TryHackMe: Mnemonic - Writeup

Hello! This is a writeup for the room Mnemonic from TryHackMe. The room is medium-difficulty rated. Let’s begin.


Port scanning & services versions

NMAP Scan

Command: nmap -sC -sV -T4 -oN nmap-all -vv -r -p- $IP
-sC: Run the default scripts, which usually results in more information.
-sV: Try to identify the service version.
-oN: Save the result to a regular (normal-format) file.
-T4: Speed things up.
-vv: Very verbose, basically tells me everything going on while it is scanning.
-r: Scan ports sequentially instead of in random order.
-p-: Scan all 65535 ports.

As we can see from the nmap scan above, ports 21, 80 and 1337 are open.

Target: Webserver (port 80)

Usually, if there is something under robots.txt, it means that the admin does not want anybody to see that the entry exists.
http://$IP/robots.txt 1 disallowed entry:
/webmasters/*

Running gobuster against that path, I was able to find two directories to follow.

Command: gobuster dir -u http://$IP/webmasters -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -o gb-initial -x php,html

/webmasters/admin
/webmasters/backups

  • /admin

/admin.html [ Admin login page ]
/login.html [ Empty page ]

We discovered a login page, but we have no credentials. Let’s try to find some.

  • /backups

As it’s a backup folder, let’s search for common backup extensions like: tar,zip,bak,rar,7z. Command:

gobuster dir -u http://$IP/webmasters/backups -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -o gb-initial -x tar,zip,bak,rar,7z

Backup File Disclosure
http://$IP/webmasters/backups/backups.zip

Target: Backup file

The zip file contains only one file, note.txt, but it’s encrypted and we don’t have any password yet. We have no choice but to brute-force it. JohnTheRipper fits well in this kind of operation, but as this is a zip file, the archive first needs to be converted into a hash format john understands. Commands below.

Converting: zip2john backups.zip > john
Bruteforcing: john john --wordlist=/usr/share/wordlists/rockyou.txt

The note gives us two usernames to work with, ftpuser and james. Port 21 is open, running vsftpd 3.0.3, but we don’t have a password. So, let’s break our way in! (again)
Command below.

hydra -l ftpuser -P /usr/share/wordlists/rockyou.txt $IP ftp -f

After a while, a valid password is found.

Target: FTP Server (port 21)

data-4 folder contents:
id_rsa, not.txt

Nothing interesting inside not.txt, but id_rsa can be used to log in to the machine as james via ssh without a password. Sadly, id_rsa is encrypted with a passphrase, and once again we’re going to need JohnTheRipper’s help. Commands below.

/usr/share/john/ssh2john.py id_rsa > john_rsa
john john_rsa --wordlist=/usr/share/wordlists/rockyou.txt

After a while, a valid password is found.

Initial shell

I was able to log in via ssh as james (ssh is listening on port 1337, not 22), command: ssh james@$IP -p 1337
The passphrase found for id_rsa is the same as james’ password.

Privilege escalation

A note in james’ home directory talks about an encryption method called Mnemonic. Basically, it analyses all the pixels of an image and extracts data from it.

Download this tool from github to be able to work with Mnemonic:
Command: git clone https://github.com/MustafaTanguner/Mnemonic.git

Horizontal privesc

For some reason, condor’s home directory is world-readable, meaning that we can see all the files inside it.
There are two base64-encoded entries: one is the user.txt flag and the other is a link to the image to work with (Mnemonic). You can use an online decoder or the command: echo '<base64 string>' | base64 -d

Working with Mnemonic

The tool previously downloaded is very straightforward: you need to type the path to the image and the path to the text file (which is the file 6450.txt in james’ home directory; just copy it to your machine).
Doing so, we discover condor’s password.

Vertical privesc

Able to switch to user condor using his previously found password: su condor

The first command I ever type when I know the user’s password is sudo -l, to see if the user can run something as another user on the system.
User condor may run the following commands on mnemonic:
(ALL : ALL) /usr/bin/python3 /bin/examplecode.py

  • There is a hidden backdoor feature in /bin/examplecode.py, code snippet (indentation restored, quotes normalised):

if select == 0:
    time.sleep(1)
    ex = str(input("are you sure you want to quit ? yes : "))

    if ex == ".":
        print(os.system(input("\nRunning....")))  # EXECUTING ANY COMMAND AS ROOT
    if ex == "yes " or "y":  # always true: "y" is a non-empty string, so this exits on any other answer
        sys.exit()

If you type “.” when the program asks if you’re sure you want to quit, then you can execute any command as root.
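To make the defect concrete, here is an added example (my own code, not the room’s /bin/examplecode.py) that puts the original quit check next to a hardened rewrite. The command allowlist (ALLOWED) and the menu helper are constructed for illustration: the point is that a sudo-runnable script must never hand raw input() text to os.system(), and that `ex == "yes " or "y"` is a precedence bug that is always true.

```python
import subprocess

# Mirror of the original condition from the script's quit branch.
# `ex == "yes " or "y"` parses as `(ex == "yes ") or "y"`, and the non-empty
# string "y" is truthy, so this is True for every possible input.
def vulnerable_quit_check(ex: str) -> bool:
    return bool(ex == "yes " or "y")  # bug kept on purpose to show the behaviour


# Hardened check: compare against an explicit set of accepted answers.
def hardened_quit_check(ex: str) -> bool:
    return ex.strip().lower() in {"yes", "y"}


# Constructed allowlist: the only commands the script is allowed to run, each as a
# fixed argv list so no user text ever reaches a shell. "status" just echoes a marker.
ALLOWED = {
    "status": ["echo", "status-ok"],
    "disk": ["df", "-h"],
}


# Replacement for `os.system(input(...))`: look the request up in the allowlist and
# run it with shell=False; anything not in the table is rejected, never interpreted.
def run_allowed(name: str) -> subprocess.CompletedProcess:
    argv = ALLOWED.get(name.strip())
    if argv is None:
        raise ValueError(f"command not permitted: {name!r}")
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)


# Menu option 0 rewritten: the only outcomes are "exit" or "stay". There is no
# path where typing "." (or anything else) leads to command execution.
def quit_menu(answer_fn) -> str:
    ex = str(answer_fn("are you sure you want to quit ? yes : "))
    if hardened_quit_check(ex):
        return "exit"
    return "stay"


if __name__ == "__main__":
    print("original check on '.':", vulnerable_quit_check("."))
    print("hardened check on '.':", hardened_quit_check("."))
    print(quit_menu(input))
```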

I changed /bin/bash permissions so I could run it as the user who owns it, in this case, root. The famous SUID.
The root flag is not hashed and it needs to be. Command:

echo -n string | md5sum

Submission: THM{md5hash}

Conclusion

Very cool machine, I had a good time doing it, and I hope you enjoyed my brief explanation of all the process. Thank you for your attention.
