Looking Glass - TryHackMe

This room is quite challenging. It starts by throwing a huge number of open ports at you, more than you have probably ever seen on a single box, and it contains a whole chain of privilege escalations, several of them horizontal (user to user) before you ever get near root. Use this writeup to check that you're moving in the right direction; if your steps look right, keep pushing on your own before reading further. One hint before we begin: the poetry in this challenge is not as useful as you might think it is. Now, without further ado, let's begin.

 

Reconnaissance

Make a note of the target's IP address and of your own IP address. It's good practice to keep both in a text file that you later use to dump all the additional information you collect (usernames, credentials, paths) for reference. Since this room is a continuation of the Wonderland room, expect to be treated to plenty of usernames.

Scanning

As usual we start with an nmap scan of the IP address to reveal the open ports and services. Don't worry about being loud here; go ahead with an aggressive scan. Keep in mind that a default scan only covers nmap's top 1000 ports, so if the list looks thinner than the one below, rescan with -p- to cover all 65535.
Output of Nmap Scan

Command usage:

-n – Skip DNS resolution of the target address

-Pn – Skip host discovery and treat the host as alive (needed when ping probes are filtered)

-T5 – Use the fastest ("insane") timing template; fine on a lab box, but it can drop results on a slow link

-A – Aggressive scan: OS detection, version detection, default script scan and traceroute combined

 

The output of this step can feel overwhelming at first because of the sheer number of open ports (a long run of ports between 9000 and 14000, every one of them reporting SSH), but bear with me, we're going to sort it out soon.

Enumeration

Banner Grabbing SSH Port

The next step is banner grabbing the SSH ports. Which SSH port, you might say? Try any one of them. A plain ssh command will throw an error in your face saying that no matching host key type was found (the server only offers ssh-rsa).
 
Random info: it took me 30 minutes to figure out that banner grabbing is the way forward, so don't worry if you're stuck on this for a long time.
An example of the ssh error

This error means the server only offers an ssh-rsa host key, which recent OpenSSH clients (8.8 and later) refuse by default because that scheme signs with SHA-1. Re-enable it for this connection by specifying the host key algorithm as shown in the image below: ssh -o HostKeyAlgorithms=+ssh-rsa -p <port> <target IP>.

Successful banner grabbing of ssh

Hmm... that didn't work. Or did it? The only thing you get back from this command is the word "Lower". What could that possibly mean? Try the same command against the last port in the range. Do you get a different output, maybe "Higher"? The idea is that one specific port is the one you must tune into, and "Lower" and "Higher" are directions pointing you at it. Be warned that the directions are the opposite of what the words suggest: "Lower" means the port you want has a bigger port number (move down the list), and "Higher" means it has a smaller port number. There are two ways to go about finding it.

Method 1: Bruteforce

You can pick a port at random and keep moving in the direction it advises until you land on the right one. I know what you're thinking: doing this manually is painful and can take hours, and I hate brute-forcing as much as you do. Onwards to a better technique.

Method 2: Python Bruteforcer

Now this sounds nicer, doesn't it? Write a script that narrows the ports down for you and prints the final one. Because every port tells you which direction to move, a binary search over the range needs only about a dozen connections rather than thousands. I did this in Python, but use any language you fancy; the objective is to get it done.

#####################################################

import subprocess

# In this room "Lower" means the port you want has a BIGGER number and
# "Higher" means a SMALLER one, the reverse of what the words suggest.
IP = "10.10.93.252"  # CHANGE THIS: target IP
low_port = 9000      # CHANGE THIS: smallest port of the open range
high_port = 14000    # CHANGE THIS: largest port of the open range
TIMEOUT = 10         # seconds before a connection counts as "stuck"

# The real port prints a cipher and waits for the secret instead of
# answering Lower/Higher, so a hang (timeout) or any other output is a hit.

found = None
while low_port <= high_port and found is None:
    checkport = (low_port + high_port) // 2
    print("Checking port:", checkport)
    try:
        result = subprocess.run(
            ["ssh", "-o", "HostKeyAlgorithms=+ssh-rsa",
             "-o", "StrictHostKeyChecking=no", "-p", str(checkport), IP],
            stdin=subprocess.DEVNULL, capture_output=True, text=True,
            timeout=TIMEOUT)
        answer = result.stdout + result.stderr   # the word may land on either stream
    except subprocess.TimeoutExpired:
        answer = ""
    if "Higher" in answer:
        high_port = checkport - 1   # target has a smaller port number
    elif "Lower" in answer:
        low_port = checkport + 1    # target has a bigger port number
    else:
        found = checkport

if found is None:
    print("No port broke the Lower/Higher pattern; check the range.")
else:
    print("The port that you're looking for is:", found)

#####################################################

Cipher Breaking

Finding the right port will present you with a cipher and an "enter secret" prompt below it. To break the cipher, head to an online cipher cracker, paste the cipher in and press crack. Enter the recovered secret at the prompt and you are given a colon-separated string. If you haven't recognised it yet, note to self: a colon-separated string is very often a username:password pair. Use it to log in to the machine over SSH as shown below.
Getting into the jabberwock account of looking glass
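The page only points at an online cracker, so here is what such a cracker does under the hood, as an added example that is not part of the original writeup. It assumes the cipher on the hidden port is a Vigenère cipher (an assumption on my part; the page does not name the cipher), and the sample text, key and key length are constructed here for the demonstration (the plaintext is the public-domain opening of Alice in Wonderland). Key recovery is the standard trick: split the ciphertext into columns by key position, and for each column pick the Caesar shift whose output looks most like English by chi-squared against letter frequencies.

```python
#!/usr/bin/env python3
"""Vigenere encryption, decryption and key recovery by chi-squared analysis.
Added example: assumes a Vigenere cipher; all inputs below are constructed."""
import string

ALPHA = string.ascii_uppercase

# Approximate English letter frequencies in percent, A..Z.
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15,
                0.77, 4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06,
                2.76, 0.98, 2.36, 0.15, 1.97, 0.07]


def _clean(text):
    """Keep only letters, upper-cased (Vigenere only acts on letters)."""
    return "".join(c for c in text.upper() if c in ALPHA)


def vigenere(text, key, decrypt=False):
    """Shift each letter of text by the matching key letter; other characters pass through."""
    key = _clean(key)
    out, i = [], 0
    for c in text.upper():
        if c not in ALPHA:
            out.append(c)
            continue
        k = ALPHA.index(key[i % len(key)])
        shift = -k if decrypt else k
        out.append(ALPHA[(ALPHA.index(c) + shift) % 26])
        i += 1
    return "".join(out)


def chi_squared(letters):
    """Distance of a letter sample from English frequencies; lower is more English-like."""
    n = len(letters)
    if n == 0:
        return float("inf")
    score = 0.0
    for idx, letter in enumerate(ALPHA):
        expected = ENGLISH_FREQ[idx] * n / 100
        observed = letters.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def crack_key(ciphertext, key_len):
    """Recover a key of the given length: each key letter is the Caesar shift
    whose decryption of that column scores best against English."""
    letters = _clean(ciphertext)
    key = ""
    for col in range(key_len):
        column = letters[col::key_len]
        best_shift = min(range(26), key=lambda s: chi_squared(
            "".join(ALPHA[(ALPHA.index(c) - s) % 26] for c in column)))
        key += ALPHA[best_shift]
    return key


def crack(ciphertext, max_key_len=10):
    """Try every key length up to max_key_len; return (key, plaintext) with the
    most English-looking plaintext. Ties go to the shorter key, which is why a
    key repeated twice does not win over the key itself."""
    best = None
    for key_len in range(1, max_key_len + 1):
        key = crack_key(ciphertext, key_len)
        pt = vigenere(ciphertext, key, decrypt=True)
        score = chi_squared(_clean(pt))
        if best is None or score < best[0]:
            best = (score, key, pt)
    return best[1], best[2]


# Constructed sample: a known key and a long enough English plaintext.
SAMPLE_KEY = "ALICE"
SAMPLE_PLAINTEXT = (
    "Alice was beginning to get very tired of sitting by her sister on the "
    "bank and of having nothing to do. Once or twice she had peeped into the "
    "book her sister was reading but it had no pictures or conversations in "
    "it and what is the use of a book thought Alice without pictures or "
    "conversations. So she was considering in her own mind as well as she "
    "could for the hot day made her feel very sleepy and stupid whether the "
    "pleasure of making a daisy chain would be worth the trouble of getting "
    "up and picking the daisies when suddenly a white rabbit with pink eyes "
    "ran close by her.")


def demo():
    """Encrypt the sample with the sample key, then recover both without it."""
    ciphertext = vigenere(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    return crack(ciphertext)


if __name__ == "__main__":
    key, plaintext = demo()
    print("recovered key:", key)
    print(plaintext[:60], "...")
```

The chi-squared approach needs a few dozen letters per column, so it works on a paragraph of ciphertext but not on a one-line secret; for short ciphertexts the online crackers fall back on dictionary keys, which is a different attack.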

User Flag

This is where you'll find the user flag (in user.txt), albeit reversed. Pipe it through rev on the box, or use any online text reverser, and you have the flag.

 

Privilege Escalation (Jabberwock To Tweedledum)

Roaming around the system, I came across two very interesting pieces of information.
1. jabberwock is allowed to run /sbin/reboot as root. Found with the sudo -l command.
2. tweedledum runs twasBrilling.sh on every reboot (an @reboot entry). Found with cat /etc/crontab.

 

So if I can plant a reverse shell in twasBrilling.sh and reboot the system, tweedledum will run it for me. Check with ls -l that the script really is writable by jabberwock first: a cron job that runs as one user but executes a script another user can edit is the whole misconfiguration here.
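The same check done systematically, as an added example that is not part of the original writeup: parse a system crontab, pull the script paths out of each job (including ones hidden inside bash -c "..."), and report jobs that run as somebody else but execute a file we can modify. The crontab text, the script names and the temporary files are constructed here; on the real box you would feed it /etc/crontab and the files under /etc/cron.d.

```python
#!/usr/bin/env python3
"""Find cron jobs that run as another user but execute a script we can edit
(the jabberwock -> tweedledum path). Added example with constructed data."""
import os
import shlex
import stat
import tempfile

# Constructed /etc/crontab. System crontabs carry a user field between the
# schedule and the command; @reboot is a macro for "once, at boot".
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
@reboot         tweedledum bash -c "{weak}"
@reboot         tweedledee {safe}
"""

MACROS = {"@reboot", "@hourly", "@daily", "@midnight", "@weekly",
          "@monthly", "@yearly", "@annually"}


def parse_system_crontab(text):
    """Yield (schedule, user, command) for every job line of a system crontab."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                        # blank, comment or NAME=value line
        if line.startswith("@"):
            fields = line.split(None, 2)    # macro user command
            if len(fields) == 3 and fields[0] in MACROS:
                yield fields[0], fields[1], fields[2]
        else:
            fields = line.split(None, 6)    # m h dom mon dow user command
            if len(fields) == 7:
                yield " ".join(fields[:5]), fields[5], fields[6]


def script_paths(command):
    """Absolute paths referenced by a command, looking inside bash -c "..." too."""
    paths = []
    for tok in shlex.split(command):
        try:
            parts = shlex.split(tok) if " " in tok else [tok]
        except ValueError:                  # unbalanced quote inside the token
            parts = [tok]
        paths.extend(p for p in parts if p.startswith("/"))
    return paths


def writable_by(path, uid):
    """True if uid owns the file or anyone may write it; False if it is missing."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return st.st_uid == uid or bool(st.st_mode & stat.S_IWOTH)


def find_hijackable_jobs(crontab_text, me, uid=None):
    """Jobs that run as someone other than `me` and touch a script `uid` can edit."""
    uid = os.getuid() if uid is None else uid
    hits = []
    for schedule, user, command in parse_system_crontab(crontab_text):
        if user == me:
            continue
        for path in script_paths(command):
            if writable_by(path, uid):
                hits.append((schedule, user, path))
    return hits


def demo():
    """Constructed scenario: one @reboot script left world-writable (the bug the
    room has) and one locked down. uid=-1 owns neither file, so only the mode
    bits decide, as they would for a foreign user on the real box."""
    with tempfile.TemporaryDirectory() as d:
        weak = os.path.join(d, "twasBrilling.sh")
        safe = os.path.join(d, "locked.sh")      # constructed name
        for path, mode in ((weak, 0o777), (safe, 0o755)):
            with open(path, "w") as f:
                f.write("#!/bin/bash\necho hello\n")
            os.chmod(path, mode)
        crontab = SAMPLE_CRONTAB.format(weak=weak, safe=safe)
        return find_hijackable_jobs(crontab, me="jabberwock", uid=-1)


if __name__ == "__main__":
    for schedule, user, path in demo():
        print(f"{schedule} as {user}: {path} is writable by us")
```

On a real target the interesting cases are the ones this flags: a job whose script (or any absolute path it references) you own or that is world-writable. The @reboot entry is what makes the sudo reboot permission useful; without it you would have to wait for the schedule.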

 

Reverse Shell

I took the bash reverse shell one-liner from pentestmonkey, set my IP address and a port in it, and placed it inside twasBrilling.sh. The next step is to start a listener to catch the shell, which can be done in two ways.

 

Method 1: Netcat 

Start a simple netcat listener on the port you chose (nc -lvnp <port>), then reboot the Looking Glass machine with sudo reboot; the connection comes back to you once tweedledum's cron job fires.
Netcat Listener

Method 2: Metasploit

Another method is to use Metasploit's generic handler. The configuration is:
Exploit: exploit/multi/handler
Payload: linux/x64/shell_reverse_tcp (use the stageless variant; the staged shell/reverse_tcp payload expects a Metasploit stager on the other end, which a bash one-liner is not)
LHOST: Your IP address
LPORT: The port that you specified in the reverse shell

Run this configuration and your listener is ready to receive a connection. Then go back to the Looking Glass machine and execute sudo reboot.

The advantage of this method over netcat is that the shell can be upgraded to Meterpreter, which gives you additional functionality.

 

Upgrading Shell to Meterpreter
Put the current session in the background (Ctrl+Z, or the background command), find its ID with the sessions command, then run sessions -u <session_ID> to upgrade it. A new Meterpreter session appears; identify its ID and attach to it with sessions -i <session_ID>. The process is shown in the image below.
Upgrading shell to meterpreter

Privilege Escalation (Tweedledum to Tweedledee)

Cracking the Password

Here you'll find a file called humptydumpty.txt that contains several hashed strings. Copy them all and paste them into CrackStation. The output is shown below.
Output of Crackstation

Reading the cracked lines in order makes it clear that the last one is the password; you just need to work out what was done to it to recover the plaintext. Paste it into CyberChef and apply the Magic operation, which tries to identify the transformation and shows you the password.

Obtaining Password with CyberChef

However, this password isn't used on the current account; hold on to this discovery of yours, you'll need it shortly.
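CrackStation and CyberChef do the identification and the lookup for you; as an added example that is not part of the original writeup, here is the same thing done offline: guess the hash type from its shape (hex length, or a modular-crypt prefix such as $6$) and run a dictionary attack with hashlib. The hashes and the wordlist are constructed here from known words so the example checks itself; they are not the contents of the real humptydumpty.txt.

```python
#!/usr/bin/env python3
"""Identify hashes by shape and dictionary-attack the unsalted ones.
Added example; sample hashes and wordlist are constructed, not from the box."""
import hashlib
import re

# Length of the hex digest -> the unsalted algorithm it usually is.
BY_LENGTH = {32: "md5", 40: "sha1", 56: "sha224", 64: "sha256",
             96: "sha384", 128: "sha512"}
# Modular-crypt prefixes: salted and iterated, so hashlib alone cannot crack them.
BY_PREFIX = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
             "$2y$": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}


def identify(h):
    """Best guess at the hash type of one line, or None if it doesn't look like a hash."""
    h = h.strip()
    for prefix, name in BY_PREFIX.items():
        if h.startswith(prefix):
            return name
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return BY_LENGTH.get(len(h))
    return None


def crack(h, wordlist):
    """(algorithm, plaintext) for the first word that hashes to h, else None."""
    h = h.strip().lower()
    algo = identify(h)
    if algo is None or algo not in hashlib.algorithms_available:
        return None          # unknown, or a salted format for hashcat/john instead
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == h:
            return algo, word
    return None


def crack_file(lines, wordlist):
    """Run crack() over every non-empty line, keeping the file order."""
    return [(line.strip(), crack(line, wordlist)) for line in lines if line.strip()]


# Constructed stand-in for humptydumpty.txt: digests of known words plus one
# salted entry and one whose word is missing from the list.
SAMPLE_HASHES = [
    hashlib.md5(b"curiouser").hexdigest(),
    hashlib.sha1(b"jabberwock").hexdigest(),
    hashlib.sha256(b"vorpal").hexdigest(),
    "$6$saltsalt$notarealhash",                      # sha512crypt: out of scope here
    hashlib.sha256(b"not-in-the-wordlist").hexdigest(),
]
SAMPLE_WORDLIST = ["alice", "curiouser", "jabberwock", "vorpal", "password"]

if __name__ == "__main__":
    for line, result in crack_file(SAMPLE_HASHES, SAMPLE_WORDLIST):
        print(line, "->", result if result else "not cracked")
```

Length alone is ambiguous (a 32-character hex string could be MD5, NTLM or MD4), so treat identify() as a first guess and try the alternatives if the wordlist comes up empty; for the salted formats it reports, hand the line to hashcat or john rather than extending this script.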

 

Allowed Commands

Take a look at the commands you're allowed to execute with sudo -l. You'll be treated to the image below.
Allowed Commands for Tweedledum

This shows that tweedledum may run /bin/bash as tweedledee without a password. That makes it super simple: switch directly to that user with sudo -u tweedledee /bin/bash.

 

Privilege Escalation (Tweedledee to Humptydumpty)

This is the moment you've been waiting for. No, I'm not talking about the root flag, but rather the password you obtained earlier. Switch to the humptydumpty account with su humptydumpty and provide that password.

Privilege Escalation (Humptydumpty To Alice)

Now this one is tricky, and it should be: alice is the last account you need to traverse before you can acquire root.

Hint: If you can't see something, does that mean it isn't there?
Hint: I'd say no.
Hint: Wait, which account am I trying to get into?
Last hint: You can ssh directly into alice's account.

Running sudo -l as humptydumpty only gives you an error saying that humptydumpty may not run sudo on looking-glass. That happens when a user has no entry in the sudoers file or the /etc/sudoers.d directory, so sudo is a dead end for this account. If my attempt at hints has left you more confused, here's the direct solution. A directory that denies you read permission but still grants execute lets you open files whose names you already know, even though ls shows nothing. Copy alice's private key from /home/alice/.ssh/id_rsa, change its permissions to 600 (ssh refuses a key readable by others) and use it to ssh in as alice, as shown in the image below.

Changing permission of id_rsa & getting in

Privilege Escalation (Alice to Root)

I know you must be tired of all this privilege escalation, but keep going, this is the last one. Try to list the allowed commands for this account with sudo -l. Wait, it doesn't even ask for a password? Something's off. The output of that command comes from the sudoers configuration, so let's look at it directly in /etc/sudoers.d.

Sudoers file of Alice

Why is alice's file readable by others when every other file in there is not? Let's read it. So alice is allowed to run /bin/bash as root? Can't be that simple, can it? And what does ssalg-gnikool mean? Oh wait, it's reversed. It's looking-glass, the same trick as the reversed user flag.

 

What this means is that alice may run /bin/bash as root, but only for the host named in the rule, ssalg-gnikool. A sudoers rule has the form user host = (runas) command, and sudo normally matches the host field against the machine's own hostname (looking-glass), which is why the rule does nothing by default. The -h option (--host) tells sudo to evaluate the rule for the hostname you give it instead, so the command that gets you root is: sudo -h ssalg-gnikool /bin/bash.

All's Well That Ends Well

Congratulations you’ve successfully pwned this machine. Give yourself a pat on the back cause you’ve rightly deserved it.