Madeye’s Castle TryHackMe Walkthrough

As always we’ll start off with a port scan using nmap to find the ports that are open

Looking at nmap results you can see that we have three ports open SSH, SMB and HTTP. SSH requires credentials and it has very few vulnerabilities so it will be the last to enumerate. I started by enumerating SMB since we might get some sensitive files that may probably have credentials.

Of late i always use crackmapexec to enumerate SMB. First i tried listing SHARES using the command

crackmapexec smb 10.10.143.196 -u anonymous -p anonymous --shares

Looking at the output of crackmapexec you can see that we have read access to sambashare. I logged in to SMB using smbclient to see if the share had any sensitive files. Smbclient is a package contains command-line utility for accessing Microsoft Windows and Samba servers.

i used the command

smbclient -N //10.10.143.196/sambasharen specifies that smbclient should use null authentication when logging into samba

Looking at the above screenshot we have a successful login. Doing a directory listing we see two files.

spellnames.txt and .notes.txt

I downloaded both of the files to my box. And decided to take a look at them

The Notes text file gives us two potential usernames Hagrid and Hermonine

The Spellname text file gives us a wordlist which potentially might be a password file.

So i saved both usernames to a text file and tried a SSH brute force hydra and the spellnames wordlist

But looking at the screenshot below it didn’t work

I kept both files back on my mind and decided to enumerate HTTP since HTTP always has a bigger attack surface. On opening the website using Mozilla we get the default Apache webpage

I decided to take a look at the source code of the webpage and to my surprise we get a hostname on a comment the developer left behind

I added the hostname to my hosts file

And then tried to navigating to the hostname using Mozilla and looking at the screenshot below we get a different webpage. It’s a concept commonly known as virtual host routing

Sweet. I intercepted the login request using burpsuite and saved it to a file

Then after saving it to a file i ran SQLMap using the login request. While SQLMap was running in the background i decided to try common credentials like admin,root,password but it didn’t work

Next i tried a simple SQL injection query (single quote) and to my surprise it worked since i got a different output

When i add a comment the error disappears

Sweet now i was sure it was SQL injectable. Going back to the results of SQLMap we see that it identifies that indeed the web application has a SQL injection vulnerability but it wasn’t able to extract any working payload

I tried many different methods to see if i could get the SQL injection working but they all failed. So i spent an extra two hours learning how SQLite injection worked and tried to to extract the database myself.

The first step is identifying the number of columns the database has and i used union technique to do this

I continued adding the number columns and on reaching 4 the error disappeared

This means that the database has four columns. Also looking at the output you can see that we can control the information on 1 and 4 since the query returned the result

Meaning if we put our own string it will get displayed back. In the screenshot below i added a string saying hello and it was displayed in the response

Next i wanted to enumerate the exact database management system that the web application was running. And the query

sqlite_version()

gave me the version number of SQLite database the web application was running on

Meaning the DBMS used was SQLite sweet and it is running version 3.22.0

Sweet Now i decided to enumerate the databases present on SQLite using the query

' union select group_concat(tbl_name),2,3,4  FROM sqlite_master  WHERE type='table' and tbl_name NOT like 'sqlite_%'-- -

And from the above screenshot we see that the SQLite has one database called users.

Next we have to extract column names but i tried a lot of queries which didn’t work. But developers are predictable when naming columns i decided common columns names and one worked passwords

I used the query

' union select group_concat(password),2,3,4 FROM users-- -

Looking at the screenshot below i was able to dump the entire table

Sweet. Now i decided to brute force the rest of the table names using a wordlist called common.txt which can be found in seclists and found three tables namely notes,password and names as you can see below

I saved the hashes in a text file and tried identifying the type of hash it could be using hash-identifier which is a software to identify the different types of hashes used to encrypt data and especially passwords

Looking at the result on the screenshot above it’s probably a SHA-512 hash

I tried cracking then using the rockyou wordlist but it didn’t work

But we also found some notes on the database

One of the notes talked about a password using best64. Going back to our initial recon we remember that we had a bunch of spellnames. I tried to see of it had any base64 strings in it but it turned out to be a dead end. Then i remembered that hashcat has a rules file called best64

I tried mutating the spellname text file using the best64 rule set and created an entirely new wordlist . I used the command

hashcat --stdout -r /usr/share/hashcat/rules/best64.rule spellnames.txt > possible_passwords.txt

Again i tried using the mutated wordlist to crack the SHA-512 hashes using hascat

After it has finished running and to my surprise one hash had been successfully cracked

using — show command in hashcat we get to see the password of the hash

So right now we have a password but no username. Returning back to the SQLite query we had a bunch of usernames

When i tried the name Harry Turner with a random password on the login page i got a different error

And we get some info telling us that probably harry is the username for the Linux user

Sweet i tried logging into the box through SSH using that username and the password we had cracked

And it actually worked

We have a shell on the box. Sweet. Looking at Harry’s home folder we have the first flag

Running sudo -l we see that the Harry user can run /usr/bin/pico as the user Hermonine

Running the binary using the command

sudo -u hermonine /usr/bin/pico

We see that its just nano with the name changed

Knowing we can get a shell from just running nano i used GTFOBINS to exploit the misconfiguration and get a shell as the hermonine user

Looking at hermonine’s home directory we have the second user flag and we could read it

Sweet our next job is to escalate our privileges to become root on the box. Since nothing stood out initially i ran linpeas and checked the output. One of the SUID binary called swagger stood out

I tried executing the binary and i was asked to guess a number but every time i guessed a number i got it wrong

I downloaded the SUID binary to my box and opened it up using ghidra which is a NSA reverse engineering tool

Looking at the decompiled output we see that the binary uses rand() function which generates random numbers as we have seen above.

Doing some google researching i found that the rand function is vulnerable of some sort of time attack where if the time different is negligible the random number doesn’t change. So if we could find a way to run the command and cause the binary to leak the correct random number and we input the same leaked number to the binary before a significant amount of time passes we could potentially bypass the check. To prove this i executed the script 5 times in a for loop

using the command

for  number in $(seq 1 5);do echo 0 | /srv/time-turner/swagger; done

Looking at the screenshot above the binary used the same digit 5 times five times it ran the binary meaning the the rand() function is not as random as it thinks

So the binary creates a random number then compares our input to the random number created and if they are similar meaning the condition is True the script executes another function called impressive.

The impressive function performs a system call to uname but as you can in the screenshot above it doesn’t use full PATH and since the binary is a SUID binary we could manipulate the PATH since it doesn’t uses secure PATH

First i created a binary called uname /tmp directory that would just read the root flag

Next changed the permission of the file to an executable and then spoofed the PATH

This means that when the binary execute uname instead of it executing the real binary(uname) it executes the one we created in /tmp since we spoofed the PATH and SUID doesn’t use secure PATH like sudo does

Next i used a one liner bash command which sends a wrong number the first time, gets the leaked random number then send it before the number expires

Here’s the command

/srv/time-turner/swagger | grep -oE '[^ ]+$' |tail -1 | /srv/time-turner/swagger

Let’s execute the command and see if it works

Once the command rans you get a blank output just input a random character,number or letter and press enter. We successfully exploited the vulnerability

And we get the root flag haha

Sweet we now know our exploit works lets drop a SSH public key to the box and login as root

First i generated a SSH key pair

Created a bash script which would add the public SSH keys to the root’s folder

Then executed the binary again and we got one error that the .ssh directory exists but let’s try logging in using the SSH private key we had created

And looking at the screenshot below we are root and we have the root flag

We can now submit the three flags on TryHackMe and get the points

And the box is done!!!!. I hope you liked the walkthrough if so clap for me down below and follow me so that you won’t miss any upcoming article. But for now it Goodbye!!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store