TryHackMe: Aratus

Walkthrough

Naman Jain
InfoSec Write-ups


Hola folks!! Today we are rooting Aratus from TryHackMe, rated as a Medium machine. So let’s root.


Initials

I usually save the IP address in a variable for easier automation :)

export IP=10.10.114.209

Port Scanning

We’ll start with rustscan to get the open ports:

rustscan -a $IP --ulimit 5000

We found ports 21, 22, 80, 139, 143, 443 and 445 open. Let’s get more details:

nmap -sC -sV -p22,21,80,143,139,443,445 -oN nmap -Pn $IP

The scan results were very long.

nmap1.png
nmap2.png

Enumeration

Directory

For directory enumeration, I like to use feroxbuster:

feroxbuster -u http://$IP/ -w /opt/medium.txt -o feroscan

But it found nothing.

FTP

For FTP, we found that anonymous login was allowed:

ftp $IP 
FTP.png

And we found nothing again. It was just a Rabbit Hole.

SMB

Now it’s time to enumerate SMB; I always try manual enumeration first:

smbclient -L //$IP -N
SMB_enum.png

Checking the "temporary share" share:

smbclient //$IP/"temporary share"

or

smbclient //$IP/temporary\ share

Both commands will work.

SMB_files.png

I found one message file. Let’s get that file:

get message-to-simeon.txt
message-to-Simeon.txt.png

After reading the file, I found that:

  • He has some blog or whatever hosted (I was in doubt)
  • His password is somewhere in his blog.

HTTP

At that time, I forgot that we have HTTP running too XD. Since feroxbuster didn’t find any directory, I kinda ignored it.

Let’s visit the web server. Both HTTP and HTTPS were running, and both seemed to serve the same page.

default_page.png

Out of curiosity, I visited and found this: http://10.10.114.209/simeon

http://10.10.114.209/simeon.png

SSH

Since we know that his password is somewhere in this article, I googled how to make a wordlist from a website and found this command:

cewl http://10.10.114.209/simeon > wordlist

This command returns the words from the page, which can be used as password candidates.

Now that we have the username and a password list, what are we waiting for XD

hydra -l simeon -P wordlist ssh://$IP -v
ssh_password_cracked.png
user Simeon.png

Now my fav part, i.e.

Escalations

User Escalation

The user Simeon does not have permission to read the user.txt

After some time enumerating as this user, I found one hash file of user theodore:

rabbit_hole_hash.png

I cracked the hash and found that it was another Rabbit Hole XD

After further enumeration, I found that there is one service running as root:

service.png

Now let’s intercept the traffic via tcpdump (the most interesting part is that I just learnt about tcpdump on TryHackMe: Protocols and Servers 2):

tcpdump -i lo -A

and we got another hash:

hash2.png

After decoding it, we found another credential for user theodore:

credentials.png

And this worked.

user changed.png

After getting the shell, the first command I run is sudo -l:

sudo -l

Seems like user theodore can run one script as user automation without a password.

Let’s check the script:

script.png

This script runs another script, and since we don’t have write permission on this one, let’s check the other script.

Some YAML files are executed. While checking each YAML file, I found one that was performing some tasks.

Checking the task folder:

task

Here we finally found one file with write permission.
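A defender-side check for the misconfiguration that gives root on this box: a file inside a sudo-permitted script tree that other users can edit. This is an added example, not part of the original write-up; the directory layout (an infra_as_code.sh beside a task/ folder of YAML files) and the file names are assumptions modelled on the walkthrough.

```python
"""Audit a script tree that sudo lets users run for files others can tamper with."""
import os
import shutil
import stat
import tempfile


def find_loosely_writable(root, trusted_uid=0):
    """Walk `root` and return (path, reason) pairs for anything a user other
    than `trusted_uid` could modify: entries owned by another uid, entries
    with group/other write bits, and symlinks (which can point outside the
    tree). Directories count too: a writable directory lets anyone replace
    the files inside it."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink inside trusted tree"))
                continue
            if st.st_uid != trusted_uid:
                findings.append((path, f"owned by uid {st.st_uid}, not {trusted_uid}"))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                mode = stat.S_IMODE(st.st_mode)
                findings.append((path, f"mode {mode:04o} grants group/other write"))
    return findings


def demo_tree():
    """Build a constructed tree (assumed names, modelled on /opt/script in the
    write-up) and audit it. The owner is the current user so the example runs
    unprivileged; on the real box the trusted owner would be root (uid 0)."""
    root = tempfile.mkdtemp(prefix="infra_as_code_")
    task = os.path.join(root, "task")
    os.mkdir(task)
    os.chmod(task, 0o755)  # mkdir's mode is masked by umask, so force it
    files = {  # constructed contents; the last entry is the bug
        "infra_as_code.sh": ("#!/bin/sh\n# runs every YAML task in task/\n", 0o755),
        "task/deploy.yml": ("- hosts: all\n  tasks: []\n", 0o644),
        "task/install.yml": ("- hosts: all\n  tasks: []\n", 0o666),
    }
    for rel, (body, mode) in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
        os.chmod(os.path.join(root, rel), mode)
    try:
        hits = find_loosely_writable(root, trusted_uid=os.getuid())
        return [(os.path.relpath(p, root), why) for p, why in hits]
    finally:
        shutil.rmtree(root)
```

On a real host you would run find_loosely_writable over the directory named in the sudoers rule with trusted_uid=0; any finding means a lower-privileged user can change what runs as the sudo target.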

Let’s create our reverse shell payload:

reverse shell.png

Now change the file to trigger the payload:

Add this command to trigger our reverse shell payload.

ROOT

Run the script:

sudo -u automation /opt/script/infra_as_code.sh
payload triggered
root shell

Now we have the root shell, and with this we have pwned Aratus. Meet you in the next blog (:

Formality

user.txt
root.txt
