TryHackMe Clocky CTF Writeup
Today I will tell you the solution to the new Clocky machine.
NOTE: I did not include the mistakes I made while solving this in the writeup.
NMAP Scan
When I ran the nmap scan, I saw three open ports.
First I checked port 80 and then 8000, but as you can see both returned Forbidden.
FLAG 1
I did a directory scan on both, but port 80 didn't allow it. Probably these directories were blocked from external access, so port 80 was only accepting internal requests for them.
After port 80, I switched to scanning port 8000. I used gobuster for that and found the robots.txt file.
I saw that all .sql, .zip and .bak files were marked as "Disallow" to prevent them from being discovered by robots, and of course Flag 1 was right there xD.
FLAG 2
When I saw these extensions, I wanted to run a file scan for them. I used gobuster with the -x parameter for extension scanning and bingo! I got the index.zip file.
I downloaded this file and started the enumeration.
The file contents were as in the image below. There was a flag 2 file and a python App file.
FLAG 3
I opened the App.py file and started analyzing it. You should note that the time zone used by this app is GMT.
At the end of the python file was the port on which this application was run.
When I visited it, I saw a small message there similar to "now is an illusion" and "80 milliseconds have already passed"; this hint helped me when writing my python script.
I found three endpoints in the App.py file. They were as you can see in the images below:
1- /administrator
2- /forgot_password
3- /password_reset
I checked all the endpoints one by one. I realized that we can log in at /administrator as shown in the app.py file, that /forgot_password gives us a string for resetting our password using the username, and finally that /password_reset lets us reset our password using this string.
I had to come to forgot_password and enter a username, which would give me a string.
I went to the App.py file and examined how this string value was created to write my own python script.
NOTE: As I said at the beginning, let’s not forget that this app uses GMT and the 80 milliseconds rule.
After that, I needed to find the correct parameter for sending this string with a brute-force attack, because this parameter was not given in App.py.
I found this parameter as follows. When I looked at the other parameters used, such as username and password, they were defined like this:
user_provided_username = request.form["username"]
user_provided_password = request.form["password"]
and this is how the token was defined:
user_provided_token = request.args.get("TEMPORARY")
I thought it would be similar to password and username :) and I found the parameter to be "token".
NOTE: of course it could have been found with brute force.
Once I had enough information, I wrote my python script.
I won't explain this python code in detail, but for anyone curious, what it does briefly is this: it creates a token by making a POST request to the forgot_password endpoint, captures the time of that request at the same moment, generates the token values for the usernames and saves them in the hashes.txt file.
I used this hash file I created to perform a brute-force attack with the Wfuzz tool, as you can see in the image below.
When I got correct token, I went to password_reset point and used it.
When I logged in as administrator on dashboard, I got flag 3 and saw file downloader.
FLAG 4
I started to examine this file downloader with Burp Suite. I saw that it made a POST request with a location parameter. There was definitely an SSRF here.
I continued to examine this request in the Repeater. I wanted to make a request to localhost, but "localhost", "127" and similar things were not allowed by this app, and it redirected me to the dashboard.
But I knew I could get around that by converting ip addresses to hex values.
When I converted the IP address I got the hex value 0x7f000001.
If you don't believe it, you can type 0x7f000001 into your browser's address bar and see that it goes to 127.0.0.1, or you can just use "ping 0x7f000001".
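As an added illustration (my own code, not part of the original writeup or of the Clocky app), here is why a filter that only blocks the strings "localhost" and "127" fails against 0x7f000001, next to what a defender's check looks like: canonicalise the host to an IP address and decide on the address, not on the string. The function names are my own, and the resolver is injectable so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def naive_blocklist_allows(url: str) -> bool:
    """The kind of filter the dashboard used: substring match on the raw URL.
    0x7f000001 contains neither 'localhost' nor '127', so it slips through."""
    return not any(bad in url.lower() for bad in ("localhost", "127"))


def _ip_literal(host: str):
    """Canonicalise an IP literal to an ipaddress object, or None if it is a name.
    Handles dotted-quad, IPv6 and the single-integer forms (hex 0x7f000001,
    plain decimal 2130706433) that inet_aton accepts and that defeat string checks."""
    try:
        if host.lower().startswith("0x"):
            return ipaddress.IPv4Address(int(host, 16))
        if host.isdigit():
            return ipaddress.IPv4Address(int(host, 10))
        return ipaddress.ip_address(host)
    except ValueError:  # hostname rather than a literal, or out of range
        return None


def is_allowed_target(url: str, resolver=socket.gethostbyname) -> bool:
    """Defensive check for a 'download from this location' feature: allow only
    http(s), and only hosts whose *resolved* address is a public one.
    `resolver` is a hypothetical hook so the check can be tested offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addr = _ip_literal(parts.hostname)
    if addr is None:
        try:
            addr = ipaddress.ip_address(resolver(parts.hostname))
        except (OSError, ValueError):
            return False
    # is_global rejects loopback, RFC 1918, link-local, 0.0.0.0 and other
    # non-public ranges. To avoid a DNS-rebinding race, the fetch should then
    # connect to this `addr`, not resolve the name a second time.
    return addr.is_global


if __name__ == "__main__":
    for u in ("http://127.0.0.1/", "http://0x7f000001/", "http://2130706433/"):
        print(u, "naive:", naive_blocklist_allows(u), "canonical:", is_allowed_target(u))
```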
Now that we have access to the internal network, I can do the directory scan that I couldn’t do on port 80 in the first place.
NOTE: I found this file name by guessing, but I am telling you because this is the right way.
I used the Wfuzz tool again. I used the -u parameter for the request URL, -d for the POST data and -H for the HTTP header carrying the session cookie. I used two wordlists, one for file names and one for extensions.
I got the database.sql file. It was not too difficult a name to predict XD.
When I downloaded the file it contained flag 4 and a user password.
I tried this password for clarice and jane, which we already saw in app.py. It was clarice’s password.
PRIVILEGE ESCALATION — FLAG 5
When I connected with SSH, flag 5 was there.
I knew a mysql service was running but I checked the ports used to confirm.
In the App.py file we were already given a username (clocky_user) but no password. Inside the file I saw that this password was read from an environment variable named db.
When I listed the hidden files, I found the variable file named .env; it contained the password assigned to the db variable.
Using this password I made a mysql connection and listed the databases.
The clocky database held the credentials of the administrator account whose password we reset. Other databases are databases that are on mysql by default and hold various information. Among these, the mysql database holds user information in the user table.
After switching to mysql database, I listed the tables and there was the user table.
The column named authentication_string held mysql user passwords, but when I listed it, it was unreadable.
I did a quick Google search and found a SQL query in a GitHub issue that would work for me.
When I used this query, it gave me hash values in a proper format. I would like to thank the github user “philsmd” for this.
SELECT CONCAT_WS('$',SUBSTR(authentication_string,1,6),LOWER(HEX(SUBSTR(authentication_string,8,20))),SUBSTR(authentication_string,28,43)) AS hash FROM user WHERE user = 'dev';
The password for the root database user was empty, so I used this query for “dev” user.
I cracked the hash value I found with hashcat. When I cracked the password for the user "dev", it wasn't jane's password, it was root's xD
FLAG 6
Thank you for reading, cya next!