Aratus — TryHackMe WriteUp
Aratus is a TryHackMe room rated medium difficulty. This is a walkthrough of the challenge.
Introduction
“Perform a penetration test against a vulnerable machine. Your end-goal is to become the root user and retrieve the two flags:
- /home/{{user}}/user.txt
- /root/root.txt
The flags are always in the same format, where XYZ is a MD5 hash: THM{XYZ}”
Initial Scans
I started with a basic nmap scan and got the following results.
Enumeration
I started with an anonymous login on FTP, but FTP didn’t give me anything.
After FTP I looked into the SMB shares and found one named “temporary share”.
Anonymous login was enabled on the share, so I logged in and listed its contents.
I transferred the “message-to-simeon.txt” file and read its contents.
It hints that the password is somewhere in the SMB share, so I downloaded all the files and directories to my PC.
I searched with grep for terms like password, login, simeon etc. but didn’t find anything. After a while I thought maybe I could brute-force SSH using the words in those text files as the wordlist.
I then used hydra to brute-force SSH with that wordlist and got the password.
I logged in over SSH as Simeon; now we have to become Theodore to get the flag. I ran linpeas for automated enumeration and got these privilege escalation vectors:
So I started sniffing the network with tcpdump and caught an interesting HTTP request.
We can see the Authorization header carries a base64 string, so I decoded it and got Theodore’s password. I logged in as Theodore and checked for privilege escalation.
We can see that “theodore” can run a script as “automation” without any password. Meanwhile, don’t forget to get the flag from theodore’s home directory.
We can see the script:
It runs ansible-playbook on all the YAML files. Now we need to find a file that is writable. After looking through all the ansible directories I found a writable file named “configure-RedHat.yml”, located in “/opt/ansible/roles/geerlingguy.apache/tasks”. I made the following changes to the YAML.
Here I made the bash binary SUID, which lets me run bash as root. I prefer this trick to reverse shells and other privesc methods. I learned it from the one and only John Hammond in one of his videos.
Now we can see the /bin/bash permissions:
We can see that /bin/bash is now SUID. Now we can run it to become root:
Now get the root flag from the root’s home directory.
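The root cause of this escalation is a sudo rule that runs every YAML file in a directory through ansible-playbook as root while one of those task files is writable by a low-privilege user. As an added example that is not part of the room or this write-up, the Python below audits an Ansible tree for YAML files and directories that a non-owner could modify; the directory layout and file names in `build_demo_tree()` are constructed sample data modelled on the room, and `trusted_uid` is an assumed parameter for the account expected to own the tree.

```python
"""Audit an Ansible tree for task files a non-owner could edit (added example)."""
import os
import stat
import tempfile
from pathlib import Path

YAML_SUFFIXES = {".yml", ".yaml"}


def writable_playbook_paths(root, trusted_uid=None):
    """Return YAML files and directories under root that a user other than the
    trusted owner could modify: group/other write bits, or an unexpected owner.
    When a sudo rule feeds every YAML file here to ansible-playbook as root,
    each such path is a root-equivalent weakness."""
    findings = []
    for path in [Path(root), *Path(root).rglob("*")]:
        st = path.lstat()                      # do not follow symlinks
        is_dir = stat.S_ISDIR(st.st_mode)
        if not is_dir and path.suffix not in YAML_SUFFIXES:
            continue
        reasons = []
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if trusted_uid is not None and st.st_uid != trusted_uid:
            reasons.append(f"owned by uid {st.st_uid}, expected {trusted_uid}")
        if reasons:
            findings.append({"path": str(path), "dir": is_dir,
                             "mode": oct(st.st_mode & 0o777), "reasons": reasons})
    return findings


def build_demo_tree():
    """Constructed sample tree echoing the room's layout: one task file left
    world-writable (the misconfiguration), one locked down to 0644."""
    root = tempfile.mkdtemp(prefix="ansible-audit-")
    tasks = Path(root, "roles", "geerlingguy.apache", "tasks")
    tasks.mkdir(parents=True)
    for d in (Path(root), tasks.parent.parent, tasks.parent, tasks):
        os.chmod(d, 0o755)                     # directories stay non-writable
    for name, mode in (("configure-RedHat.yml", 0o666), ("configure-Debian.yml", 0o644)):
        f = tasks / name
        f.write_text("- name: placeholder task\n  debug:\n    msg: hello\n")
        os.chmod(f, mode)
    return root


def audit_demo():
    """Run the audit against the constructed tree, trusting the current user."""
    return writable_playbook_paths(build_demo_tree(), trusted_uid=os.getuid())
```

Pointing `writable_playbook_paths()` at a real roles directory (with `trusted_uid=0` when root should own it) lists exactly the files a privileged playbook runner must not trust.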
This was all about the Aratus room from TryHackMe. I really liked the parts where we used tcpdump to sniff packets and used ansible playbooks for privilege escalation. I struggled the most with the initial shell, as I never thought I would use the text files as the password list.
Hope you have learned something new from this.
Happy Hacking !!!