can decompile Python programs brought me to https://github.com/wibiti/uncompyle2. After installing it I ran the program against the file and got the regular .py file back.

Screenshot_8

We can see that all this is doing is converting the input the user gives into a byte string, converting that into a long, and then comparing it with hard-coded values for both the username and password longs. I made a quick Python script using the same library that the initial file uses to turn those longs back into the original strings.

Screenshot_9

Screenshot_10

Note: must be run with python3
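To show why recovering the credentials is trivial, here is an added example (not the box's program or the script from the screenshots) that mirrors the decompiled check: input bytes are turned into an integer and compared against hard-coded integers. The hard-coded values here are constructed stand-ins, and the conversion helpers are assumed to behave like bytes_to_long / long_to_bytes from PyCryptodome's Crypto.Util.number; a salted PBKDF2 check is included for contrast.

```python
import hashlib
import hmac
import os


def bytes_to_long(data: bytes) -> int:
    """Interpret a byte string as a big-endian unsigned integer
    (assumed equivalent of Crypto.Util.number.bytes_to_long)."""
    return int.from_bytes(data, "big")


def long_to_bytes(value: int) -> bytes:
    """Inverse of bytes_to_long: shortest big-endian encoding of value."""
    if value == 0:
        return b"\x00"
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


# Constructed stand-ins for the hard-coded longs in the decompiled file.
USER_LONG = bytes_to_long(b"demo_user")     # constructed, not from the box
PASS_LONG = bytes_to_long(b"S3cretP4ss!")   # constructed, not from the box


def check_login(username: str, password: str) -> bool:
    """Mirror of the service's check: encode, convert to long, compare."""
    return (bytes_to_long(username.encode()) == USER_LONG
            and bytes_to_long(password.encode()) == PASS_LONG)


def recover_credentials(user_long: int, pass_long: int) -> tuple:
    """Integer conversion is not a hash: the inputs come straight back."""
    return (long_to_bytes(user_long).decode(),
            long_to_bytes(pass_long).decode())


def hashed_record(password: str) -> tuple:
    """How a stored check should look: random salt plus a PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_hashed(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison; the digest does not reveal the password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    user, pw = recover_credentials(USER_LONG, PASS_LONG)
    print(f"recovered username={user!r} password={pw!r}")
    print("login accepted:", check_login(user, pw))
```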

Connecting and reading secret.txt

To connect to port 5752 just use netcat and enter in the credentials.

Screenshot_11

Temple of your Sins

Just going to the URL normally gives a 404 error, but if you add .html at the end a login portal is shown.

Screenshot_12

Viewing the page source shows how the login portal works.

Screenshot_13

What this is doing is taking the SHA1 hashes of both the username and the password, and if they are the same it outputs the private spot. This means that it is vulnerable to SHA1 hash collision. Searching around on Google led me to a script that does this for us: https://github.com/bl4de/ctf/blob/master/2017/BostonKeyParty_2017/Prudentialv2/Prudentialv2_Cloud_50.md

I edited this file to work better with our site.

Screenshot_14

Screenshot_15

Looking at this output we have a file named m0td_f0r_j4x0n.txt. Going to the website to look at this we get an SSH private key for a user named h4rdy.

Screenshot_16

WOOOOO we got a user shell.

Screenshot_17

But nothing can be done with this shell because it is using a restricted bash profile. We can bypass this by adding "bash --noprofile" to the end of the ssh command.

Screenshot_18

To upgrade the shell just run: python3 -c 'import pty;pty.spawn("/bin/bash")'

Another step to upgrade the shell is to change the PATH of the h4rdy user.

Screenshot_19

Checking the permissions h4rdy has, we can see that he is able to run /bin/cat as the j4x0n user. Using this we can read j4x0n's private SSH key to get access to his account.

Screenshot_20

Screenshot_21

Now we are able to read the user flag in j4x0n’s home directory.

Root

There is an unintended way to read the root flag that is very easy to get, but I won't show that. That is how I initially read the flag, but taking another look at the box led me to what I think is the intended way.

Starting by looking at all files with the SUID bit set shows:

Screenshot_22

The one that stands out here is /opt/bt. Looking at the strings of this file shows a shared library named libfoo.so. Looking closer with ltrace quickly shows that the binary calls a function named foo from that library; foo spams the terminal with nonsense as a way to obfuscate what is happening, but the binary is still vulnerable to a shared library hijack because /usr/lib/libfoo.so is writable.

Screenshot_23

https://blog.pentesteracademy.com/abusing-missing-library-for-privilege-escalation-3-minute-read-296dcf81bec2 is a great resource for this attack. Remember to rename the welcome function to foo.

Screenshot_24

Note: You may have to change the quotation marks to straight quotes at the /bin/bash part. Now we can host the file on a web server and download it on the victim.

Screenshot_25

Now all we have to do is run the bt binary and we have a root shell :D.

Screenshot_26