Madeye’s Castle TryHackMe Walkthrough
Hello guys back again with another walkthrough this time we’ll be tacking Madeye’s Castle room from TryHackMe. The room was released about 12 hours ago and according to my opinion this room was a bit hard as compared to the rooms we have done the last 2 weeks though it was rated medium. You start off by discovering a virtual host in an Apache default page source code and it leads you to a different website which is vulnerable to SQLite injection. But SQLMap fails to extract the database i don’t know the reason why but i ended up learning how to manually extract the entire database. And we get a bunch of SHA-512 hashes, usernames and notes. During the initial foothold we had found some potential passwords. We modify the wordlist using hashcat rules and the crack one of the hashes which gives us access to the box. User 1 done!!!. For user 2 we exploit a misconfigured nano and get shell as the second user. For root we exploit a c rand() function and chain it with PATH manipulation vulnerability to get root on the box. It was a fun box nonetheless and thanks to the creator of the box Madeye. Without much say lets jump in.
As always we’ll start off with a port scan using nmap to find the ports that are open
Looking at nmap results you can see that we have three ports open SSH, SMB and HTTP. SSH requires credentials and it has very few vulnerabilities so it will be the last to enumerate. I started by enumerating SMB since we might get some sensitive files that may probably have credentials.
Of late i always use crackmapexec to enumerate SMB. First i tried listing SHARES using the command
crackmapexec smb 10.10.143.196 -u anonymous -p anonymous --shares
Looking at the output of crackmapexec you can see that we have read access to sambashare. I logged in to SMB using smbclient to see if the share had any sensitive files. Smbclient is a package contains command-line utility for accessing Microsoft Windows and Samba servers.
i used the command
smbclient -N //10.10.143.196/sambasharen specifies that smbclient should use null authentication when logging into samba
Looking at the above screenshot we have a successful login. Doing a directory listing we see two files.
spellnames.txt and .notes.txtI downloaded both of the files to my box. And decided to take a look at them
The Notes text file gives us two potential usernames Hagrid and Hermonine
The Spellname text file gives us a wordlist which potentially might be a password file.
So i saved both usernames to a text file and tried a SSH brute force hydra and the spellnames wordlist
But looking at the screenshot below it didn’t work
I kept both files back on my mind and decided to enumerate HTTP since HTTP always has a bigger attack surface. On opening the website using Mozilla we get the default Apache webpage
I decided to take a look at the source code of the webpage and to my surprise we get a hostname on a comment the developer left behind
I added the hostname to my hosts file
And then tried to navigating to the hostname using Mozilla and looking at the screenshot below we get a different webpage. It’s a concept commonly known as virtual host routing
Sweet. I intercepted the login request using burpsuite and saved it to a file
Then after saving it to a file i ran SQLMap using the login request. While SQLMap was running in the background i decided to try common credentials like admin,root,password but it didn’t work
Next i tried a simple SQL injection query (single quote) and to my surprise it worked since i got a different output
When i add a comment the error disappears
Sweet now i was sure it was SQL injectable. Going back to the results of SQLMap we see that it identifies that indeed the web application has a SQL injection vulnerability but it wasn’t able to extract any working payload
I tried many different methods to see if i could get the SQL injection working but they all failed. So i spent an extra two hours learning how SQLite injection worked and tried to to extract the database myself.
The first step is identifying the number of columns the database has and i used union technique to do this
I continued adding the number columns and on reaching 4 the error disappeared
This means that the database has four columns. Also looking at the output you can see that we can control the information on 1 and 4 since the query returned the result
Meaning if we put our own string it will get displayed back. In the screenshot below i added a string saying hello and it was displayed in the response
Next i wanted to enumerate the exact database management system that the web application was running. And the query
sqlite_version()gave me the version number of SQLite database the web application was running on
Meaning the DBMS used was SQLite sweet and it is running version 3.22.0
Sweet Now i decided to enumerate the databases present on SQLite using the query
' union select group_concat(tbl_name),2,3,4 FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'-- -
And from the above screenshot we see that the SQLite has one database called users.
Next we have to extract column names but i tried a lot of queries which didn’t work. But developers are predictable when naming columns i decided common columns names and one worked passwords
I used the query
' union select group_concat(password),2,3,4 FROM users-- -Looking at the screenshot below i was able to dump the entire table
Sweet. Now i decided to brute force the rest of the table names using a wordlist called common.txt which can be found in seclists and found three tables namely notes,password and names as you can see below
I saved the hashes in a text file and tried identifying the type of hash it could be using hash-identifier which is a software to identify the different types of hashes used to encrypt data and especially passwords
Looking at the result on the screenshot above it’s probably a SHA-512 hash
I tried cracking then using the rockyou wordlist but it didn’t work
But we also found some notes on the database
One of the notes talked about a password using best64. Going back to our initial recon we remember that we had a bunch of spellnames. I tried to see of it had any base64 strings in it but it turned out to be a dead end. Then i remembered that hashcat has a rules file called best64
I tried mutating the spellname text file using the best64 rule set and created an entirely new wordlist . I used the command
hashcat --stdout -r /usr/share/hashcat/rules/best64.rule spellnames.txt > possible_passwords.txt
Again i tried using the mutated wordlist to crack the SHA-512 hashes using hascat
After it has finished running and to my surprise one hash had been successfully cracked
using — show command in hashcat we get to see the password of the hash
So right now we have a password but no username. Returning back to the SQLite query we had a bunch of usernames
When i tried the name Harry Turner with a random password on the login page i got a different error
And we get some info telling us that probably harry is the username for the Linux user
Sweet i tried logging into the box through SSH using that username and the password we had cracked
And it actually worked
We have a shell on the box. Sweet. Looking at Harry’s home folder we have the first flag
Running sudo -l we see that the Harry user can run /usr/bin/pico as the user Hermonine
Running the binary using the command
sudo -u hermonine /usr/bin/picoWe see that its just nano with the name changed
Knowing we can get a shell from just running nano i used GTFOBINS to exploit the misconfiguration and get a shell as the hermonine user
Looking at hermonine’s home directory we have the second user flag and we could read it
Sweet our next job is to escalate our privileges to become root on the box. Since nothing stood out initially i ran linpeas and checked the output. One of the SUID binary called swagger stood out
I tried executing the binary and i was asked to guess a number but every time i guessed a number i got it wrong
I downloaded the SUID binary to my box and opened it up using ghidra which is a NSA reverse engineering tool
Looking at the decompiled output we see that the binary uses rand() function which generates random numbers as we have seen above.
Doing some google researching i found that the rand function is vulnerable of some sort of time attack where if the time different is negligible the random number doesn’t change. So if we could find a way to run the command and cause the binary to leak the correct random number and we input the same leaked number to the binary before a significant amount of time passes we could potentially bypass the check. To prove this i executed the script 5 times in a for loop
using the command
for number in $(seq 1 5);do echo 0 | /srv/time-turner/swagger; done
Looking at the screenshot above the binary used the same digit 5 times five times it ran the binary meaning the the rand() function is not as random as it thinks
So the binary creates a random number then compares our input to the random number created and if they are similar meaning the condition is True the script executes another function called impressive.
The impressive function performs a system call to uname but as you can in the screenshot above it doesn’t use full PATH and since the binary is a SUID binary we could manipulate the PATH since it doesn’t uses secure PATH
First i created a binary called uname /tmp directory that would just read the root flag
Next changed the permission of the file to an executable and then spoofed the PATH
This means that when the binary execute uname instead of it executing the real binary(uname) it executes the one we created in /tmp since we spoofed the PATH and SUID doesn’t use secure PATH like sudo does
Next i used a one liner bash command which sends a wrong number the first time, gets the leaked random number then send it before the number expires
Here’s the command
/srv/time-turner/swagger | grep -oE '[^ ]+$' |tail -1 | /srv/time-turner/swaggerLet’s execute the command and see if it works
Once the command rans you get a blank output just input a random character,number or letter and press enter. We successfully exploited the vulnerability
And we get the root flag haha
Sweet we now know our exploit works lets drop a SSH public key to the box and login as root
First i generated a SSH key pair
Created a bash script which would add the public SSH keys to the root’s folder
Then executed the binary again and we got one error that the .ssh directory exists but let’s try logging in using the SSH private key we had created
And looking at the screenshot below we are root and we have the root flag
We can now submit the three flags on TryHackMe and get the points
And the box is done!!!!. I hope you liked the walkthrough if so clap for me down below and follow me so that you won’t miss any upcoming article. But for now it Goodbye!!