[EN] TryHackMe — Mindgames Write-Up

Anıl Çelik
7 min read, Jun 14, 2020

Hello everyone, it’s Anil Celik, a.k.a. 0xpr0N3rd on TryHackMe. In this write-up, I would like to share my walkthrough of the room named Mindgames on TryHackMe, which was released a couple of days ago.

Okay, so let’s start with our nmap scan:

Alright, so nmap shows that we have two ports open. Since the SSH version has no known vulnerabilities, let’s continue with enumerating HTTP:

When we open port 80, we are welcomed by a page like this. The moment I saw this page, I knew it was related to Brainfuck, because I had seen this kind of thing once before in a THM room and, believe me, it’s not easy to forget. By the way, you can reach the room I mentioned here: THM - Year of the Rabbit, and my write-up for that room is here: THM - Year of the Rabbit - Write-Up. Alright, let’s cut the foreplay and get down to business. At first, you can either convert these scripts with the link I provided above (which is what I did) or directly execute the code in the box at the bottom of the page.

Maybe we can check the source code first:

Well, there’s not much here, but we can see the evil lie that James told us about this box. He clearly enjoyed preparing this one.

Let’s continue by trying to execute this code in the text box, shall we?

Well, the code given below the Hello, world heading really does what it says: it prints the message Hello, world. Let’s try executing the other one, below Fibonacci:

Hmm, it seems this one also does what it says: it prints the first 10 numbers of the Fibonacci sequence. Now that we have executed what we have in hand, let’s find out what these codes really mean in a human-readable form:

Well, the first one is just a print call in Python that prints Hello, World.

But the second one has a function definition and a for loop. This is the Fibonacci algorithm: the loop starts at 1 and passes each value of “i” to the function above until i reaches 10. If you still can’t figure out the algorithm, I suggest you look here.
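Before running an unknown Brainfuck snippet in the page’s box, you can decode it yourself and read the Python it produces. Here is an added example (my own code, not from the room or the write-up) of a minimal Brainfuck interpreter; the SAMPLE program is constructed for this example and is not one of the page’s snippets.

```python
def run_brainfuck(src: str, stdin: bytes = b"", max_steps: int = 1_000_000) -> str:
    """Run a Brainfuck program and return its output as text.

    8-bit wrapping cells, a tape that grows to the right on demand, and a step
    limit so a malformed or looping snippet cannot hang the analyst's tool.
    """
    code = [c for c in src if c in "<>+-.,[]"]   # anything else is a comment
    jump, stack = {}, []                          # matching-bracket table
    for pos, c in enumerate(code):
        if c == "[":
            stack.append(pos)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at instruction {pos}")
            start = stack.pop()
            jump[start], jump[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched '[' at instruction {stack[-1]}")

    tape, ptr, pc, inp, out = [0], 0, 0, 0, bytearray()
    for _ in range(max_steps):
        if pc >= len(code):
            return out.decode("latin-1")
        c = code[pc]
        if c == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif c == "<":
            if ptr == 0:
                raise IndexError("tape pointer moved left of cell 0")
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":                            # EOF reads as 0
            tape[ptr] = stdin[inp] if inp < len(stdin) else 0
            inp += 1
        elif (c == "[") == (tape[ptr] == 0):      # '[' jumps on zero, ']' on non-zero
            pc = jump[pc]
        pc += 1
    raise RuntimeError("step limit exceeded; snippet may loop forever")

# Constructed sample (not one of the page's snippets): decodes to a Python print call.
SAMPLE = ("++++++++++[>+++++++++++<-]>++.++.---------.+++++.++++++."
          "[-]>++++[<++++++++++>-]<.+++++++++++++++.--------------.")
```

Calling run_brainfuck(SAMPLE) returns the decoded source as a string; nothing is executed, so you can read the Python first and decide whether it is worth running.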

Let’s continue. Now we know that these Brainfuck-encoded snippets decode to Python. Maybe we can reverse the process: write something in Python, encode it as Brainfuck and execute it on the page. But first, we forgot to do another thing: directory brute-forcing!

Well, I guess we shouldn’t have gotten this excited. (Btw, I also used other wordlists to be sure I covered all the bases.)

Okay, let’s try what I mentioned previously. Let’s go brutal and try to get a reverse shell directly:

First, I generated my Python reverse shell payload with a tool I recently developed to make my job easier on CTFs. You can find it here (with all due respect to the Bash gurus out there; I learnt Bash programming in one day and challenged myself to develop a simple tool, so here it is).

Anyway, let’s encode this thing here:

Alright, let’s try to execute this one:

Well, it doesn’t like it. I guess we can remove some details from this code and try again:

Let’s try again:

Ah, the moment when you get a shell... (especially a root one ❤). Since we got our shell, we can continue with enumeration:

In the directory we got our shell from, there is a file named server that looks interesting. It might be useful in the end (no, it’s not, just a little rabbit hole in capabilities that James kindly prepared for us).

Okay, let’s go to the home directory of our current user so that maybe we can get the user flag:

Yay! We got the user flag! Now, I checked the sudo privileges of this mindgames user but forgot to take a screenshot; there was nothing we could do with them, so no worries. From here on, we could do some manual enumeration for the root part, but since time is money I will go with linPEAS:

With this, we pipe our linPEAS output to output.txt. You can ignore the grep: write error: Broken pipe message; it’s just what happens when linPEAS can’t go any further than the Looking for specific hashes … section. Ok, let’s have a look at our result:

Man, there are really a lot of SUID binaries. But we don’t have to do anything with them; the thing we are looking for is in Capabilities, which you can see in my previous write-up: THM - Wonderland Write-Up. This Wonderland room is also made by James, by the way.

When we check the Capabilities section, we see some interesting binaries. From here, you can either go for a small rabbit hole, just like I did at first, with “/home/mindgames/webserver/server = cap_net_bind_service+ep” (remember?), or go with “/usr/bin/openssl = cap_setuid+ep”, which leads us to a root shell.
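The Capabilities check above is easy to automate on the defending side. Here is an added example (my own code, not from the write-up or from linPEAS) that parses getcap output in both libcap syntaxes and flags capabilities such as cap_setuid that let a binary change identity, while leaving cap_net_bind_service, the rabbit hole, alone; the sample output is constructed and mirrors the two entries discussed above.

```python
import re
# Capabilities that let a binary change identity, bypass file permissions or
# reach into the kernel; the write-up's cap_setuid on openssl is the classic case.
RISKY_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
              "cap_chown", "cap_fowner", "cap_sys_admin", "cap_sys_ptrace",
              "cap_sys_module", "cap_sys_rawio"}
# One clause: "cap_a,cap_b+ep" (libcap < 2.41) or "cap_a,cap_b=ep" (libcap >= 2.41).
_CLAUSE = re.compile(r"^(?P<caps>[a-z_0-9,]+)[+=](?P<flags>[eip]*)$")

def parse_getcap_line(line: str):
    """Return (path, {cap: flags}) for a getcap line, or None if it is not one."""
    tokens = line.strip().split()
    caps = {}
    while tokens and _CLAUSE.match(tokens[-1]):   # clauses sit at the end
        m = _CLAUSE.match(tokens.pop())
        for cap in m["caps"].split(","):
            caps[cap] = m["flags"]
    if tokens and tokens[-1] == "=":              # old-style "path = ..." separator
        tokens.pop()
    if not caps or not tokens:
        return None
    return " ".join(tokens), caps                 # join keeps paths containing spaces

def risky_entries(getcap_output: str):
    """Files carrying a RISKY_CAPS capability in the effective (e) or permitted (p) set.

    +e is live the moment the binary runs; +p alone means the program must raise it.
    """
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        hits = {c: f for c, f in caps.items()
                if c in RISKY_CAPS and ("e" in f or "p" in f)}
        if hits:
            findings.append((path, hits))
    return findings

# Constructed getcap output: the two entries the write-up discusses plus some
# ordinary ones, in both libcap syntaxes.
SAMPLE_GETCAP = """\
/home/mindgames/webserver/server = cap_net_bind_service+ep
/usr/bin/openssl = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/python3 cap_setuid=p
"""
```

Feed it the real output of getcap -r / 2>/dev/null and risky_entries() returns only the files worth a ticket, which is the same filtering you would otherwise do by eye in the linPEAS Capabilities section.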

Now, as a classic move, you can go directly to GTFOBins and look for something related to openssl. Even though that is somewhat correct, it would not lead us to a 100% correct solution.

The point where I really thought the room deserves its name comes in this part. The code for exploiting this binary was found in a PULL REQUEST made on GTFOBins’ openssl section:

Now this code can help us, but how? What is an OpenSSL Engine? Simply put, an OpenSSL engine is a loadable module that plugs into OpenSSL’s built-in functions; since openssl loads and runs the engine’s code, this will help us trigger our shell spawn. Engines are widely used to provide cryptographic functions to OpenSSL.

Now, all we have to do is add a small piece of code to the code above:

We’ve added the setuid(0); line to set our current user ID to root’s user ID, which is 0. The reason we do this is as follows: the capability on openssl that we have in our hands right now lets us change our user ID, so when this engine code spawns a new shell it runs with the changed user ID, which is root in this case. You can see the information below:

Now, let’s compile our code. Note that since we are compiling engine code, we need some additional parameters on top of the traditional C compilation in Linux (gcc):

Here, the -fPIC parameter generates position-independent code in our object file “a.o”, which is then linked into a shared library against OpenSSL’s crypto library with -lcrypto. Now that “engine.so” is generated, let’s upload it to the box and get our shell:

req -engine tells openssl to load our engine shared object while running the req subcommand.

We got our root shell and grabbed the root flag.

That was all I wanted to share with you guys about this box. Thanks to James for creating this box, and thanks to you for reading this write-up.

See you on the next one!
