Mr Robot CTF Walkthrough | Tryhackme

Mr Robot CTF | 

Connection to network

Connected to tryhackme network using provided vpn configuration

Nmap Scan

nmap -sC -sV **.**.*.*** -v | tee nmap/inital
Note: **.**.*.*** is your ip address.


22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods: 
|_  Supported Methods: HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
| http-methods: 
|_  Supported Methods: HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: 400 Bad Request
| ssl-cert: Subject:
| Issuer:
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2015-09-16T10:45:03
| Not valid after:  2025-09-13T10:45:03
| MD5:   3c16 3b19 87c3 42ad 6634 c1c9 d0aa fb97
|_SHA-1: ef0c 5fa5 931a 09a5 687c a2c2 80c4 c792 07ce f71b

Directory brute force using go-buster

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u **.**.*.***
Always check for robots.txt file. 

We find key-1-of-3.txt and file fsocity.dic which looks like a dictionary file of usernames and passwords.

Nothing else interesting except that admin and login part. Seems juicy! Lets check them.

http://**.**.*.***/login redirects to http://**.**.*.***/wp-login.php and it’s WordPress admin authentication page. So, considering the word-list file we found earlier, we need to brute force out way in using that file. Maybe both username and passwords are from this same file and we don’t have to use rock-you.

I used HYDRA to bruteforce username. Since bruteforcing both username and password parallely is not practical, looking at the incorrect login attempt we are notified that only the USERNAME is not correct. Hmm, so we can bruteforce to see if a username from dic file has correct username.

-$ sudo hydra -L fsociety.dic -p test **.**.*.*** http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^: Invalid username."

And it returned a response with a username that exists for login.

Now, I brute-force again with username we’ve found but using that dic file to try passwords for this username.

-$ sudo hydra -l Elliot -P fsociety.dic **.**.*.*** http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^: The password you entered for the username"

Man this is taking a lot of time. What’s going on? I even tried rockyou.txt but doesn’t work. Then I took a look at the dat file and I saw that passwords seem to occur more than once. Maybe that’s why it’s taking so long. Let’s filter the file with only unique items and try again.

-$ cat fsociety.dic | sort -u | uniq > filtered.dic
-$ sudo hydra -l Elliot -P filtered.dic **.**.*.*** http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^: The password you entered for the username"

After an hour, finnaly my hydra babe got hit the passcode.

Upon login we see a wordpress admin panel where we can upload files. Hmm upload files. Nicccce! Lets try uploading a reverse shell.

I tried uploading php reverse shell as a media file but didn't work. Combination like .php5, .php.jpg ( literally presented as image upon access although got uploaded), So, looked for other options. Then I found different php files under themes. Look at that, revshell was already there and I coultn't see it. I then chose one of the *.php extentioned theme file and replaced the code with that of revshell.

Then I started a netcat listener as:

-nc -lvp 1234

And opened that part of theme from browser. And boom, a connection was received with non interactive rev-shell.

Upon lsing I saw two files under /home/robots.

  1. key - accessible only by robot user
  2. random raw-md5 hashed password file which seems to be of that robot user.

Cracking md5 with John The Ripper

-john --format=raw-md5 --wordlist=rockyou.txt <hashfile>

Found it!

Escalating to user robot

suing into robot is not possible with non interactinve shell. Let's make our shell a bit interactive.

##Making interactive shell with python

-python -c 'import pty;pty.spawn("/bin/sh");'

Going robot

-su robot

Now I can access the second key as I have read permission.

Escalating to root

Finding escalation vector

I just used Linpeas and found that Nmap is setuid executable. So, nice.

-nmap --interactive

Nice! I'm root now. Now we can read the final key under /root directory if it exists, as:

-cat /root/key-3-of-3.txt

Post a Comment