A boot2root box that is modified from a box used in CuCTF by the team at Runcode.ninja
This is Madeye’s Castle from THM. It’s medium rated and came out earlier today.
Ports
SSH, HTTP on Port 80 and SMB (139/445) are our open ports.
SMB
We have anonymous login with one hidden file and one not hidden file:
The spellnames.txt file looks for all the world like a list of passwords, while the notes file adds some flavour:
Hagrid told me that spells names are not good since they will not “rock you”
Hermonine loves historical text editors along with reading old books.
Okey dokey, a cryptic hint. By the way I’ve never read Harry Potter but even I know that’s not how you spell Hermione.
Web
At the website we have a slightly modified version of the Apache default page. Checking the page source we see this comment:
TODO: Virtual hosting is good.
TODO: Register for hogwartz-castle.thm
Okey dokey, adding hogwartz-castle.thm to /etc/hosts. Doing this and visiting the page reveals a login portal. I generate a name list based on Harry Potter characters and throw patator at it:
No dice. What about SQLi? Yes. I usually use sqlmap inside Burp Suite and this was no exception. It took a few attempts to get the parameters right but this is what it looked like:
Harry Turner,0,"My linux username is my first name, and password uses best64",b326e7a664d756c39c9e09a98438b08226f98b89188ad144dd655f140674b5eb3fdac0f19bb3903be1f52c40c252c0e7ea7f5050dec63cf3c85290c0a2c5c885
Well, that’s a long hash! Hash-identifier says it’s SHA-512, and who am I to argue. Following the instruction, and using the information given, I ask John nicely:
Now we have the SSH password for harry. Oh also I tried this with Hashcat and it didn’t work. Shrug.
Old what’s ‘er name?
Let’s see what Harry can do:
Right, so we can become hermonine … ah yeah, sure.
The C library function time_t time(time_t *seconds) returns the time since the Epoch (00:00:00 UTC, January 1, 1970), measured in seconds
and
The C library function void srand(unsigned int seed) seeds the random number generator used by the function rand.
Definitions from tutorialspoint. So in the main method, the current time in seconds is used as the seed for rand(), and the resulting value is compared to the guess. If the guess is correct, the impressive method is called, which does setreuid and then runs uname via a path lookup. So we have to abuse uname, and we have to guess the correct number.
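To make the seeding weakness concrete, here is an added example (not code from the box or from this writeup) that models the pattern described above: a value drawn from rand() after srand(time(NULL)) is fully determined by the second it was generated in, so a check that only knows the clock to within a few seconds can regenerate it, while a value taken from the kernel CSPRNG is not. The function names and the window size are my own assumptions.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <sys/random.h>

/* Weak pattern (assumed, modelled on the binary's description): seed with the
 * current second and draw one value. Knowing the second reproduces the value. */
unsigned int secret_from_clock(time_t t)
{
    srand((unsigned int)t);
    return (unsigned int)rand();
}

/* Self-test a developer can run: does some second in [t0, t0 + window)
 * regenerate `observed`? Returns 1 if so, showing how small the seed space is. */
int clock_seed_is_recoverable(unsigned int observed, time_t t0, int window)
{
    for (int i = 0; i < window; i++)
        if (secret_from_clock(t0 + i) == observed)
            return 1;
    return 0;
}

/* Hardened replacement: take the value from the kernel CSPRNG instead of the clock.
 * getentropy() exists on Linux (glibc >= 2.25) and macOS; it returns 0 on success. */
int secret_from_csprng(unsigned int *out)
{
    return getentropy(out, sizeof *out) == 0;
}

int main(void)
{
    time_t now = time(NULL);
    unsigned int s = secret_from_clock(now);
    /* A 5 s window around the generation time is enough to reproduce the value. */
    printf("clock-seeded value %u recoverable within 5 s window: %d\n",
           s, clock_seed_is_recoverable(s, now - 2, 5));
    unsigned int r;
    if (secret_from_csprng(&r))
        printf("csprng value %u (not derivable from the clock)\n", r);
    return 0;
}
```

The fix for the second half of the bug is the same idea in a different place: call the helper binary by absolute path rather than through a PATH search.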
Non-random
We can get the system time in seconds like so:
So we run that on the box to see what the current system time is. We can create our own file:
In this we enter some value for timeval which is in the near future, and get out what the seeded random number would be. For this example:
Now we need to create a malicious uname on the box:
Then we start a listener. Note I did try this in /dev/shm first but it didn’t work; I assume /dev/shm was set as non-executable. It happens sometimes.
Now, we need to pass our non-random number to the binary at the right time. Presumably this is why we were given pwntools. We don’t need it; I just spammed this leading up to the time: