TryHackMe : Cat Pictures 2 (Ansible & Baron Samedit Exploit in Sudo)
Intro : This is a new room on the TryHackMe platform, and it is a bit difficult. Here you will use an Ansible playbook runner to get user access, and then escalate privileges with the Baron Samedit exploit in sudo (CVE-2021-3156), a heap-based buffer overflow in sudo.
Nmap Scan :
As usual we start with an Nmap scan, which found 2 open ports: 22 (ssh) and 8080 (http). At first I did not find port 80 open.
Tip : nmap -sVC -T4 <ip> -vv
Some time later I found that port 80 was open, and I visited the web page. It looks like this: some cat images.
Web Enumeration :
I opened all the images one by one. When I clicked on the image below I found that it was much bigger (7.1 MB) than the others and it had a description. I found this image suspicious and downloaded it.
After downloading it I ran ‘exiftool’ on that image.
Here I found some interesting metadata.
In the ‘Title’ field I found a port followed by a text file.
Tip : Title : :8080/<something>.txt
So I visited that page and found a note there.
Here I found a username and password for the ‘Gitea’ website on port 3000. There is also an ‘Ansible’ runner on port 1337. So now we have to deal with ‘Ansible’, which is used for automation. Details are here.
Exploit with Ansible :
I visited port 3000 and got this.
I went to the ‘Sign In’ tab to sign in with the known username and password.
I am now logged into the repository.
Here I visited the first repo ‘samarium/ansible’, where I found the first flag. Flag1 :)
I also found a ‘README.md’ and a ‘playbook.yaml’ file, which is normally an Ansible playbook. So I opened that file.
This file can run a command. So in the command field of that file I put the ‘id’ command.
Tip : You can edit the file by pressing the pen button on that page. To save the file, put the cursor on playbook.yaml and press enter. It will save.
Then I visited the playbook runner page on port 1337, where I can run this playbook.yaml file.
I clicked Run Ansible Playbook, and after some time it gave me a success message. You can see the result in the ‘Logs’ tab.
It shows me the user ID at the bottom. The user is ‘bismuth’.
So now I changed the command in playbook.yaml to ‘ls -la’.
Running the playbook runner again, I got the following output in Logs.
I found flag2.txt. You can use the ‘cat’ command in that ‘yaml’ file and run it to get the flag content. But I want a shell on that machine. I also found a ‘.ssh’ folder, where we can find the user’s private ‘id_rsa’ file, which lets us log in over ssh. So I used this command in the ‘playbook.yaml’ file.
Tip : cat .ssh/id_rsa
After running the playbook runner I got the private id_rsa.
I removed all the double quotes and commas from the id_rsa using ‘chatgpt’ and saved it in a file. I gave the file permission 600.
Tip : chmod 600 <file_name>
Then I used ssh to log in as user bismuth.
Tip : ssh -i id_rsa bismuth@<ip>
Here I cat out that file → flag2.txt.
Privilege Escalation :
Now it’s time for some PrivEsc. I ran ‘linpeas.sh’ but found nothing. Then I checked the sudo version on that machine.
Tip : sudo --version
It is 1.8.21. Searching on Google I found this post. It says this was a heap buffer overflow allowing any user to escalate privileges to root. It also says that the vulnerability has been patched, but it affects any unpatched version of sudo from 1.8.2–1.8.31p2 and 1.9.0–1.9.5p1. Our version is 1.8.21, so it is vulnerable.
We can confirm that using the sudoedit command. Here it is :
Tip : sudoedit -s '\' $(python3 -c 'print("A"*1000)')
If it says ‘memory corruption’ or ‘core dumped’ then it is surely vulnerable to the buffer overflow.
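As an added example (not from the room or this writeup), here is a small Python script that classifies a `sudo --version` string against the affected ranges quoted above, so a defender can screen a fleet of hosts before doing the sudoedit check by hand. The sample version outputs in it are constructed. It assumes the string is the upstream version number; distributions often backport the fix without changing it.

```python
import re

# Affected upstream sudo ranges for CVE-2021-3156 as quoted in the writeup:
# 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1, both ends inclusive.
# Versions are compared as (major, minor, micro, patch) tuples.
VULNERABLE_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text):
    """Extract (major, minor, micro, patch) from a bare version string or from
    the first line of `sudo --version` output, e.g. 'Sudo version 1.8.21p2'.
    A missing 'pN' suffix is patch level 0, so 1.8.31 sorts before 1.8.31p1."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in: {text!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def format_version(v):
    """Inverse of parse_sudo_version: (1, 8, 31, 2) -> '1.8.31p2'."""
    base = ".".join(str(x) for x in v[:3])
    return f"{base}p{v[3]}" if v[3] else base


def is_in_affected_range(version):
    """True when the upstream version number lies inside an affected range.
    Assumption: the string is the upstream version. Distributions often
    backport the fix without bumping it (only the package revision changes),
    so 'in-range' means 'check the package changelog', not 'exploitable'."""
    v = parse_sudo_version(version) if isinstance(version, str) else version
    return any(low <= v <= high for low, high in VULNERABLE_RANGES)


def triage(sudo_version_output):
    """Classify one host's `sudo --version` output as 'in-range' or 'fixed'."""
    v = parse_sudo_version(sudo_version_output)
    label = "in-range" if is_in_affected_range(v) else "fixed"
    return f"{format_version(v)}: {label}"


if __name__ == "__main__":
    # Constructed sample outputs for a few hosts, not captured from real ones.
    for line in ["Sudo version 1.8.21", "Sudo version 1.8.31p2",
                 "Sudo version 1.8.31p3", "Sudo version 1.9.5p1",
                 "Sudo version 1.9.5p2", "Sudo version 1.8.32"]:
        print(triage(line))
```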
I found an awesome exploit PoC here (GitHub).
I downloaded this repository to my machine.
I transferred all the files to the victim machine using a python3 server and wget. Then I used the make command in that folder to build the exploit.
It builds an exploit named ‘sudo-hax-me-a-sandwich’. Then I ran it. It checks the sudo version.
Our version is 1.8.21, so I ran the exploit with option 0, because that target is the one for our version. Then I ran it again.
And we get root access along with flag3 in the root folder. Bingo!!!!
So here we learned about the sudo heap-based buffer overflow. Amazing. I hope you also learned something new.
If you like it, don’t forget to follow me for more articles.
THANKS FOR READING!!
Happy Hacking~