Welcome to KoTH-Tools, a collection of custom tools used in TryHackMe's King of the Hill competition.
These tools are designed for use on Linux machines.
This directory contains exploits for CVEs found in the machines.
- CVE-2019-18634-sudo-buffer-overflow
- CVE-2021-3156-dirtypipe
- CVE-2021-3493-overlayfs
- CVE-2021-4034-pwnkit
This directory contains static binaries that can be used in the machines. These binaries are compiled statically to avoid problems with missing dependencies. Some of them are used in other tools.
- changeattr - Change the attributes of a file.
- echo - Print a string. *
- inotifywait - Wait for changes to files using inotify.
- lsattr - List file attributes. *
- pspy64 - Monitor processes without root permissions.
- real_chattr - Change the attributes of a file.
* Compiled with Makefile. Source code is available in the static directory.
Includes a script to monitor file changes in the /root/king.txt file.
When changes are detected, the script will attempt to overwrite the file with the player's username.
Currently in development.
- hello.sh - Display a "Hello" message.
- nyan - Display nyan cat animation.
- rickroll.sh - Display rickroll lyrics animation.
- spin.sh - Display animation of a spinning saturn.
This directory contains animations that can be displayed in other players' terminals, like so:

```sh
# Get your tty number
tty
# Enumerate the tty numbers of other players
ls -l /dev/pts/
# Display the animation in the other player's terminal
./animations/nyan > /dev/pts/<tty_number>
```
Getting your terminal flooded with animations is a significant setback toward winning the game.
Here's a simple way you can prevent that from happening when using ssh:

```sh
ssh -T <username>@<ip>
tty
# No tty number will be displayed
```

From the ssh manual:

```
-T      Disable pseudo-terminal allocation.
```
- autodownloader.sh - Automatically download scripts from attacker machine.
- chattr - Malicious version of chattr. *
- check.sh - Check the king.txt file and overwrite it if necessary.
- flag-finder.sh - Automatically find flags in the machine.
- kingster.sh - Write and protect the king.txt file.
- systemd.sh - Create a backdoor service for persistence.
- stable-shell.sh - Stable reverse shell.
- LinEnum.sh - Linux enumeration script. (source)
- linpeas.sh - Linux Privilege Escalation Awesome Script. (source)
- PwnKit - Privilege escalation toolkit CVE-2021-4034. (source)
- mount-trick.txt - Mount trick to bypass chattr protection.
- tricks.html - King of the Hill tricks. (generated from tricks.md)
- trollrc - Troll .bashrc file.
- port-scanner-nc.sh - Port enumeration using netcat. Run with multiple threads for better performance.
- url-path-finder.sh - Find paths in a website by scanning source code.
* According to the KoTH rules, "chattr" is the only binary that can be replaced on the machine.
Used to get a reverse shell in the machine.
- thm - Connect to TryHackMe VPN.
You will need to install openvpn to use this script.
Next you will need to edit the thm script to replace your username, VPN file path and other variables.

```sh
# Define variable for THM username
username="z0d1ac"
# Define directory where $username.ovpn is located
vpn_dir="$HOME/.vpn"
# Session logfile
session_log=$vpn_dir/session.log
# Optional: Location of profile to update (.zshrc, .bashrc, .bash_profile, etc)
profile_file="$HOME/.bash/custom.sh"
```
Usage:

```sh
# Connect to THM VPN
thm
# Alternatively, pass the machine IP, which will be saved in your .profile as the VMIP environment variable
thm <machine_ip>
# Disconnect from THM VPN
thm kill
# Show OpenVPN connection log
thm log
```
Special thanks to the following contributors for their valuable contributions:
- @MatheuZSecurity
  - for his tricks.md file.
  - for inspiring me with his systemd.sh script.
- for his
- @f11snipe
  - for his trollrc file.
  - for his thm script for vpn connection and utilities.
- for his