This room is quite challenging as it begins by throwing a huge number of open ports at you, more than you have probably ever seen on one host. It also packs in a lot of privilege escalation, since you'll be performing horizontal escalation several times. Stick with this writeup and use it to check whether you're moving in the right direction. If your steps look right, keep pushing; otherwise I'm always here to help. Before we begin, one hint: the poetry in this challenge is not as useful as you might think. Now, without further ado, let's begin.
-n – Disable reverse DNS resolution of the target IP address
-Pn – Skip host discovery and treat the host as up (useful when ICMP is filtered)
-T5 – Use the most aggressive timing template
-A – Aggressive scan: enables OS detection, version detection, default script scanning and traceroute in one go
The output of this step might feel bonkers at first due to the sheer amount of data that you’ve received just now but bear with me as we’re gonna sort it out soon.
Banner Grabbing SSH Port
This error means that the server only offers an ssh-rsa host key, a key type that recent OpenSSH clients no longer accept by default. So let's re-enable it for this connection by specifying the host key algorithm as shown in the image below.
Hmm... that didn't work. Or did it? The only takeaway from this command's output is "Lower". What could this mean? Try the same command against the last port in the list. Did you get a different output? Maybe "Higher"? The idea is that one specific port is the one you must tune into, and Lower and Higher are the directions to find it. Remember that this is a looking glass: "Lower" means move down the list towards a bigger port number, and "Higher" means the exact opposite, towards a smaller one. There are two ways to do this.
Method 1: Bruteforce
You can randomly select a port and move into the direction that it advises till you get to the required port. Ya I know what you must be thinking, I truly hate doing this manually and this could take hours. Don’t worry for I hate bruteforcing as much as you do. Onwards to a better technique.
Method 2: Python Binary Search
Now this sounds nicer, doesn't it? Rather than trying every port, write a script that probes the middle of the port range, reads the Higher/Lower hint, throws away the half that cannot contain the port, and repeats until one port is left. I wrote mine in Python, but you are welcome to use any language you fancy; the objective is to get this done somehow.
import subprocess

IP = "10.10.93.252"  # CHANGE THIS
# Looking-glass logic: "Higher" means the wanted port has a SMALLER number,
# "Lower" means it has a LARGER number, so the bounds move the opposite way
# to what the words suggest.
lo_port = 9000   # CHANGE THIS: smallest port in the range of fake SSH services
hi_port = 14000  # CHANGE THIS: largest port in the range

while lo_port <= hi_port:
    checkport = (lo_port + hi_port) // 2
    print("Checking port:", checkport)
    try:
        # The real port prompts for input instead of printing a hint, so the
        # command blocks there; the timeout turns that hang into the answer
        # (the original version relied on Ctrl + C for this).
        result = subprocess.run(
            ["ssh", IP, "-o", "HostKeyAlgorithms=ssh-rsa",
             "-o", "StrictHostKeyChecking=no", "-p", str(checkport)],
            stdout=subprocess.PIPE, text=True, timeout=15)
    except subprocess.TimeoutExpired:
        print("The port that you're looking for is:", checkport)
        break
    reply = result.stdout.strip()
    if reply == "Higher":
        hi_port = checkport - 1   # go to a lower port number
    elif reply == "Lower":
        lo_port = checkport + 1   # go to a higher port number
    else:
        # Neither direction word: this port answered with something else
        # (the poem and a secret prompt), so it is probably the one.
        print("The port that you're looking for is:", checkport)
        break
else:
    print("No port in the range gave a prompt; widen the range and retry.")
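To be sure the direction handling above is right before pointing it at the box, here is the same search split into a pure search routine and a pluggable probe, with a simulated target that answers exactly like the room's fake SSH services. This is an added example written for this writeup, not code from the room or from the original post; the IP, port range and the assumption that the services reply with exactly the words "Higher" or "Lower" are placeholders taken from the script above.

```python
"""Added example: Higher/Lower binary search with a swappable probe.
The target IP and port range below are hypothetical placeholders."""
import subprocess


def find_port(lo, hi, probe):
    """Binary-search the inclusive range [lo, hi].

    probe(port) returns "Higher", "Lower" or None. Looking-glass logic:
    "Higher" means the wanted port has a SMALLER number, "Lower" a LARGER one.
    None means the port gave no direction (on the real box: it prompted for a
    secret instead), which is the port we want. Returns None if the range is
    exhausted without finding it.
    """
    probes = 0
    while lo <= hi:
        mid = (lo + hi) // 2
        probes += 1
        reply = probe(mid)
        if reply is None:
            return mid
        if reply == "Higher":
            hi = mid - 1          # move towards smaller port numbers
        elif reply == "Lower":
            lo = mid + 1          # move towards larger port numbers
        else:
            raise ValueError("unexpected reply %r on port %d" % (reply, mid))
    return None


def make_fake_service(secret_port):
    """Simulated target (constructed for testing): every port except the
    secret one answers with a direction, using the room's inverted wording."""
    def probe(port):
        if port == secret_port:
            return None                      # the real service: no hint, a prompt
        return "Lower" if port < secret_port else "Higher"
    return probe


def ssh_probe(ip, timeout=15):
    """Real probe: ssh to ip:port and read the one-word hint. A timeout means
    the service is waiting for input, i.e. this is the interesting port."""
    def probe(port):
        try:
            r = subprocess.run(
                ["ssh", ip, "-o", "HostKeyAlgorithms=ssh-rsa",
                 "-o", "StrictHostKeyChecking=no", "-p", str(port)],
                stdout=subprocess.PIPE, text=True, timeout=timeout)
        except subprocess.TimeoutExpired:
            return None
        word = r.stdout.strip()
        return word if word in ("Higher", "Lower") else None
    return probe


if __name__ == "__main__":
    # Dry run against the simulated service, then the real thing.
    print(find_port(9000, 14000, make_fake_service(12345)))
    print(find_port(9000, 14000, ssh_probe("10.10.93.252")))  # hypothetical target
```

Because the probe is injected, you can also reuse `find_port` with a probe that talks to a different fake service, or one that inverts the words back if a future version of the room drops the looking-glass twist.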
Privilege Escalation (Jabberwock To Tweedledum)
1. jabberwock is allowed to run /sbin/reboot as root. Found this with the sudo -l command.
2. tweedledum runs the twasBrilling.sh script on every reboot. Found this with cat /etc/crontab (look for the @reboot entry).
So if I can plant a reverse shell in twasBrilling.sh and reboot the system, tweedledum will execute it for me, and I get a shell as tweedledum.
Method 1: Netcat
Method 2: Metasploit
LPORT: the port you specified in the reverse shell (the handler listens on it).
Run the handler and your listener is ready to receive a connection. Then go back to your looking-glass shell and execute: sudo reboot.
The advantage of this method over netcat is that this shell can be upgraded to meterpreter which will provide you with additional functionality.
Upgrading Shell to Meterpreter
Privilege Escalation (Tweedledum to Tweedledee)
Cracking the Password
Now you'll be sure that the last line of the file is the password, and you just need to identify how it was hashed to recover the plaintext. Paste it into CyberChef and apply the Magic operation to identify the hash type; unless the algorithm is something trivially reversible, you then recover the plaintext by looking the hash up in a hash database or cracking it against a wordlist.
However, this password is not used here; hold on to this discovery of yours for a little while.
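Identifying an unsalted hash by its length and then cracking it against a wordlist is easy to do offline, which avoids pasting a real hash into a web service. The block below is an added example for this writeup, not the author's or the room's code; the hashes and the wordlist are constructed for the demo (the file from the box is deliberately not reproduced).

```python
"""Added example: identify unsalted hex hashes by length and crack them
against a small wordlist. All sample data here is constructed."""
import hashlib

# Digest hex length -> hashlib algorithm name (unsalted, hex-encoded hashes).
HEX_LENGTHS = {32: "md5", 40: "sha1", 56: "sha224", 64: "sha256",
               96: "sha384", 128: "sha512"}


def identify_hash(h):
    """Guess the algorithm from the hex length; None if it is not a hex digest.
    Length alone cannot tell e.g. sha256 from sha3_256, so treat it as a guess."""
    h = h.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return None
    return HEX_LENGTHS.get(len(h))


def crack(h, words, algo=None):
    """Return the word whose digest equals h, or None."""
    algo = algo or identify_hash(h)
    if algo is None:
        return None
    target = h.strip().lower()
    for w in words:
        if hashlib.new(algo, w.encode()).hexdigest() == target:
            return w
    return None


def crack_file(lines, words):
    """Crack every non-empty line; returns (hash, algo, plaintext-or-None)."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        algo = identify_hash(line)
        out.append((line, algo, crack(line, words, algo)))
    return out


# Constructed sample file: several lines of hashes, the last one being the
# interesting password (mirroring the layout described in the writeup).
SAMPLE_WORDS = ["rabbit", "teaparty", "curiouser", "cheshire"]
SAMPLE_FILE = [
    hashlib.md5(b"rabbit").hexdigest(),
    hashlib.sha256(b"nonsuch").hexdigest(),     # not in the wordlist
    "not-a-hash-at-all",
    hashlib.sha256(b"curiouser").hexdigest(),
]


def demo():
    return crack_file(SAMPLE_FILE, SAMPLE_WORDS)


if __name__ == "__main__":
    for h, algo, pw in demo():
        print(h, algo, pw)
```

With a real wordlist such as rockyou.txt, swap `SAMPLE_WORDS` for a generator that reads the file line by line so the whole list is never held in memory.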
Now this shows that tweedledum is allowed to execute /bin/bash as tweedledee without a password. This makes it super simple, as we can switch to that user directly with the following command: sudo -u tweedledee /bin/bash.
Privilege Escalation (Tweedledee to Humptydumpty)
Privilege Escalation (Humptydumpty To Alice)
Now this is a tricky one, and it should be, as alice is the last account you need to go through before you can acquire root.
Hint: If you aren’t able to see something, does it mean that its not there?
Hint: I’ll say no
Hint: Wait, which account am I trying to get into.
Last Hint: You can directly ssh into Alice’s account.
If my failed attempt at giving you hints has left you more confused, allow me to provide the direct solution. Copy the private key of alice, located at /home/alice/.ssh/id_rsa, to your machine and change its permissions to 600 (ssh refuses keys that are readable by others). This lets you ssh into the account as shown in the image below.
Running sudo -l as humptydumpty greets you with an error saying that humptydumpty may not run sudo on looking-glass. This happens when a user has no rule in /etc/sudoers or the /etc/sudoers.d directory, so let's take a look in there.
Privilege Escalation (Alice to Root)
I know you must be tired of all this privilege escalation, but you've got to keep going, as this is the last one. Try to get a list of the allowed commands for this account with sudo -l. Wait, what? It asks for a password and then lists nothing for alice? Something's off. The output of this command is built from /etc/sudoers and /etc/sudoers.d, so let's check the files directly.
Wait, why is alice's file in /etc/sudoers.d readable by others while every other file is not? Let's take a look at it. Okay, now what is all this? Does it mean that alice is allowed to run /bin/bash as root? Can't be that simple, can it? And what does ssalg-gnikool mean? Oh wait, it's reversed: it's looking-glass, just like the user flag was reversed.
What this means is that alice is allowed to run /bin/bash as root, but only on the host named ssalg-gnikool. That is also why sudo -l showed nothing: it only lists rules matching the current hostname, looking-glass, so a rule for ssalg-gnikool stays hidden unless you ask for that host explicitly. So let's do exactly that and get the root account. The command for this is: sudo -h ssalg-gnikool /bin/bash.
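A small sudoers parser makes the host trick obvious: the rule exists, but its Host_List never matches the machine's real hostname, so a plain sudo -l hides it. The following is an added example written for this writeup, not the room's or the author's code. The rule lines it parses are constructed to have the same shape as the ones described above (user, host, runas, NOPASSWD tag, command); they are not a copy of the box's sudoers files.

```python
"""Added example: parse sudoers rules and show which apply to a hostname.
The SAMPLE_SUDOERS text is constructed, not copied from the box."""
import re

# user host = (runas) TAG: command   -- the common single-command rule shape.
RULE_RE = re.compile(
    r"^\s*(?P<user>[^\s=]+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmd>.+?)\s*$"
)

SAMPLE_SUDOERS = """
# constructed sample, same shape as /etc/sudoers and /etc/sudoers.d entries
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
jabberwock ALL=(root) NOPASSWD: /sbin/reboot
alice ssalg-gnikool = (root) NOPASSWD: /bin/bash
"""


def parse_sudoers(text):
    """Return a list of rule dicts; Defaults, comments and blank lines are
    skipped, as are lines that do not fit the single-rule shape."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t for t in m.group("tags").split(":") if t.strip()]
        rules.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "runas": m.group("runas") or "root",   # sudo's default runas user
            "nopasswd": "NOPASSWD" in [t.strip() for t in tags],
            "cmd": m.group("cmd"),
        })
    return rules


def host_matches(rule_host, hostname):
    """ALL matches every host; otherwise the names must be identical."""
    return rule_host == "ALL" or rule_host == hostname


def rules_for(rules, user, hostname):
    """What `sudo -l` would show user on hostname (host-matching rules only)."""
    return [r for r in rules if r["user"] == user and host_matches(r["host"], hostname)]


def hidden_hosts(rules, user, hostname):
    """Hosts named in user's rules that do NOT match hostname: each one is a
    candidate for `sudo -h <host> <command>`."""
    return sorted({r["host"] for r in rules
                   if r["user"] == user and not host_matches(r["host"], hostname)})


if __name__ == "__main__":
    rules = parse_sudoers(SAMPLE_SUDOERS)
    print("visible to alice:", rules_for(rules, "alice", "looking-glass"))
    print("hidden hosts:", hidden_hosts(rules, "alice", "looking-glass"))
    print("reversed hostname:", "looking-glass"[::-1])
```

The same idea applies outside this room: when sudo -l is suspiciously empty but the user's file in /etc/sudoers.d exists, read the Host_List column before concluding there is nothing to escalate with.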
Congratulations you’ve successfully pwned this machine. Give yourself a pat on the back cause you’ve rightly deserved it.