“Elf Charlie likes to make notes and store them on his server. Are you able to take advantage of this functionality and crack his password?”
For this challenge you will have to deploy the VM from the question and then use either OpenVPN or the THM virtual Kali Machine (if you are a subscriber) to connect to it. If you need instructions for how to do that, click HERE.
Question#1 What is Charlie going to book a holiday to?
Let’s start off by using Nmap to see what’s going on over there.
nmap -sV -O <target ip address>
Looks like we have an open SSH connection on Port 22 and a web server on Port 80.
Open up your browser to check out that website using your target IP in the address bar:
Looks like Elf Charlie has quite a few personal notes on here. Including his vacation plans!
That’s the answer you need for flag one.
Question #2 Read /etc/shadow and crack Charlie’s password.
For this one, right-click anywhere on the page and choose “Inspect Element”, so we can try to see where Elf Charlie is pulling these notes of his from.
Looks like he is using a “getNote” function to pull the notes from /views/notes/<name of note> where they are stored on the web server, so that he can show them on the webpage. He is also using /get-file/.
There should be a way to exploit this to grab what we need from the /etc/shadow file. There are quite a few ways to go about this. But I am going to do the following:
In your browser navigation bar, type:
%2F means the same thing as /. We write it this way sometimes so that web servers don’t get confused when they are attempting to go through directories. The source materials have a short blog post about this HERE.
Now hit enter.
Nice. Now we will need to crack Charlie’s password using something like Hashcat.
We will also need to make sure we have a wordlist to help Hashcat. Wordlists are just a very long list of plain text words that password crackers scan through to see if your password hash matches any of them. A very popular wordlist is called rockyou.txt, which can be downloaded HERE.
Before we let Hashcat start cracking, we need to find out exactly what type of hash this is so that we can set the mode. This link HERE has a list of all the different types of hash modes that Hashcat can handle.
Notice that Charlie’s hash starts with $6.
We can look through the link provided to see if we can find any hash examples that look the same.
A short ways down we see that the hash appears to be sha512crypt, which is mode 1800.
Create a text file on your Linux machine and title it something like “hash.txt”. This is where Hashcat will go to grab your hash.
Copy and paste just the bold portion of the hash above into the “hash.txt” file you just made (including the period after L, but NOT the semi-colon), hit save.
Run this command:
hashcat -m 1800 <hash file location> <wordlist file location>
Very shortly, you will have Elf Charlie’s ridiculously simple password:
Question#3 What is flag1.txt?
Let’s use Elf Charlie’s credentials to connect to the SSH server and grab that file, shall we?
ssh charlie@<target ip address>
Type ls and you can see that we are in exactly the place we want to be:
Got to brush up on some of my Hashcat skills today (I always forget the proper syntax) and also learn a bit about Local File Inclusion. Especially the importance of using a whitelist to control what is allowed to be pulled from the server!
Happy Hacking ❤