TryHackMe : Mindgames

#$ubh@nk@r
4 min readJun 22, 2023


Intro :

Hey! This is my new writeup. Here we will face a simple web-app converter that leads to RCE, followed by a simple PrivEsc with Linux capabilities. So let’s start without any delay.

Nmap Scan :

As usual we start with a simple ‘Nmap’ scan, and we find 2 open ports: 22 and 80.

NMAP Scan

So let’s visit the web-server.

This is a very simple website with some converter functionality. The converter only takes ‘BrainFuck’ code as input. So I tried the ‘Hello, World’ program, and it gave me the output ‘Hello, world’.

Tip : Brainfuck is an esoteric programming language created in 1993 by Urban Müller. Notable for its extreme minimalism, the language consists of only eight simple commands, a data pointer and an instruction pointer.

Link :https://en.wikipedia.org/wiki/Brainfuck

So it is executing some code that prints ‘Hello, World’. That made me think: if the output of the Brainfuck program is being executed, can I give it a Python reverse shell converted into ‘BrainFuck’, which will then execute and give me a reverse shell? So let’s try.
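From the writeup one can infer that the room’s converter did not just interpret the Brainfuck program but also executed whatever text it produced, which is what turns an esoteric-language toy into remote code execution. A safe converter treats the program’s output as data only. The interpreter below is an added example written for this writeup (it is not the room’s converter and not the author’s code): it runs the eight Brainfuck commands directly on a fixed tape, caps steps and output so a hostile program cannot hang or exhaust a worker, and returns the result as a plain string that is never passed to exec(). The Hello World program embedded in it is the well-known one from the Wikipedia article linked above.

```python
"""Minimal safe Brainfuck runner: interprets the eight commands directly and
returns the program's output as plain text, never handing it to exec().
Added example for this writeup; not the room's converter."""

from __future__ import annotations

TAPE_SIZE = 30_000      # fixed tape; moves off either end raise instead of growing
MAX_STEPS = 1_000_000   # step budget so a non-terminating program cannot hang a worker
MAX_OUTPUT = 4_096      # output cap so a tight print loop cannot fill memory


class BrainfuckError(Exception):
    """Raised for unbalanced brackets, tape overruns, or exceeded resource caps."""


def _match_brackets(code: str) -> dict[int, int]:
    """Pre-pair every '[' with its ']' so jumps are O(1); reject unbalanced programs."""
    jumps: dict[int, int] = {}
    stack: list[int] = []
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise BrainfuckError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jumps[j], jumps[i] = i, j
    if stack:
        raise BrainfuckError(f"unmatched '[' at offset {stack[-1]}")
    return jumps


def run_brainfuck(code: str, stdin: str = "") -> str:
    """Execute a Brainfuck program and return what it printed, as a string."""
    # Anything that is not one of the eight commands is a comment; drop it up front.
    code = "".join(c for c in code if c in "<>+-.,[]")
    jumps = _match_brackets(code)
    tape = bytearray(TAPE_SIZE)
    ptr = pc = steps = 0
    inp = iter(stdin.encode())
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > MAX_STEPS:
            raise BrainfuckError("step budget exceeded")
        ch = code[pc]
        if ch == ">":
            ptr += 1
            if ptr >= TAPE_SIZE:
                raise BrainfuckError("pointer ran off the right end of the tape")
        elif ch == "<":
            ptr -= 1
            if ptr < 0:
                raise BrainfuckError("pointer ran off the left end of the tape")
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF   # 8-bit cells wrap, as in the classic language
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
            if len(out) > MAX_OUTPUT:
                raise BrainfuckError("output cap exceeded")
        elif ch == ",":
            tape[ptr] = next(inp, 0)             # EOF reads as 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]                       # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]                       # back to the matching '['
        pc += 1
    # The output is returned as data for the caller to display; it is never evaluated.
    return out.decode("latin-1")


# The standard Hello World program; it prints "Hello World!" followed by a newline.
HELLO_WORLD = ("++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]>>.>---.+++++++.."
               "+++.>>.<-.<.+++.------.--------.>>+.>++.")

if __name__ == "__main__":
    print(run_brainfuck(HELLO_WORLD), end="")
```

The point of the design is the last line of run_brainfuck: the converter’s job ends at producing text. A program whose output happens to look like Python is just text that looks like Python, and the step and output caps mean the interpreter itself cannot be used to exhaust the server either.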

Shell as mindgames :

Note: Don’t forget to change your IP with tun0 Interface IP.

Then I intercept the convert request in ‘BurpSuite’ and send it to Repeater. There I place the converted reverse shell code into the input field.

I set up my ‘Netcat’ listener, send the request, and easily get a shell.

Tip : python3 -c 'import pty; pty.spawn("/bin/bash")' [Full TTY Shell]

With that I have user access, and also the ‘user.txt’ file.

Privilege Escalation :

So it’s time for Privilege Escalation. I try ‘sudo -l’, but it asks for a password, which is unknown. I also search for a vulnerable SUID binary, but find nothing. So I fire up my last weapon, ‘LinPeas’. :)

After some time I find something interesting: /usr/bin/openssl has the cap_setuid capability set.

I search Google for ‘openssl cap_setuid privesc’ and find this post.

https://chaudhary1337.github.io/p/how-to-openssl-cap_setuid-ep-privesc-exploit/

It says: “Consider the binary /usr/bin/openssl has capabilities set as: /usr/bin/openssl = cap_setuid+ep. Is there a way to become root from a normal user by using this?”
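The finding LinPeas surfaced here is exactly what a periodic host audit should catch before an attacker does: a general-purpose binary carrying an effective capability that is equivalent to root. The helper below is an added example for this writeup (not LinPeas, not the linked post’s code): it parses the output of getcap -r in both the older “path = caps” and newer “path caps” formats, and flags any root-equivalent capability that is granted in the effective or permitted set. The getcap lines it is run against are constructed sample data, modelled on the page’s /usr/bin/openssl = cap_setuid+ep finding; the set of capabilities treated as root-equivalent is my own selection of the well-known identity- and DAC-bypassing ones.

```python
"""Audit helper: parse `getcap -r / 2>/dev/null` output and flag binaries carrying
capabilities that are equivalent to root (cap_setuid among them).
Added example for this writeup; the sample lines below are constructed."""

from __future__ import annotations

import re
import subprocess

# Capabilities that let a process change identity, bypass DAC, or load code into
# the kernel. Any effective or permitted grant of these to a general-purpose
# binary deserves review (assumed list; extend to taste).
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_setfcap", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
    "cap_chown", "cap_fowner",
}

# One capability clause: "cap_a,cap_b" then an operator (+ add, = set, - drop)
# then the flag letters e (effective), i (inheritable), p (permitted).
_CLAUSE = re.compile(r"^(?P<names>[a-z_,]+)(?P<op>[+=-])(?P<flags>[eip]*)$")


def parse_getcap_line(line: str) -> tuple[str, dict[str, str]] | None:
    """Return (path, {cap: flags}) for a getcap output line, or None if it is not one."""
    line = line.strip()
    if not line or " " not in line:
        return None
    path, rest = line.split(None, 1)
    if rest.startswith("="):
        rest = rest[1:].strip()          # older libcap prints "path = caps"
    caps: dict[str, str] = {}
    for clause in rest.split():
        m = _CLAUSE.match(clause)
        if not m:
            return None                  # not a capability string after all
        if m["op"] == "-":
            continue                     # flags being removed, not granted
        for name in m["names"].split(","):
            caps[name] = m["flags"]
    return path, caps


def flag_dangerous(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (path, cap, flags) for every root-equivalent cap that is effective or permitted."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        for cap, flags in sorted(caps.items()):
            if cap in ROOT_EQUIVALENT and ("e" in flags or "p" in flags):
                findings.append((path, cap, flags))
    return findings


def audit_host(root: str = "/") -> list[tuple[str, str, str]]:
    """Run getcap on this host (Linux with libcap installed) and flag findings."""
    proc = subprocess.run(["getcap", "-r", root], capture_output=True, text=True)
    return flag_dangerous(proc.stdout.splitlines())


# Constructed sample output mixing both getcap formats. Only the openssl line
# should be flagged: cap_net_raw/cap_net_admin are normal for ping and tcpdump.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/openssl = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
"""

if __name__ == "__main__":
    for path, cap, flags in flag_dangerous(SAMPLE_GETCAP.splitlines()):
        print(f"REVIEW {path}: {cap}+{flags}")
```

On a real host, audit_host() gives the same report for the live filesystem; a cap_setuid grant on anything that can load plugins or run user-supplied code, as openssl can with engines, should be removed (setcap -r) or replaced with a narrower mechanism.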

And it gave us the following steps.

Note : sudo apt-get install libssl-dev gcc [Required to build the exploit]

So in my own machine I made this ‘ssl_exp.c’ file.

Then I compile it into an ‘ssl_exp.o’ object file.

Tip : gcc -fPIC -o <name>.o -c <name>.c

Then I build the shared library with the following command and transfer it to the victim machine.

Tip : gcc -shared -o <name>.so -lcrypto <name>.o

It looks like this. I make it executable.

Then I run it.

Tip : /usr/bin/openssl req -engine ./<name>.so

And easily we get root and the root flag. I hope you learned something new.

THANKS FOR READING!

Happy Hacking~

Written by #$ubh@nk@r

CyberSecurity Learner, CTF Player, Noob Bug Hunter https://starlox0.github.io/
