Hi! Yesterday I finally jumped back to work on boxes on tryhackme.com and decided to start with an easy box. It was quite an interesting box focused around Certificates and Encryption. That’s enough rambling, let’s get right into it!!


Enumeration

Starting with my go-to nmap scan:

nmap -v -sC -sV -p- -oN scan.txt 10.10.235.14

The ports that were found were:

80/tcp
22/tcp
4040/tcp
9009/tcp
54321/tcp

Website

Navigating to the website on port 80 we see:

Webpage Image

I just go ahead and accept the risk. After accepting the risk, the page gets redirected to port 4040, which shows:

Webpage Image

Taking a look at the source, there does not seem to be much else on the page apart from what is seen above. But there is some information that could come in handy as we go through the box. "Over 9000" stands out, and "secure connections with certificates" also stands out to me. So I go ahead and take a look at the port above 9000, which is 9009/tcp.

My first instinct was to connect using netcat which worked perfectly!

Webpage Image

After connecting to this port one can now get the client certificate and private key that could possibly help us get access to the system in some way. My first instinct was to search up how this combination of details can be used via the openssl tool, as it was one of the things that fit the description we saw on the website: secure connections with certificates.

So I searched Google and came across this s_client feature/tool/command (don’t really know how else to call it) that I believe ships with the openssl tool and allows for connection to a remote host using SSL/TLS, and is often used for diagnostics. At this point, I tried to connect to port 54321, which had ssl/unknown listed as the service it was running.

After taking time to look through the various flags for the s_client command, I finally used the command:

openssl s_client -connect 10.10.226.167:54321 -cert certificate -key private

Which allowed me to connect and also get information about the user ‘Barney Rubble’.

Webpage Image

Well we got a user and the first flag!! Note: don’t be like me and try to crack the hint 🥲
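Before handing a certificate and key you pulled off a box to openssl s_client, it is worth checking that the two actually belong together and reading who the certificate identifies; a mismatched pair fails the handshake with a fairly unhelpful error. The script below is an added example, not part of the original write-up: it generates its own throwaway self-signed certificate and keys locally (the file names certificate and private mirror the write-up, the subject name and host:port are placeholders) and shows the checks I would run first.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): sanity checks on a client
# certificate and private key before using them with openssl s_client.
# All key material here is generated locally; nothing comes from the box.

# Print who the certificate identifies, who issued it and its validity window.
describe_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Succeed only if the private key matches the certificate's public key.
# Comparing the exported public keys (not RSA moduli) works for any key type.
cert_matches_key() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Build throwaway test material: one matching cert/key pair plus a second,
# unrelated key. Prints the directory that holds the files.
make_test_material() {
  local dir
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Constructed Test User' \
    -keyout "$dir/private" -out "$dir/certificate" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/other_key" >/dev/null 2>&1
  printf '%s\n' "$dir"
}

# Connect the way the write-up does, but only after the pair check passes.
# $3 is host:port, e.g. the placeholder 10.0.0.1:54321.
connect_with_client_cert() {
  cert_matches_key "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  openssl s_client -connect "$3" -cert "$1" -key "$2"
}

# Demo run against the locally generated material.
demo() {
  local dir
  dir=$(make_test_material)
  describe_cert "$dir/certificate"
  cert_matches_key "$dir/certificate" "$dir/private" && echo "certificate/private: pair OK"
  cert_matches_key "$dir/certificate" "$dir/other_key" || echo "certificate/other_key: mismatch, as expected"
}

command -v openssl >/dev/null 2>&1 && demo
```

The subject line from describe_cert is where a name like the one seen on the box would show up, and cert_matches_key is the check that tells a mismatch apart from a server that simply refuses the certificate.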

Vertical Movement & Privesc

On the box there is another user, Fred, keeping with the Flintstones theme. The next step is to gain access to that user's account.

Like I love to do, the first check I ran was sudo -l to see if I have sudo rights to run any of the utilities on the box. Well, keeping with the certificate theme, the barney user has the ability to run the certutil command with sudo rights.

Webpage Image

Looking at what we can do with that access, one thing that stands out a lot is the fact that we are able to create new key pairs for other users, meaning we can create one for the Fred user. Below I have created a new key pair for the user and should theoretically be able to use those details to connect via the openssl s_client command and collect more info about the user.

Webpage Image

Annnnnnnd……………. We are in!! Like the previous time the hint is the password😁😁

Webpage Image

Webpage Image

We can now get the flag for fred:

Webpage Image

Alrighttt!! time for Privesc 🙂

Privilege Escalation (I think😮‍💨)

Like before, I run sudo -l to see if the user has any root perms. The results:

Webpage Image

Seems like we can only collect the password in a hashed form. The command I use here is:

sudo /usr/bin/base64 /root/pass.txt | base64 -d

That did not decode to anything really useful, as I still could not change to the root user, so I checked the hint on this one. It said:

[root pass] Multi encode/decode (+ crackstation ;)

What I then did was use the magic feature on CyberChef, which gave me another hash (MD5), which I then tried on CrackStation.
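What the CyberChef magic step is doing here is peeling off encoding layers until something recognisable is left; base64 is an encoding, not encryption, so stacking it adds no protection, which is the lesson of this password file. The script below is an added example, not part of the original write-up or of CyberChef: it builds its own sample (the placeholder string not-the-real-password hashed with md5sum, then base64-encoded twice; nothing from the box) and repeatedly base64-decodes a value until it finds something shaped like an MD5 digest. It handles base64 layers only, not the other encodings magic can detect.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): strip repeated base64
# layers from a value until an MD5-shaped hex digest appears.

# Constructed sample: md5 of a placeholder string, base64-encoded twice.
# tr removes the line breaks so each layer is one clean token.
make_sample() {
  printf '%s' 'not-the-real-password' | md5sum | cut -d' ' -f1 \
    | base64 | tr -d '\n' | base64 | tr -d '\n'
}

# 32 hex characters is the shape of an MD5 digest (what CrackStation wants).
looks_like_md5() { printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'; }

# Only the base64 alphabet is worth handing to the decoder.
looks_like_base64() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/=]+$'; }

# Decode base64 layers (at most 10) and print the digest once it shows up.
# Returns 1 if the value never turns into an MD5-shaped string.
peel_layers() {
  local value="$1" layers=0 decoded
  while [ "$layers" -lt 10 ]; do
    if looks_like_md5 "$value"; then
      echo "stripped $layers base64 layer(s)" >&2
      printf '%s\n' "$value"
      return 0
    fi
    looks_like_base64 "$value" || return 1
    decoded=$(printf '%s' "$value" | base64 -d 2>/dev/null) || return 1
    [ -n "$decoded" ] || return 1
    value=$decoded
    layers=$((layers + 1))
  done
  return 1
}

# Demo: the sample peels down to the digest; plain base64 of "hello" does not.
peel_layers "$(make_sample)"
peel_layers 'aGVsbG8=' || echo "no MD5 digest found in 'aGVsbG8='"
```

On the box the input would be the output of sudo /usr/bin/base64 /root/pass.txt rather than make_sample; the digest printed is what goes to a lookup service.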

Webpage Image

Webpage Image

Well, now we have gotten the password to the root account on the box and can now change to that user and get the final flag!

Webpage Image

Well that’s the box completed! Thanks for reading! Hopefully this was helpful to you😃

Till Another Time!!

Fred Flinstone