https://tryhackme.com/room/inoculation

Inoculation is a challenge that puts a player's skills to the test and calls for a wide variety of tools, the kind you would use in a real-world engagement. Looking for a challenge? Try Inoculation!


Here's a short list of the things you'll need to be aware of and know how to use:

  • Nmap
  • Burp Suite
  • Basic Linux Commands
  • Wireshark
  • Privilege Escalation

Now let's get started by deploying the machine!


1) Nmap

Right off the bat, the first thing that should come to mind is Nmap.

Great! So we see 2 open ports! Now, let's visit the actual website.


2) Burp Suite

Hmmm... so first, fire up Burp Suite and intercept the request that is sent when a random URL is entered in the input field. On its own, nothing of interest. After a couple of minutes of thinking, it becomes clear that we might find something juicy by entering the URL of this site itself together with a port number and sending the request to Intruder!

Now, after a quick Google search, the maximum port number is 65535. Cool! So all we have to do is go to Payloads, set the payload type to Numbers and the range from 1 to 65535. Time to attack!

Great! There are other ways of doing this, since the Community Edition throttles Intruder, but for the sake of this article and the overall concept it works fine. We find that there are 2 open ports, port 80 and port 9999. Port 80 didn't seem to give us anything, but we received a response on port 9999 with this command!


3) Basic Linux Commands

You might be wondering, what's up with the "2130706433"? That is 127.0.0.1 written as a single 32-bit decimal number (the four address bytes packed most-significant byte first), and it still refers to localhost. A converter from the dotted string to that int can be found in this code:

import java.net.InetAddress;

public class IpToInt {
  // Packs the address bytes most-significant first into one int:
  // 127.0.0.1 -> 0x7F000001 -> 2130706433
  static int pack(byte[] bytes) {
    int val = 0;
    for (int i = 0; i < bytes.length; i++) {
      val <<= 8;
      val |= bytes[i] & 0xff;
    }
    return val;
  }

  public static void main(String[] args) throws Exception {
    String dottedString = args.length > 0 ? args[0] : "127.0.0.1";
    System.out.println(pack(InetAddress.getByName(dottedString).getAddress()));
  }
}
https://stackoverflow.com/questions/2241229/going-from-127-0-0-1-to-2130706433-and-back-again
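As an added illustration (my own code, not the room's or this write-up's), here is the same conversion in Python, in both directions, together with the check a web application should apply to a user-supplied URL before fetching it server-side. It normalizes decimal, hex, octal and short dotted host literals to an address, refuses loopback and private ranges, and restricts the destination port, which is what closes both the "2130706433" trick and the Intruder port sweep described in the previous section. Function names and the resolver table used in the test are assumptions; by default name resolution goes through getaddrinfo.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

_NUMBER = re.compile(r"0x[0-9a-f]+|[0-9]+")


def dotted_to_int(dotted):
    """127.0.0.1 -> 2130706433: four bytes packed most-significant first,
    the same value the Java pack() above produces."""
    return int(ipaddress.IPv4Address(dotted))


def int_to_dotted(value):
    """2130706433 -> 127.0.0.1 (the reverse direction)."""
    return str(ipaddress.IPv4Address(value))


def _token_value(tok):
    if tok.startswith("0x"):
        return int(tok[2:], 16)
    if len(tok) > 1 and tok[0] == "0":
        return int(tok, 8)  # a leading zero means octal, as in inet_aton()
    return int(tok, 10)


def parse_inet_aton(host):
    """Interpret a host the way inet_aton() and browsers do: one to four numeric
    parts (decimal, 0x-hex or leading-zero octal), the last part filling the
    remaining bytes. Returns the 32-bit value, or None if it is not such a form."""
    parts = host.lower().split(".")
    if not 1 <= len(parts) <= 4 or not all(_NUMBER.fullmatch(p) for p in parts):
        return None
    try:
        values = [_token_value(p) for p in parts]
    except ValueError:  # e.g. "08" is not valid octal
        return None
    *head, last = values
    if any(v > 255 for v in head) or last >= 256 ** (4 - len(head)):
        return None
    for i, v in enumerate(head):
        last |= v << (8 * (3 - i))
    return last


def literal_address(host):
    """ip_address object for any IP literal (dotted quad, IPv6, decimal, hex,
    octal, short dotted), or None when the host is a name that needs DNS."""
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        value = parse_inet_aton(host)
        return ipaddress.IPv4Address(value) if value is not None else None


def is_internal(addr):
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def _dns(name):
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def check_fetch_target(url, resolve=_dns, allowed_ports=(80, 443)):
    """Decide whether a server-side fetcher may request url. resolve maps a host
    name to its IP strings (real DNS by default; a table can be injected for
    tests). Returns (ok, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in allowed_ports:
        return False, f"port {port} not allowed"
    addr = literal_address(parts.hostname)
    addrs = [addr] if addr is not None else [
        ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    for a in addrs:
        if is_internal(a):
            return False, f"{parts.hostname} is internal address {a}"
    return True, "ok"
```

The address that passed the check must also be the one the fetcher actually connects to: resolving once here and letting the HTTP library resolve again later leaves a DNS rebinding window, so connect by the checked IP (sending the original Host header) or run the check inside the connection hook.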

But look at the results from curl: we get a .pcap file! So, as any normal person would, the first thing that comes to mind is Wireshark. Before we can load the .pcap, we first need to get hold of it. That is done with the exact same command as last time, plus the option that tells curl to write the response to a file:

--output dump.pcap

So, in the end it should look something like this:


4) Wireshark

This is going great! Now all we have to do is open the file with Wireshark and analyze the packets.

Wow, we were able to get the password so quickly! As you can tell, the path was named "pass4maynard.txt", which means "maynard" must be the username. Well, that was simple: all we needed to do was SSH in and grab the user flag!
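The write-up relies on screenshots for this step. As an added example (my own code, not part of the original post and not the room's dump.pcap), the Python below builds a small constructed capture in the classic pcap format, parses it back and lists the plaintext HTTP request lines, roughly what Wireshark's http.request display filter shows. It makes the lesson of this step concrete: anything requested over plain HTTP, including a file name like pass4maynard.txt, is readable by whoever holds the capture, which is why such paths and credentials belong behind TLS. Hosts, ports and packet contents in the sample are constructed.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_pcap(frames):
    """Serialize (timestamp, frame_bytes) pairs into a classic pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def iter_pcap(data):
    """Yield (timestamp, frame) for every record in a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1_000_000, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", frame, 16)
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src, dst, sport, dport, frame[tcp_off + data_off:14 + total_len]


def http_requests(pcap_bytes):
    """List plaintext HTTP request lines, much like Wireshark's 'http.request' filter."""
    hits = []
    for ts, frame in iter_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        first = payload.split(b"\r\n", 1)[0].split(b" ")
        if len(first) == 3 and first[0].isupper() and first[2].startswith(b"HTTP/"):
            hits.append({"time": ts, "src": src, "dst": dst, "dport": dport,
                         "method": first[0].decode(),
                         "path": first[1].decode(errors="replace")})
    return hits


# Constructed sample capture: a plaintext GET for the file name the write-up
# mentions, the reply, and a TLS-looking record that the HTTP filter must ignore.
SAMPLE_PCAP = build_pcap([
    (1_600_000_000.000, build_tcp_frame("10.0.0.5", "10.0.0.9", 40000, 80,
        b"GET /pass4maynard.txt HTTP/1.1\r\nHost: 10.0.0.9\r\n\r\n")),
    (1_600_000_000.010, build_tcp_frame("10.0.0.9", "10.0.0.5", 80, 40000,
        b"HTTP/1.1 200 OK\r\nContent-Length: 18\r\n\r\nexample-body-data\n")),
    (1_600_000_000.020, build_tcp_frame("10.0.0.5", "10.0.0.9", 40001, 443,
        b"\x16\x03\x01\x00\x05hello")),
])

if __name__ == "__main__":
    for hit in http_requests(SAMPLE_PCAP):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} {hit['method']} {hit['path']}")
```

Wireshark does the same walk with far more protocol knowledge; the point of reimplementing the small slice here is to show that the request path is sitting in the TCP payload in the clear, with nothing to decrypt.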


5) Privilege Escalation

Now, after running sudo -l to check our rights, it's quite obvious that we need to perform privilege escalation.

ExploitDB returns the following:

https://www.exploit-db.com/exploits/41240

The code did require some small changes (editing paths, etc.), but this was the final Makefile:

# Standard out-of-tree kernel module build; recipe lines must be tab-indented.
obj-m += cve_2017_0358.o

# Build against the headers of the kernel running on the box.
all:
	make -C /lib/modules/4.15.0-58-generic/build M=$(PWD) modules

clean:
	make -C /lib/modules/4.15.0-58-generic/build M=$(PWD) clean

Simple. Now we have to run sudo insmod; insmod is the tool that inserts a module into the running kernel. Just cd /tmp and we should notice an interesting r00t file after running ls. Running ./r00t -p creates a nested directory and, woohoo! Type whoami, and you're root!


A great learning experience!

Just try your best to put the basics into practice and use all the tools available to you. The room was awesome and really helped me, along with others, to realize the importance of these 5 essential tools and skills. Until next time!