There are a few things I’ll (briefly) mention here.

REloaded

This room is dedicated for the RE challenges, each challenge has unique concepts divided in each binaries. As if now only phase 1 is added will decide about phase 2 on response.

This was REloaded from THM. There were five tasks; I did the first two and left it for now. The latest Ghidra didn’t want to run on my system.

HOTH

Hacker of the Hill #1 was released with three parts; Easy, Medium and Hard. I did the Easy stuff, and had a bit of a go at the Medium and Hard. I felt like I had the general idea of where to continue with some of the Medium and Hard but I didn’t pursue it. Write-ups are probably available by now; I may or may not revisit it later.

Lunizz CTF

This is the main thing I’m going to mention. It’s a Medium rated room from THM.

What and how?

I won’t go into much detail here. We’ve got mysql open to the world, but we need credentials. Fuzzing the website will lead us to:

http://10.10.223.51/instructions.txt

Which contains credentials for mysql:

runcheck:CTF_script_cave_changeme

We can login, and set a flag value:

┌──(root💀kali)-[/opt/thm/lunizz]
└─# mysql --host=10.10.111.183 -u runcheck -p 
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.32-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> use runornot;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [runornot]> update runcheck set run = '1';
Query OK, 1 row affected (0.343 sec)
Rows matched: 1  Changed: 1  Warnings: 0

MySQL [runornot]> quit
Bye

Once we’ve done that we can issue commands to the server at

http://10.10.111.183/whatever/index.php

We can send ourselves a shell with this, I use the python3 version with Burpsuite Repeater.

Privesc

This is where it gets … weird. The intended method is to progress through two users; adam and mason then root. In order to do that, we need the passwords for these users. We have this script (more or less, this isn’t a direct copy) to help us find the password for adam:

import bcrypt
import base64

password = # link here
bpass = password.encode('ascii')
passed= str(base64.b64encode(bpass))
hashAndSalt = bcrypt.hashpw(passed.encode(), bcrypt.gensalt())
print(hashAndSalt)

salt = b'$2b$12$SVInH5XmuS3C7eQkmqa6UOM6sDIuumJPrvuiTr.Lbz3GCcUqdf.z6'
# I wrote this code last year and i didnt save password verify line... I need to find my password

The link in the password field was to the Queen song ‘We Will Rock You’ on Youtube, hinting that the user password would be found in the rockyou wordlist.

Spoiler alert; the password is isolsa_tabefX100pre. Where does this occur in rockyou?

┌──(root💀kali)-[/opt/thm/lunizz]
└─# cat -n /usr/share/wordlists/rockyou.txt| grep isolsa_tabefX100pre
7288825 isolsa_tabefX100pre
                                                                                                                                
┌──(root💀kali)-[/opt/thm/lunizz]
└─# wc -l /usr/share/wordlists/rockyou.txt 
14344392 /usr/share/wordlists/rockyou.txt

So rockyou contains 14.3 million passwords, and the target is 7.3 million in. So pretty close to the center of the list.

How can we check this? John won’t crack the hash (here I’ve put the correct password in a small wordlist):

┌──(root💀kali)-[/opt/thm/lunizz]
└─# john hash -w=./testing.list 
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2021-03-01 04:13) 0g/s 18.75p/s 18.75c/s 18.75C/s asdas..isolsa_tabefX100pre
Session completed

Neither will Hashcat:

PS C:\Users\David\Downloads\hashcat-5.1.0> .\hashcat64.exe -m 3200 .\hash2.txt .\temp.txt
hashcat (v5.1.0) starting...
# etc
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: $2b$12$SVInH5XmuS3C7eQkmqa6UOM6sDIuumJPrvuiTr.Lbz3G...qdf.z6
Time.Started.....: Mon Mar 01 20:26:05 2021 (15 secs)
Time.Estimated...: Mon Mar 01 20:26:20 2021 (0 secs)

Right. So … what gives? Well, we need to use the salt from the file we were given:

┌──(root💀kali)-[/opt/thm/lunizz]
└─# cat check.py 
import bcrypt
import base64

password = 'isolsa_tabefX100pre'
bpass = password.encode('ascii')
passed= str(base64.b64encode(bpass))
hash = bcrypt.hashpw(passed.encode(), b'$2b$12$SVInH5XmuS3C7eQkmqa6UO')
stored_hash = b'$2b$12$SVInH5XmuS3C7eQkmqa6UOM6sDIuumJPrvuiTr.Lbz3GCcUqdf.z6'

if hash == stored_hash:
  print("match: ", password)

┌──(root💀kali)-[/opt/thm/lunizz]
└─# python3 check.py
match:  isolsa_tabefX100pre

Ok. Let’s say we use our python script and run through rockyou; how long would that take? Honestly I don’t know, but it would be a long time. Many hours. Yuck. I’ll be interested to see the official writeup for this, since if this was the intended method I don’t see how it got past testing:

Any brute force actions should take five minutes or less.

That’s from the official TryHackMe room creation guide, here.

Anyway, the thing is vulnerable to CVE-2021-3156 so I rooted it that way. The password for the other user mason was easier to guess from the clues left (northernlights) and the root method was something similar to Magician, with a service running on an internal port.