Anonymous Playground Walk-Through
Want to become part of Anonymous? They have a challenge for you. Can you get the flags and become an operative?
Anonymous Playground by TryHackMe is Hard Box with more tricks than tech. Before you start working on it , better add the Machine IP to your /etc/hosts file. NMAP scan didn’t reveal any interesting fact besides a rather interesting forbidden entry in the robot.txt file.
We head over to Port 80 and are greeted by the following pages :
These two pages reveal no interesting information as such (yeah , the contact page doesn’t seem to work and that list of operatives is no good as a wordlist for bruteforcing). Thus we’ll just head over to the forbidden entry mentioned under robots.txt and try our luck there.
Well we seemed to have hit a dead-end right here. Let’s examine the request in Burpsuite and see if we can somehow bypass this.
The Cookie sure looks interesting here. Changing the value from denied to granted does the trick and we are able to view the forbidden page.
The webpage hence loaded contains some cypher text. Is this what the hint tells us to write the python script for ? Well the hint reads ‘zA’=‘a’ , which is quite a popular cypher which involves shifting the former alphabet with a value equal to the position of the latter in the alphabet. We fire up our IDE and write a quick python script to do the work for us. ( Get the script here )
Wow ! That’s looks like one of the user’s SSH login credentials. We use these to SSH into the target machine.
First things first , let’s fetch our first flag :
With our first flag in hand , we proceed to inspect the other files in the directory.
You can read the note_from_spooky.txt but the essence of it all lies in the binary : hacktheworld. Note that it’s owned by root and the presence of the SUID Binary. We bring the binary over to our local machine to examine it in detail.
Well, nothing seems to happen. This begs some Reverse Engineering. My favourite RE tool is Ghidra , so I load this binary into it.
Well to start with , we have a main function which basically takes in a certain length of string in it’s memory and practically does nothing with it. However, there’s an interesting call_bash function which can be leveraged for Privilege Escalation. Enter BINARY EXPLOITATION.
The first step would be to identify the buffer capacity before we get our Segmentation Fault. A bit of fuzzing around and it seems that when we feed in 72 A’s into the hacktheworld binary , it crashes. Next up we load our program in GDB for further analysis.
Here again take notice of the main and call_bash functions. First we disassemble the main function to get an insight into the stuff happening there.
Here we shall introduce two break points , one at gets@plt (plt stands for Procedure Linkage Table) and another one just after it.
Next thing , we run the program and after we pass the first break point , we have a look at our registers.
Well the rsi register is what holds the key here. We know that the program functions perfectly till input is limited to 71 A’s but crashes at 72. Let’s have a look at the state of rsi register under each case.
We can now clearly see what’s going on here. Now our next target is to invoke the call_bash function. To do so , we would pass in the address 0x0000000000400658 (note that it is one more than the address of call_bash function so that when it pops 0x0000000000400656 , it doesn’t leave the function and we could get our shell). We put in the address in Little Endian format.
So finally , we are able to invoke the call_bash function. With this exploit back in hand , we SSH back into our machine and run the following exploit :
(python -c “print(‘A’*72 + ‘\x58\x06\x40\x00\x00\x00\x00\x00’)”; cat ) | ./hacktheworld
Note the extra zeroes introduced in here. They are introduced because we are in a 64 bit environment. Congrats ! With this you have escalated your privileges to the user spooky !
Now we move over to the home directory of the user spooky and have a look at the files there.
Before proceeding further , quickly snag the flag.txt here to get our second flag !
Now notice that there’s a hidden file by the name of .webscript which contains some very interesting piece of code.
So basically what this code does is to create an executable which gives us a shell with the same UID as the program calling calling it. One big hint here is under the clean up section. It looks like something which we would normally do in case of possible privilege escalation through wildcards.
A look at the crontab confirms our suspicion. There’s a cronjob running as root with prospects of privilege escalation via wildcards.( If you have no idea what’s going on , I strongly recommend doing THIS first. )
Now to go root , we run the following commands :
chmod +x .webscript
touch /home/spooky/ — — checkpoint=1
touch /home/spooky/ — — checkpoint-action=exec=sh\ .webscript
Wait for sometime ( go have some coffee or listen to a song ?) and then have a look at the contents of your home directory. You’ll notice that the directory .cache is no longer empty and is now owned by root.
Run the executable found inside the directory and Viola ! We Are Root !
With this , finally head over to /root and fetch the final flag !
With this we completed another Hard Box. Tap yourself on the shoulder. Don’t forget to follow me to get more walk-throughs and tutorials. In-case of any questions , hit me up on Instagram or LinkedIn. Till then , See Ya !
